remcos | 8a95a509c657f55f3037336ba69c03f687b6818fdff078aaaba41ee359154eac

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2025, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747031500_D747031500_A.js
Size

1003KB
MD5

e3765da77fefd90e2a7e1fe50029a1d8
SHA1

b0aec621810789c80ddeb96d746cc88ee6b0db50
SHA256

8a95a509c657f55f3037336ba69c03f687b6818fdff078aaaba41ee359154eac
SHA512

47c7a5f988e5051aca274b2dfa585348f814fd4105d93b6b6e81dc54044eaab767319ca0e1f62cf160aa1571850e089cb90c94120889cda2b3d47cf7c7d7ef0a
SSDEEP

24576:kYnZJg8/S5NnzlKWrhjxQfB/nQ0xc/qqXsE8zl:dg8/S5NnzlKWrhjxQfB/nQ0xc/PO

Score

10^/10

remcos host 2025 collection credential_access discovery execution persistence rat stealer

Malware Config

Extracted

Family

remcos

Botnet

Host 2025

favor-grace-fax.home-webserver.de:5930

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
iuioh.dat
keylog_flag
false
keylog_folder
iuyt6yu
mouse_option
false
mutex
iuytroiuy77im-KQ32FT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1500-69-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2748-68-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2608-67-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2748-68-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2608-67-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4532	wscript.exe
4	4532	wscript.exe
11	4532	wscript.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
2	4532	wscript.exe
71	4724	Process not Found

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1836	msedge.exe
1592	msedge.exe
5028	Chrome.exe
1396	Chrome.exe
1316	Chrome.exe
3048	Chrome.exe
2456	msedge.exe
1684	msedge.exe
3916	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4508	kmwdx.txt

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drvt\\KMWDXT~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\drvt\\fdilfn.dll"	kmwdx.txt

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 4360	4508	kmwdx.txt	93
PID 4360 set thread context of 2608	4360	RegSvcs.exe	94
PID 4360 set thread context of 2748	4360	RegSvcs.exe	96
PID 4360 set thread context of 1500	4360	RegSvcs.exe	97

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmwdx.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1592	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
4508	kmwdx.txt
2608	RegSvcs.exe
2608	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
2608	RegSvcs.exe
2608	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
5028	Chrome.exe
5028	Chrome.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	RegSvcs.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe
Token: SeShutdownPrivilege	5028	Chrome.exe
Token: SeCreatePagefilePrivilege	5028	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5028	Chrome.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4360	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2988	4532	wscript.exe	90
PID 4532 wrote to memory of 2988	4532	wscript.exe	90
PID 2988 wrote to memory of 4508	2988	cmd.exe	92
PID 2988 wrote to memory of 4508	2988	cmd.exe	92
PID 2988 wrote to memory of 4508	2988	cmd.exe	92
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4508 wrote to memory of 4360	4508	kmwdx.txt	93
PID 4360 wrote to memory of 2608	4360	RegSvcs.exe	94
PID 4360 wrote to memory of 2608	4360	RegSvcs.exe	94
PID 4360 wrote to memory of 2608	4360	RegSvcs.exe	94
PID 4360 wrote to memory of 2608	4360	RegSvcs.exe	94
PID 4360 wrote to memory of 2884	4360	RegSvcs.exe	95
PID 4360 wrote to memory of 2884	4360	RegSvcs.exe	95
PID 4360 wrote to memory of 2884	4360	RegSvcs.exe	95
PID 4360 wrote to memory of 2748	4360	RegSvcs.exe	96
PID 4360 wrote to memory of 2748	4360	RegSvcs.exe	96
PID 4360 wrote to memory of 2748	4360	RegSvcs.exe	96
PID 4360 wrote to memory of 2748	4360	RegSvcs.exe	96
PID 4360 wrote to memory of 1500	4360	RegSvcs.exe	97
PID 4360 wrote to memory of 1500	4360	RegSvcs.exe	97
PID 4360 wrote to memory of 1500	4360	RegSvcs.exe	97
PID 4360 wrote to memory of 1500	4360	RegSvcs.exe	97
PID 4360 wrote to memory of 5028	4360	RegSvcs.exe	100
PID 4360 wrote to memory of 5028	4360	RegSvcs.exe	100
PID 5028 wrote to memory of 4568	5028	Chrome.exe	101
PID 5028 wrote to memory of 4568	5028	Chrome.exe	101
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102
PID 5028 wrote to memory of 4920	5028	Chrome.exe	102

