remcos | fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

Analysis

max time kernel
62s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-12-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveSourceInstaller.exe
Size

469KB
MD5

e468b718e67495ea73c85d8258059adf
SHA1

dcad70f5c39ab85f900ef1288067dbf51eaeb503
SHA256

fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e
SHA512

b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSJn9:uiLJbpI7I2WhQqZ7J9

Score

10^/10

remcos wavesourceleaked discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
2508	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 768	2508	remcos.exe	81

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133790459119120615"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	WaveSourceInstaller.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2508	remcos.exe
2508	remcos.exe
1852	chrome.exe
1852	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2508	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 2356	3628	WaveSourceInstaller.exe	77
PID 3628 wrote to memory of 2356	3628	WaveSourceInstaller.exe	77
PID 3628 wrote to memory of 2356	3628	WaveSourceInstaller.exe	77
PID 2356 wrote to memory of 4176	2356	WScript.exe	78
PID 2356 wrote to memory of 4176	2356	WScript.exe	78
PID 2356 wrote to memory of 4176	2356	WScript.exe	78
PID 4176 wrote to memory of 2508	4176	cmd.exe	80
PID 4176 wrote to memory of 2508	4176	cmd.exe	80
PID 4176 wrote to memory of 2508	4176	cmd.exe	80
PID 2508 wrote to memory of 768	2508	remcos.exe	81
PID 2508 wrote to memory of 768	2508	remcos.exe	81
PID 2508 wrote to memory of 768	2508	remcos.exe	81
PID 2508 wrote to memory of 768	2508	remcos.exe	81
PID 1852 wrote to memory of 3796	1852	chrome.exe	85
PID 1852 wrote to memory of 3796	1852	chrome.exe	85
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 4344	1852	chrome.exe	86
PID 1852 wrote to memory of 2820	1852	chrome.exe	87
PID 1852 wrote to memory of 2820	1852	chrome.exe	87
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88
PID 1852 wrote to memory of 1868	1852	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\WaveSourceInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveSourceInstaller.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2508
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92840cc40,0x7ff92840cc4c,0x7ff92840cc58
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3052,i,16635967771906186178,2927751729723526864,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:3264

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92840cc40,0x7ff92840cc4c,0x7ff92840cc58
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1704,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4600,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4632,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4368,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4376,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:2
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4636,i,2409977310912850754,13137076461442960649,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:2144

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
129695cb13d7a74b2339de2c6556dd72

SHA1
314d3406a078f2c388ddd861d66e41d17985ac35

SHA256
2afff6d4c92cde01a63f9c67fa7a035a1ea17c25dc1ed06f59594880682eb02e

SHA512
085502747eae8f5927ee5b1bda77ae3eef5a3828de370deb3d2e4c199c28aab2dbd0d5bc58c4a61f582548b11dd865ffa2c21e58cbd9376051ab042c1b7337b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
619844f3be81d7dd20955fb719c054be

SHA1
d020368d316e1a2dd554693d703a1b1f54cb92f6

SHA256
6e9f715f8f48eef17213afa0397d403595e89c373063bd3a7b6f8d614aa03137

SHA512
a1f7b5b088daf1c55ed8fb34e4edc9f5150189d626035e92268b1ec56db0e94af3fc47903614bff20f39719457cba8ad722bd7e4261d822b128b600d61c7ea24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
d2767ca42529ce2e5685729a4fcc9ac2

SHA1
afe26d85ade80a9b02918f71ddd18000de03d7b1

SHA256
ef4c7d50a8a3c15c5b4e9874a43fd0c20da2f553468fab99933bda4fbdbc6535

SHA512
d5b7bc17a5ead0bb64ed907b998b9f2b9e7b61d8098999c8eb955aa87b8926a157f319b84d81c663c7fd21dc6e4b29471e9b6e39fa4f66b3064307ef9f2e59dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
2dc0de41ceaf2ae4b9ddbe77044309dc

