remcos | a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rem.exe
Size

1.1MB
MD5

0f7e8e737582613d9ec805ea627bd1ff
SHA1

0a3aa2d8c65e2e03c900b8a148c1ad53f65289fd
SHA256

a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
SHA512

b384c1a5eab522bd4058602a1f61411729baef765bf459b5937722e2e974712942111da764bb26a5747b5406453c531c079de3437c2420b5cd5fc8fd802cb8cd
SSDEEP

24576:XCPQ3X6wOmeEXfz0ty9qXo93AkC4rhp3pZ:XC4azmeEvz14Xo95zZ

Score

10^/10

remcos document collection credential_access discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Document

45.138.48.25:3333

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
WinUpdate.exe
copy_folder
WinUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
WinUpdat.dat
keylog_flag
false
keylog_folder
WinUpdat
mouse_option
false
mutex
Rmc-E10MWO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2236-128-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3532-127-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1932-125-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1932-125-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3532-127-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4016	powershell.exe
2296	powershell.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2064	Chrome.exe
3128	Chrome.exe
1992	msedge.exe
4232	msedge.exe
1876	msedge.exe
3344	Chrome.exe
3652	Chrome.exe
3228	msedge.exe
3868	msedge.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	rem.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	rem.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WinUpdate.exe

Executes dropped EXE 6 IoCs

pid	Process
2488	WinUpdate.exe
4460	WinUpdate.exe
2200	WinUpdate.exe
3532	WinUpdate.exe
1932	WinUpdate.exe
2236	WinUpdate.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	WinUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\""	rem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\""	WinUpdate.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 4920	2364	rem.exe	98
PID 2488 set thread context of 4460	2488	WinUpdate.exe	104
PID 4460 set thread context of 3532	4460	WinUpdate.exe	109
PID 4460 set thread context of 1932	4460	WinUpdate.exe	110
PID 4460 set thread context of 2236	4460	WinUpdate.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	powershell.exe
4016	powershell.exe
2296	powershell.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
2296	powershell.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
3532	WinUpdate.exe
3532	WinUpdate.exe
2236	WinUpdate.exe
2236	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
3532	WinUpdate.exe
3532	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
2064	Chrome.exe
2064	Chrome.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe
4460	WinUpdate.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2236	WinUpdate.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe
Token: SeShutdownPrivilege	2064	Chrome.exe
Token: SeCreatePagefilePrivilege	2064	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2064	Chrome.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4460	WinUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4016	2364	rem.exe	96
PID 2364 wrote to memory of 4016	2364	rem.exe	96
PID 2364 wrote to memory of 4016	2364	rem.exe	96
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 2364 wrote to memory of 4920	2364	rem.exe	98
PID 4920 wrote to memory of 2488	4920	rem.exe	99
PID 4920 wrote to memory of 2488	4920	rem.exe	99
PID 4920 wrote to memory of 2488	4920	rem.exe	99
PID 2488 wrote to memory of 2296	2488	WinUpdate.exe	102
PID 2488 wrote to memory of 2296	2488	WinUpdate.exe	102
PID 2488 wrote to memory of 2296	2488	WinUpdate.exe	102
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 2488 wrote to memory of 4460	2488	WinUpdate.exe	104
PID 4460 wrote to memory of 2064	4460	WinUpdate.exe	106
PID 4460 wrote to memory of 2064	4460	WinUpdate.exe	106
PID 2064 wrote to memory of 1520	2064	Chrome.exe	107
PID 2064 wrote to memory of 1520	2064	Chrome.exe	107
PID 4460 wrote to memory of 2200	4460	WinUpdate.exe	108
PID 4460 wrote to memory of 2200	4460	WinUpdate.exe	108
PID 4460 wrote to memory of 2200	4460	WinUpdate.exe	108
PID 4460 wrote to memory of 3532	4460	WinUpdate.exe	109
PID 4460 wrote to memory of 3532	4460	WinUpdate.exe	109
PID 4460 wrote to memory of 3532	4460	WinUpdate.exe	109
PID 4460 wrote to memory of 3532	4460	WinUpdate.exe	109
PID 4460 wrote to memory of 1932	4460	WinUpdate.exe	110
PID 4460 wrote to memory of 1932	4460	WinUpdate.exe	110
PID 4460 wrote to memory of 1932	4460	WinUpdate.exe	110
PID 4460 wrote to memory of 1932	4460	WinUpdate.exe	110
PID 4460 wrote to memory of 2236	4460	WinUpdate.exe	111
PID 4460 wrote to memory of 2236	4460	WinUpdate.exe	111
PID 4460 wrote to memory of 2236	4460	WinUpdate.exe	111
PID 4460 wrote to memory of 2236	4460	WinUpdate.exe	111
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112
PID 2064 wrote to memory of 2184	2064	Chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\rem.exe
"C:\Users\Admin\AppData\Local\Temp\rem.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rem.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\rem.exe
  "C:\Users\Admin\AppData\Local\Temp\rem.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe0112cc40,0x7ffe0112cc4c,0x7ffe0112cc58
        6⤵
        