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\747031500_D747031500_A.js
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\kmwdx.txt" "C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\fdilfn.dll""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\kmwdx.txt
    "C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\kmwdx.txt" "C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\fdilfn.dll"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\piirnphacat"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\zcncohsuqjlefg"
        5⤵
        
        PID:2884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\zcncohsuqjlefg"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\kesupacwerdiimyfc"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb30fcc40,0x7ffdb30fcc4c,0x7ffdb30fcc58
        6⤵
        
        PID:4568
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=1908 /prefetch:2
        6⤵
        
        PID:4920
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2104 /prefetch:3
        6⤵
        
        PID:3156
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2392 /prefetch:8
        6⤵
        
        PID:4736
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1316
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1396
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4588 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3048
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4668 /prefetch:8
        6⤵
        
        PID:752
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4596 /prefetch:8
        6⤵
        
        PID:3204
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4784 /prefetch:8
        6⤵
        
        PID:2104
      - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,17132554594411664365,11078151385446561483,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5176 /prefetch:8
        6⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffdb28646f8,0x7ffdb2864708,0x7ffdb2864718
        6⤵
        
        PID:4664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        6⤵
        
        PID:2488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
        6⤵
        
        PID:4756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2052,12061304547044294765,12922049574384242591,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1592

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODc5NDgwMTMtMENCOC00RTY3LUFDMUEtNUIzRTIxMkRFRDFFfSIgdXNlcmlkPSJ7NTdBRTU1MDUtNjcyMS00OTVFLUFGNDQtQ0QwOEFDQjc5NTAxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Nzk5QkQyQjctNzkwQy00QjcxLTk0MjEtOTczODNCNUQ5NzkzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDA4MDUzOTY5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\iuyt6yu\iuioh.dat

Filesize
184B

MD5
62c8a8384800a6536c7d4f952ac8517d

SHA1
c6e691481a27e87288adaa3053f9611efd7e6e17

SHA256
cbe4c412fbe18730e3081a1e289f7565b94d3d7f84c829724a2b67704d230e6b

SHA512
73b8eeb25ca9f9ac191759111c36f271a5a37560d99ba25b1b2696a8264a03f0548ac0bc933491cad2218cc8be3025c72221872761b1d86e3694a93879c62e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKIDHR~1\knkfcutogchunsg.bls

Filesize
342B

MD5
a8a133ddc500108184d77f5b54b3d329

SHA1
bc44210a564fa6bf9e9960954794c3dbd64f08d0

SHA256
394cf473b490411611883bb970f37d2403e3f08535eb1e640a5773a517eccaab

SHA512
78d2025d9817d3f102fd7354461d89a70f4b8a651ed9543c54dd28d693b06848edb35d24994e38cb4ae63a5080d1715df26b77acf171925064e39ee6e80e3bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
f79b865703622658a37c6deddce88ebb

SHA1
753caa2b5749be7059ec439004846fa6ef93598e

SHA256
8636f1ad30816987f31d5e73789343cc11198d3ea50cf6480f27544d72a40f50

SHA512
0020b7a308658ddaa4ccc49cb11496e47335832e4d05c5845802d74b407b8e61dc409515cac0a16f008e929b186eef241b44c679a1824a4d2681c35f10182e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
7a000fa1eca3a792d3cf4714fc7d8d84

SHA1
4b0ed4e91ba7e1b4bfe8d4994fd7e437f1721c77

SHA256
852b0063669143868d9de280e3c785a30a65fc4748591b7859ee3f1ed3f97ece

SHA512
de5411fde37911c035d89ed6e7ea9534499c8c1a3a339c08b919c49bb6c62a1a9a06bc44586b9fb3ef6cc8a23031af0b2b2bfc62b6cec69785b96b5edcdf69c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
bd1b047692013fe1d3b30771719db2c4

SHA1
f8de74bfb136420bad3e330976e10856fe992e11

SHA256
1ee6271c003bb28148fc6cb6984b131caf2bb912b5a2a54d6fdf37d6b007fdf1

SHA512
87089904e14349eb4c511ab9d0632b1e7b136fd333bb4f8044d7414c6b6e6a705e85abf2f991f710d1c57b1590e8bd15fc7f523b99fdb4b6b0efae0313188901

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
234a6f39761b294bf99e0f44290282fb

SHA1
90f15316aabdf756160ffaa6f374e6677b99dd60

SHA256
117138588bf482c2d1a72452af7ae6b95165e48b543ef1926bdb14fb219dc00a

SHA512
d488dcc7af657fb249a3cba3a4284cee9404da5cb09f456442f869c82c4c4a104ef09b639c0d0a208fb2be1c0faa5233b313684e52d9daa74339610cbfbd85d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
0ea4c4b9168ef5189f3b849093ffeb4e