SHA1
ed3b6d6093166f8ebabbc411db5e1e7034dcb8e1

SHA256
6da011a743225179b78ca09348c3257d1edd4cfef6c7cbf7229a3dc77679e079

SHA512
9fa019dcd1f03faaf4c91856e62baf6c36f4827e7331728e32f236a9b6d7287781e05d7be78dd0fa0bf7b0d9cc5d15fd9e38bafde54c6561de0bfa6035205b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
3e421924be7ffa1331a594b1078347c0

SHA1
bbb2949377df944abcfb71100d9da6c743ed109a

SHA256
f18c53fcddcad456026b6175d5f38b9eede83674933c2f22280915a345016c5d

SHA512
993344034ccfb77b8f143c0b4b24645d829decea3ff761573f7500e15606c8e7ef2d7885ac585bb40bc56d79e025c32d827f9df1a28f306a5ff00c91c728b70c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
c9b2a757ecaa401396173d455c8f43a8

SHA1
ba2b56d4d261cad2aa4f46368b29561eb3b21a7e

SHA256
dfc0492107a190390a3fb1219756995d4b1e671e05301cc7a1bf71c98c0cb058

SHA512
ae4c2aac81758d4ccf7d15c0151a95e2043242c5305437d504ab28ff7386467457930abfacd99e68eab999aa99e8ea2ceaeceb38a85c512c25ce0d7645af7008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
98221c526ffa1d25e3a26fed65a2c5d5

SHA1
c4a39e5d146de1adfd125f377a2d30fe3775f771

SHA256
27a315f4bf46f041bc63d230a10195c10fbd5c896878d7d01d4e62753605f9e9

SHA512
c7650fd85c2547bebfe03ea08f23927993c06fbc59fb7c34935aeea88c31c6dfb0c68168f1003b7b559eca897a56039d946bd5058af6fa184ef8b18b5bb6a6b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
dea2df82699e3721611024576a8a5a43

SHA1
b109d155206cdccf80d9cd234df51b1de058ea52

SHA256
0200e70a7698ec33012726544e4286e2007d9e4d862e0557c66cdc744cf6c8b5

SHA512
05a8360e56025bb3eb4376522bd354e4ace239341196c5d11fcf5b98390c8f53f5bd21d843f8962b8aa8dc99c3addf4f9533135b1254d1a897455ab18072b6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
5c324da6ea2d588e2a9b96713cc3f1fb

SHA1
386011e334ce09611cd5fb3e3a8e5e25b18897a5

SHA256
2a7cf497100404d1d9842ba02076d77c07c2ab5b339935a9672bf35fba2f3074

SHA512
9b713a31f38324936d124435a538e20ff3021302c8d1438cde56a133d16b81ad479172c9caff5e933f88277966b974548bf8ce22d248c1adcf923c6f76e7fd58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
cfa172a650b84b3abdbcc47097ea7b57

SHA1
5b45943b506c37225942826c102fcca6bb743847

SHA256
74581baa80a130006b3dd5628aa4845b20089bb80a5c5710c459e2708c95b038

SHA512
fd8626ec91e0b48a17bfe1bbf51ff8419717f631109ea2ca39b908dbc06d7628b4ff5d861bee7bc2070685c59a63c9c3759db1cb589299a0cf430a7d3b5dabfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
df1c9f544c656c7b88cada7cd5ef2e0c

SHA1
8ebfff663f1155b0d2f081b2d981eda214dfdaa1

SHA256
055bcf38558ef48f9864585d23cd5333dbaf97ef57612ae5560be97b4dee42c8

SHA512
08e43204bf32485a4a83a1131e8c8c5eca5aa8c01504304cd00c155c39c53e2dcea57783b4dcb3308b9de85ab6c445b17c15a5b26f144265bc2aa73c99deb953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e9b99775880506f03041338629953d9

SHA1
fed46296ee62f6e5f6634590e3c39cbeb8626f8d

SHA256
d2b64585556cf80566c838e2403365afb67a7c7b734cdb0251ed17fdbacd9341

SHA512
2f69c0c286e706831532d4bd0f4d3b84268b6edd07929df1c5d3367a47883c869a45d0ac35c4db8b064c4bd4c40325b2a796e02460288c30104d16a441cadd2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b808af67011cac145c41efd8088ab959