        PID:1520
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,5915650853061389027,12020655023742207644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
        6⤵
        
        PID:2184
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,5915650853061389027,12020655023742207644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:2528
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,5915650853061389027,12020655023742207644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
        6⤵
        
        PID:2964
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,5915650853061389027,12020655023742207644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3652
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,5915650853061389027,12020655023742207644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3344
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,5915650853061389027,12020655023742207644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
        
        C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\dlzuztkgiyqcolpiqpxloevsgyxxo"
        5⤵
        Executes dropped EXE
        
        PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
        
        C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\dlzuztkgiyqcolpiqpxloevsgyxxo"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3532
    - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
        
        C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\ogefzmvawgipqzlmzaknrqibpfhghoav"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
        
        C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\yikys"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe00fe46f8,0x7ffe00fe4708,0x7ffe00fe4718
        6⤵
        
        PID:4436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        6⤵
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        6⤵
        
        PID:1824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
        6⤵
        
        PID:4124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2064,4645644124247963839,17654952283987234893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8838b60c57afaecae01ca8b0bba2f881

SHA1
20480faf5643595ee775ad4cfaf03567b6cd5506

SHA256
aae256902621ed9511b01ec9f702781eac4ea61759a03c258dfadd5b89065dc0

SHA512
62c79b6d55b0e4c61f8f563ea929b13bc8b99c5aa7b1ff8a1e9368879f4d74395e9bde1fc9cfbe6fbee176bf9fd242b5d6f800cf18a44c7d124ddd5d9e22f5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
8d96e2819ef61abc4dfd5420da174946

SHA1
c1001f721a72e524be988f6ef7e5ac3902363a21

SHA256
78e82bec4609127fd1df267bc85b3bf32cbdbdb756542e8b2c9dd1d5a56ba101

SHA512
e633f10c4214cf150d1a79534d720e0bbe848f82eda2acc78f57bf0beffbcf9dd0f48496a6e4740f78e0474b1a8dfbac7517cb9a3587892f3b4003c3a9fafc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
676c51bd71e217582ffc3899dc82a05c

SHA1
1588f9a4ec223925c08b493f8628c66ae392b252

SHA256
17ff2e6f439fff0638f4c9d4fe5db80cf6baf44df03acf9a5e6ba04b241f8586

SHA512
5d5fdb14b113e72c5122b5c8a7c7a184d42fc08f2aec368c46eb335b9604808574d6884255bda49bf9fff75edac453dd0ea081ed3ef0c43c61ae5080ac405e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
5ecbcaea898125098ff09326c8bfc489

SHA1
786d4b0b6552320d6009836897652c29dff6cc9e

SHA256
eb57cb27c4963e6796ce535aad50f4a30b754f1b36e40fe9a9e01e7860692bf5

SHA512
89d3f83e2f653ae150bafe3de57977b6ddf47eec89116d4e164429ce7cb429b0db7ce874c6f1986346391b5795ebb91b5bdd3946036e3cb2c9c576056333b66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
edb2545a64eb6550760448c574798564

SHA1
1f3a3bdd7d01d2f552b62dc42fee5dce7df505b7

SHA256
e0c14b8832b2d41833359572f5922fe9a6c128d40bdfdd94e95343b063b309c8

SHA512
a8f53a67d64722c712e8ac7243f5103238f9df329bb2bae221b010c67de256c91920cb4fb0a96cd55187a6e71c8bf22b44569313952b33a5172a6928bb40473a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1380a3b11fc2ae3d1d18fb4ffd23e890