SHA1
0646e2953d58aaab1053d611837cd54b68f79315

SHA256
0caec614a0e39c710edee89cdc5d575c649ea6a7d335abb26fb5b0c3854e5b72

SHA512
971808a4b2780e2d8288f8dc5aff0ff24b2da53131f46d54709349ee6ac5f5a8f27d845cac24c6a88031b6890cb8a70aaca4e5b74a0e9f02f04f226b7809ff0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
75fb980ceb2a5e422b40795047e2c58f

SHA1
253d0032a478babc325cdd14d6d6572399ce3e86

SHA256
98470ce95ed9899e1683df2190ebc948fc417c97ca752df4fd48153cca56c6e2

SHA512
64fac274fb882adc6ef6d92b60d55434383241bf7c56700dc251ae9b05ba466b9ee3e4d5bd41d81e2c2f2639c4bf505c9729af92c2355fa22a918ac08760ba87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f1c6c918c3dc31911c053de6e51d06f5

SHA1
ba6cb59dc3e1360542038b2f25e07dcc27768059

SHA256
2f1127abe0606c31acdbfbe49ffa8969f24e8f0f9c052baddcde95bae7e3fc78

SHA512
d58ed4ccda8fedb1f7b11426b81079d249747dd8f567ba3837059a768be50edd9d764e3795b223bb20c73ab09f9397ecc3d4ab7f5cadc2b2d2710c4b95e5c51e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a534600830cd8085d89f3357b13adc4

SHA1
06afcaa508ab71f8fbe0d97de9d3b120eff55309

SHA256
a45283c770ce0e83373bbd79946953971c1f16011901b1901334d82e01db427b

SHA512
c0bcab15b50633011217cf2ff4beb2145bddc20c2c11bdd04527588c53d9bc304bb76b81b0225c7ddf975f7f2141e445b51495d759f3bfef77ac774755aecfa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30294e4f9155aba334306087140c1383

SHA1
da48933b79ab54e91ea64bf5d07ecbf59c7b42e5

SHA256
d1bdd2fdac92dbfef2ab0bdf7fa8cff3b2cd6e00b66ac7b93f5d929c723f4a57

SHA512
770bec93464d98dad4ffd621e88ab2e9dbc459f22d20193cdecba4d54d227c043ce250a38687cf77e188c3ea31f1a79abc32d964df16274629bb23d93e6954a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66e9e1c0823018379825be6d8d88478d

SHA1
336f8c651ee0e68bca2a3acc260b23966d49a35d

SHA256
8d3dec09d75db4b80f1e327b1572f656f4d7990a017c016f7d157861623693e1

SHA512
1e9db2a56c16d2c4b85d8327879c774f658dc3d232de06c60aab1a6be790252abdc03a8d29e00b30bd03fb26342d4d7bff28028a6fdddfc5a4b6b437d5028e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0a1bd9e1bb774710fb1f8c5ef3bf76be

SHA1
f32ddc87654bd5a93ab62da50d8bd6b086991691

SHA256
055426871a8c03e5b5acd478633dc2b9cd2670a72373f0d4717993e9c738733a

SHA512
9326e51b5e4b6badf5f63ac962d92766764e34c7336def38c74b1244745d67b538b553d5632d45b11619d7d523d2385e71496e642fe33e0f98a268954b0806cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
2224cc0e414a5688d5e377c6343fc61c

SHA1
0c98641b67b4630d36ca972e81e7b58e71703843

SHA256
e8c202d8eb0455405e9bd0c694f0b8d902f6a6bc5de36a8070096f1a75a4c10d

SHA512
5ac118d0bf24695439e9fd2279e9c1882e3658f4e778d94eee8b98fdce3f45d6a10d4bb43a906441e9b60f91557ebe32ce18e9079e84943b320a520461d65d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
327B

MD5
a66efaa590a0d16b1874a35836ba0a4b

SHA1
bb750c61e162420271f89a90f2b58f43587680e1

SHA256
b9ab1ed7609e2254b7d4fb655b57b21b2be601646c4ff0b207c411e8bdd9e654

SHA512
2b1ea0c798b69b360ab1546d14fccf7d5f9cb224b31bc8430cdb956c8cc570a086e4cfa10e6a843292deb862f4161dfc9b9abbc44afe397ff0ec9563646ff7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
456a2869eb21d4e141ebf7bbfe6e1262

SHA1
11d3af2b6bd08dc22a15c3f621d77b7dae5c992f

SHA256
4a71e62d7208ae001a0cb95b3e755d0863afa29352862010c49b08234627ad94

SHA512
80e53f235312a6a0a1641e0fb104c984f10671eb3bd4779bf60bad915755b8a3314977078c7d711148dd4c724d2bb3f783257d1f1618db23991c7f046c744a0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13379045894477224

Filesize
1KB

MD5
7376615b75f1282f8e2d174959442f06

SHA1
8eeab94e3895737d3ebab3156da9d3f697440949

SHA256
4f06931dfd90f09c10ff59bf0a11c3055001d13d5bf02161a9ba5ed3a19bc21b

SHA512
42eb0f0b0aa49942eb601f60549d6181ab3ffe198f1755d50d3e3a2de3780dcec33f3898639918a1c253d86bb88f284813ef434fbbb1016537742ec33b85eae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
1fbb898ab639d8cc28cf046e94e22f25

SHA1
09e2962229242170c07f56c63aaaeb929e6da918

SHA256
656584c925a9f5f8d189832539a13cf8e112dc8cd407248ca7027125d221b4e9

SHA512
49ee2291b1ae48e26819df92009924104233451d3f5267c984378575c3ea7e28155f95bce0e6fb22aaf920402cd28b83cbee55d24a0dd09bccd741f0efb79014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
3de545d3cba3b44e96b9065df83c606f

SHA1
a9d2e251f3ed341502831722e8c5462d039cc9d1

SHA256
dc83b6b6f422cd42da40bd4c6004883a8b5e36d3afbc1586f8bc712b113ffabe

SHA512
437127cc7280fdc02c31d8b7b7b2bd6c9da1929b7c461d729d6cb4b0bb79c55d58c2fa882806a120e238495ca433d1ac4b00db41d88c823b2fdde5bb95067515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
e29522d7a313e48585645c60473df878

SHA1
82520ff408ed604da29b0290342f83e84095b940

SHA256
8846bdde6ef1ac96f5439a85ef4586f6a7656737dec153182675ec19588b66d3

SHA512
85076d87c5f6fd5610afe72c16ebc426ee017e5804af97ba5d06c25b1f80be963c16d9a7f0eed626e73cfc341cffc464e413c10b02909239f0da155c10b422ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
29d108b486b8f27141ea1793f23ce5d1

SHA1
a61a5bea8d01f3ebae6fd227a801cac12c55f83f

SHA256
7ab5e181d60f7c095b50a0a5f5de1c5b1ce75721879ccb8a91c1f437ca81b6b2

SHA512
f8db1c93d4b1b1f19857c7f813f662bbbb50a2d2fdb7fe3b0a64eb890a479556ee48397b6b1fe2e7132c7c44c8877e31a07c526843db43c047798cbde8d0be6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
12KB

MD5
696636129df671179dfd054f2871e7e8

SHA1
96636a6058eec191121a6f6adbdc10a1bc48efb8

SHA256
343c1a3cf9e26e11648542c1ceb63a4ec0ca46ebfb67fcd10396f33df993a168

SHA512
1190ca218899fbc5dde7b3b9eff488f50b6fd4a2a5cb5d7a7d3af91037401ce7b2f3cf8f25a997e5b8dfe697a43ab873025ee9436f6036689936905332e2d7c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
f67b262e3b964b1b4fdf7cbdad589873

SHA1
d1f32d034a4f09819ea7714ae6230dd582026f6f

SHA256
fd13ced4cc726fe9c1e8ed6056fd151ce4c7d7f86f94f5ff5e8601ae117ddac7

SHA512
3f4e4c0b82cd862fd9a2b750b2b512c17382e70106a057722d5c93964a3b720285b78005e8bdbf26079f46f6267abd984559ebafceea905138cb099bbb067c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
fe50380a8263024ff02078bd99874a24