SHA1
00435d9dc94d5aaa7e488b70ea87bb559a297851

SHA256
f62598923077eba5af608310a3219f792571eccd60b15a6e5b9ed2dd597afb24

SHA512
f57fbdcdbd1262cded06b943d94f3ed9721eee1077cef1634c932acd5c959ae166df5c783167e2684c41ab74cde133113b926d32383f22d858e96570deb1bd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
d101c58d85fd2705614c19dee4a69769

SHA1
9d78452cf31e0edd2ae0b5552a0379e9aa6a5a6e

SHA256
603e3b52780d60bebb6d6ffa177d065c3a89a856b546311dff9aed877fa60b15

SHA512
a443856ba95ce70064ce94496648e7a7ee74acc34f8e4e30e49e9fe128b239216fc2f450dac1bb915b24470ebfcbe072fa46eb3d23035c00a1bcc8fce72a32f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
9c4bfcc581439efa25156560a2151227

SHA1
e8fbb83f31e5656b14603eaa0071fd40f45ba3ff

SHA256
dac1a150e1209dcd95663ae3154651de81ecbab42cf624c9480cb9eec60e5c4f

SHA512
edf9b2db4e6c5cace88dddc5ff4598c7e46d88ccaab791afc14f9e8231e1a5b034291370bb88b2e30ebdd7a2a4c0a0f1c447927e7dd9e5e0ed8465e366434fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
7b6e3f06cc55e0f25de8bf0b4b6b423e

SHA1
4568ade3c604bdc5ec0333bb0ccdc09bec2b7ac7

SHA256
a4698d80716a05253513208f8d1f61cb6ac720dc88ce57a649c9e0b577df313e

SHA512
823e1b262604179dc6f21c166258b29edb78bae1f9be2402958a3b601d812131d36378c97788c0cc2be407b80d15b21d8560b6343cc2fbd4dc13204611a4a1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
d66d3281b92cc4c9ae99b9c0cc4b5ecd

SHA1
e711c6949a59dc2a6ee72e8513c510da4b345599

SHA256
b9fcfec35523fc6d7444bde5ee666b6a334aae76ace73f6e229a884609592863

SHA512
5d9a4e62e4314bd8f8fd76aed9201902030486e0e97f369dcb16e451275bab5224f15c5604ad6c715891ce4ab0765e27f916baef958158f8301a6d9b47d0f65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
a26eb8d76593226416fb493860bceb28

SHA1
f49b78822b4bf0fff4e4e6c046ef9b75e5f6d4f0

SHA256
c97bfa82ae421b2b5094829e764f60a6ebcd190caa9497430f522a687915eb61

SHA512
bc4cf89ea54e4a3ba35b6fa8ad34bf748d77d8e602249ca1407d1d114a5a1104586ebb213f4628733ba23f72ba0e2e128911e823c2b7eec590edd723d5c6f8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
f26dbd713a735bbe58608786d67e4eb7

SHA1
b8b6089fa4f021ca11b0adb347867125b0fa94e4

SHA256
ff75bc5625661d0180ada2a29ea6315b3ece381f35b34dce67bf1822981907a1

SHA512
774e35b00a2b90461b0734322035c629e86ae3ec52fabd688f80fe3bd2ef8879c3c116723bdae33d1e0e066ff12b922b431f18adf11d4b0de950753180ab319c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
41b0bd2703f2fbe7b1c502560dfa417b

SHA1
31c16919ee60f7637b0b177e20605ded90944681

SHA256
963984ee46a83e2a3048d78e0e7090e96922181f9eed59b2b02bf859df24b8c6

SHA512
49f3cce1e384e1206aaf82b3be3cd027f25aa7c8ba6699b509aa05536db3257abd1fc95e8a64f682049444296f12cbe2dd3ffea964f701c19532c4b7d6d6c80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
3bf275ad7c396401afb4c58a726ad1b6