SHA1
1a925c510e0a221952ef23df07c2933722e2c3bc

SHA256
d7a491fb027c363682a1ebb28840137250fe6183d8449960be900884b85577be

SHA512
29c445b8bb96f336640fd385df18b2a8cb59b44507cf75394c5b98f4b7c5ec9e122fabcbdd3e911865495f0331ff232f1eb09ba1079de35a464d66dcec6df789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
135ae1f50b59d852e6d1813b92329f5f

SHA1
b46dcf491a57069766f99f11a9aa90e9814426a5

SHA256
cb3b87dc0bc5a4efc9f1b9607159b9836b7076448dfbea79d355d5f3fa37180e

SHA512
3b4913d32a54b037a45e29d392f700f6d016cb49c6453ada8ae58a6796a2e07f37ec2a65ca24c01195e6ef01d7304daea079e4d711c12f3fb672095ecedd1b7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
85548913466f9607449f0997ca7f95e8

SHA1
01f138893a9b048a73bfc97f39a7ee7ae7b5d775

SHA256
3e3beeeb8f63a4d9c88930d4974ec22ff0ec97edff9c4661b38087288c3a23ed

SHA512
af9ed035a86b054d8086263c26669691229e9694997ad69ebdd7b2c860fe86c8a2729588f2896fcf8e04f96d79e5ae1470317b82a9536e0992f1f5009ea13b37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
d4338ccdfd92ba251f92b88ae6898037

SHA1
318732332a554da11ff909fc8166a9109eef944e

SHA256
6863febf6dd7671f2d34f2cb174d1532f839221c94e40e7a2bb8ddc399caf1f7

SHA512
dc4fdf5290324754746270d0b029caa6b64cc08d408ec599fa7ee631d6d4f32d16e4086b354780b6902dfbee791105910e292bf4c34692e1261475128de15169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
6f12290e39b9302f73334ba4f5be4967

SHA1
0204de2c97fb1417b7963b3c0e551463b01aacc7

SHA256
ef3e18049837c7ec98e6b2e6a7a51c0d67937b825de2ba8eeb33485f9a8d7b6e

SHA512
3661a136d605ff6f3e39f9885b910cf4a4925407b736bdb862b82ed06a688042ba42351768544ee5579ffbc073a020acb0e2fbb4485bf55b1102a483ead3198e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
565fc857b9f883f5bb189871a7a42be0

SHA1
6dc85705166ec5de600403a041ce57bd4ba29ccd

SHA256
279f5802e03e5baf904cd30c4ab690eeae944e1a486c0639c42b3992658c210c

SHA512
710c08580437226839fe6239b0f6c457606d6e1e8260bd2f082462f262a89a3be3d0700435302778681c87d3e69bf3e75e384d1cb5aed0e2be307a364f44cb72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b87b3846af25a8470dba8118bea73aaa

SHA1
cfd3c8d1a78ef746487b7c16befed9cd5d87fd48

SHA256
7e0145a40bd7ae2429c4355b6b7f734cd160adb6d04a4e7cc86e9beb92fbb9d5

SHA512
d535075b77059429f5e6e82e3b5ff79f5d4a0a0aac3dfd01e84b39d202333617819a5f127e7798fbeee003eae976b4a2059347122079572afe694812280256e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
cee880c0c52eecbf1519d03cbb6ac280

SHA1
0c085a09029905fa336d1c5a0de587ff9f042ec8

SHA256
e5f804e02a593da4c24926b672640e5e65dc73c0071cd3cb19abc53472fa6b0e

SHA512
30ccc9cc1a552be9fc3009fda3c6d3e342f1f745ec8bdf4245e26d11ff12567121102363c962f72c25ee49cdd534a46bbfd45c53ef3bd49d1966c20fb16a8a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
memory/768-38-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-39-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-119-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-13-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-10-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-208-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-207-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-11-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-9-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-8-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download
memory/768-40-0x0000000001170000-0x00000000011EF000-memory.dmp

Filesize
508KB

Download