SHA1
96bf533576e086a90bd1a6618dd68e940d1e9560

SHA256
f52768ee3e6f25ea1894eb1c4bb7d0feb89efab07cd2fb169bc71a2122faf0b1

SHA512
79af46b585a913f7b03c410ff38004effc98fb074107e90592d98c4fefd668bef7ec76f4c710f692cc71b6d41ee613905483e539d1327d6be49a0d374cbc9e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
cb2ffba737b517d8f8387b0acecdef61

SHA1
168a78316a57d993ef372bf955fc8c8acc54bcc8

SHA256
be15062940fe7ef68776688c93de601304084f7292495461b4da1a72fa337fb4

SHA512
bceff96dd6ae6f914472ce459e65d68a46ab2beecf0e788f768a0a09e5af074b0edbfd7f08e4ffa67c3c4921003bde7a8bd8e7c4358eb03d305f520d8e02ecc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
13f05f55769f8be430ed500425233465

SHA1
f9353076823fbaf161b310af3b5dab056f7e1326

SHA256
47c1926923f2bb7d2866934353625269ac443f8823b0a1609c7ebb981e07b969

SHA512
101593a285237e5839ca4f526ef4a2912d366495f70c98244f41d32d6e33088b57d42612d8cc41f7a09e6ddf5f5bcf71476aba5f231ad903fe66e819a57542c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
a84452b96599e754a46b3e5988a4d656

SHA1
813f207fdb69e88f48d63ae12df10f0d4a8faf90

SHA256
9ae8add24731e7d46ff2e181973a6a57c5d738b40d44b2e93cfc9acad95037c9

SHA512
733dce6086111a0bad90e7df0a3b1d70a4fa3f9e42453f33754eb408e6d8cdcd017060457ee455095c58bd6027d72d4adfdbd71f2b33f581adf8f3f2ffba2a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
787ba97b044f0c429480bba086f33ae7

SHA1
6a2712ca6efc4e0255bd3153e24a38ecd860039b

SHA256
5d16c77b9ebd4b7a8d1c701c429ff4b3ff973ba08ddd1763f96fa832d5313ccd

SHA512
0ddbbcf3af579a25edecd11bbe376cd10dadd4cf1174ef2966e8449043eb35d832590e6796c1ab214eaa70262743df2e579792f00726090724b0c41d86221c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
8b07fd231ffdb22f54ffb9b464059962

SHA1
4daa6fcb0c1d96682b4c3707c83de6eeb71c5334

SHA256
e5a912e250bbaf922f8e0b398e7913f7fcb79c020473d34d4706628335160dff

SHA512
f1f8cb476788008adb2f4c10b9803bfa1a68b11e39c49ec786e89af437bb6629038a47e87669c2997ab20c295621bffb977c05ad842bdf2e81c07051652bce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
2af818ca9814d8fb8050ef75730b443c

SHA1
b11f4d4b95fd49a747ec1a08d32a86d3a495b809

SHA256
7401093820eb388cf853e50dbbcf9038835ffaed6bd72f0309416420b96f02e8

SHA512
9bee0538fac95264054435c92f2e9868357e9df637613e3d6c1f6c262c1294ce302d00e9731e80906b4bc35e5c1efb2534c7f595f874b42542bb11797d8da098

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
9bb935b9f2e597a75cc28f37417353ee

SHA1
54c830050f73a648aa46435d0cccfa2b23f51e0e

SHA256
5b1f79b75aeffb6ae2a21c96f8a95c7d5b7db07ba3caf68ed9bf8a1f8a2228ad

SHA512
e5626a53664795c78c87b344280f7062cf6b463704a270d2ea190b25f561b2eb261c3e36136057beaa1a19c098e943ac95166676604b7b72af469baa7f44a748

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
08d1c2f0ae71f4c0caa7f67e38fb2174

SHA1
46680b47925c67a74e47c8501deed0fb8fadcb10

SHA256
43d441407830c43e9b603df3cd3fb0fc8151db7e37e2199a799117e3a95cc3ab

SHA512
92f71c81c21c9ab22e558d119954de5a9fb03ca460531b0928a270a17801991836cf2783dc35409c18a619ab6e5327b93e9f56d6adfd14fbb104f26e236d4970

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
0ccc00762ada1d22b40b0b3b7e9e2d4c

SHA1
e368f3fd92f668010f57b84ba371e76f97285efc

SHA256
5e8abc32641d6b7dc0106a0a857efe4d06402c6a1dd02a3c0ae5691e93249712

SHA512
585892f9040cd0fde53e26f8f35d85a81731edc17e73b534b5559f748e01492f5a3bcbc1a321dfd73b626f1bc792e87d34da2056ab5d353ad6b5f342d0ae25e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

Filesize
1.1MB

MD5
0f7e8e737582613d9ec805ea627bd1ff

SHA1
0a3aa2d8c65e2e03c900b8a148c1ad53f65289fd

SHA256
a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76

SHA512
b384c1a5eab522bd4058602a1f61411729baef765bf459b5937722e2e974712942111da764bb26a5747b5406453c531c079de3437c2420b5cd5fc8fd802cb8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqadaf5z.1b0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlzuztkgiyqcolpiqpxloevsgyxxo

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
memory/1932-118-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1932-125-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1932-121-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2236-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2236-126-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2236-128-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2296-132-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/2296-229-0x00000000717F0000-0x000000007183C000-memory.dmp

Filesize
304KB

Download
memory/2296-243-0x0000000007430000-0x00000000074D3000-memory.dmp

Filesize
652KB

Download
memory/2296-252-0x0000000007700000-0x0000000007711000-memory.dmp

Filesize
68KB

Download
memory/2296-110-0x0000000005B40000-0x0000000005E94000-memory.dmp

Filesize
3.3MB

Download
memory/2296-253-0x0000000007730000-0x0000000007744000-memory.dmp

Filesize
80KB

Download
memory/2364-8-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/2364-3-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/2364-6-0x00000000052B0000-0x00000000052CC000-memory.dmp

Filesize
112KB

Download
memory/2364-1-0x0000000000510000-0x000000000062E000-memory.dmp

Filesize
1.1MB

Download
memory/2364-7-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/2364-4-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/2364-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/2364-5-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/2364-9-0x0000000007B90000-0x0000000007C52000-memory.dmp

Filesize
776KB

Download
memory/2364-10-0x000000000A290000-0x000000000A32C000-memory.dmp

Filesize
624KB

Download
memory/2364-2-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/2364-19-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-127-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3532-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3532-116-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4016-60-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/4016-46-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/4016-68-0x0000000007430000-0x0000000007444000-memory.dmp

Filesize
80KB

Download
memory/4016-67-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/4016-66-0x00000000073F0000-0x0000000007401000-memory.dmp

Filesize
68KB

Download
memory/4016-18-0x00000000025E0000-0x0000000002616000-memory.dmp

Filesize
216KB

Download
memory/4016-20-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-17-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/4016-21-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/4016-65-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/4016-64-0x0000000007260000-0x000000000726A000-memory.dmp

Filesize
40KB

Download
memory/4016-63-0x00000000071F0000-0x000000000720A000-memory.dmp

Filesize
104KB

Download
memory/4016-62-0x0000000007830000-0x0000000007EAA000-memory.dmp

Filesize
6.5MB

Download
memory/4016-70-0x0000000007510000-0x0000000007518000-memory.dmp

Filesize
32KB

Download
memory/4016-73-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-69-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/4016-22-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-61-0x0000000006EC0000-0x0000000006F63000-memory.dmp

Filesize
652KB

Download
memory/4016-32-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4016-50-0x0000000072760000-0x00000000727AC000-memory.dmp

Filesize
304KB

Download
memory/4016-49-0x0000000006E70000-0x0000000006EA2000-memory.dmp

Filesize
200KB

Download
memory/4016-48-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/4016-47-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/4016-30-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/4016-31-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4460-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-171-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-402-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-166-0x0000000003CF0000-0x0000000003D09000-memory.dmp

Filesize
100KB

Download
memory/4460-169-0x0000000003CF0000-0x0000000003D09000-memory.dmp

Filesize
100KB

Download
memory/4460-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-170-0x0000000003CF0000-0x0000000003D09000-memory.dmp

Filesize
100KB

Download
memory/4460-401-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-400-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-399-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-398-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-104-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/4460-97-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/4460-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-103-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/4460-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-391-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-392-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-396-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4460-397-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download