SHA1
65d29f622c09ca30c51a8ad7b27be520f4b55720

SHA256
4155714a642110bc5f22f0aaf9db683a67b14686c5b164e7db56d1c8c98118e5

SHA512
5e50959cbd0f567e37b8d0a623a819496e37ed92f88f8dc79cc94bfd187e67ca4b6a961eeb3f7b91e228ae2efd4e5326a34582c679cf195fd92de0ac94e501a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
9b207553a9e4e404e520263e269c0794

SHA1
a38d267b0a964f0b623d54013eb566c1f96f0ee3

SHA256
ce71930f7a66406ad1166cf88f071a16a4804dc5a41577a0914bba5a4f0a689c

SHA512
5bc40d521ddfb33f6617558b490e9f350393aaebe929af2200fa479819b0cdd574a051b1b4ed44db3f69e833c67647db6bcde6e18478aae4da19c4d6b72f5719

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
7f032f9b814c09b645d85c2fc6858d0a

SHA1
5d414bc09163e4fe37a6710e6c0e6f50be830ac8

SHA256
e3064bee1afd8c9559e3bd146472c507a26476e56e7c83ec63533b02480c91ec

SHA512
d67237a1fd64ab5c32894e5df15bc177449f40382d79240c3483a69a4ddb710388a37974c47103e9c710681f8e3f3210793c2a6412666632e9f2da5c192adc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
f7d7d1ffd024d9bd9918320809692bfc

SHA1
b2c711f85645d41305127a5d596568b5d48517be

SHA256
f159e5760433afe80d57959de10d45783b62081ff42aec09dde9a5ea523ccc16

SHA512
69e555bb44e3174039b6ed198235f5101334d44eaed8988b9f8b0f291c8481fc23a47e030c761fe05a536c41f11bd86a8b2fc65c03b27e63cff2710dcfe61605

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
de162ead5239ac5c7991ba7a60b4205d

SHA1
84c6520581d2a73e1243fec5241a852ce10cfdea

SHA256
136e2d2169733f24360290b036b27e19111bc534716ac0be620132dd57f96807

SHA512
67a22145606d5d83317e254fefbdffdc2c20a1c6c3d4b0900acd5201909f05ef2340636e424efb3e7a8396da7a02386660579753cd7b5ac79fc803477b0f2af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
e17b6620a5b286ad340e927f0cfda6ed

SHA1
80f83f5bee92797940305d26b0e8294d09411974

SHA256
9898f523653ac3e1e3a0b5c633272bbf369da212f39fc414b17c6a58fa781169

SHA512
ab3affe9c24587353cfccd7c961ab4547595fced4c8377a75e8774379ac4e6c19ec628baeffb9a09f6eec734a98c990134b06c530b5dafab882782d5e1b0e5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
c5a6231b2007617189351fede7baab30

SHA1
05853222b5eee0bd4f514575b15efb5b3c255b95

SHA256
6cdc3199f9cf0a951af484a94b5e86fcaa7bf49c3b2b8a5342df613a24a8bbeb

SHA512
2c01528b37a5021c60ce44018d83f5ff72ce15910908b6bc89ed753ebd065e1d7361cbdc7de6cd0f05b883adb799a3a99b1b2982554e0a6ee2ca0c283fc81413

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
80c5d483b0d9a924a1f6f3bc1972879a

SHA1
1e8a48e7e9547d3a69d90590cc95b546a9237393

SHA256
e9b339fd01d46a16d3fa39e36e08bc0b54220e073cb224cbdb7c16ba8e2e2f8c

SHA512
79e9e8a9018a1e38401d51846fbbe11f7a16e832cdb3cbdd6ce5e4bd8d1d2e42efc9868c75b903af757a4e8fa68975f3361ca7c5cefe64a35c989efcdb9d9b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
a91d62a87eb8d70ffc5a2ae7d61a43e0

SHA1
44d19e87ddfba672868e9ccf6594f469c5e3be8d

SHA256
23a6ca3dbe2a9ca15f82de19d18dbe58b857fe8a1977423bb6a8262b88ffde64

SHA512
0198fe6cfcdbab7a396f494045254d8018b86eee5092f60d06357a38422867400635bc3247e5156662434e08b6fca840c29960e01651a151d77437263ff10d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
d696dfd40cda6f53fc9b79443b7e611a

SHA1
4800b860a7dab53d9c1d7a78ed925fc87fbe2d7e

SHA256
e8a249da8b0f9401c6e491bfd253680e52041ee1d12b780fbf9426d82bccaeb7

SHA512
659cf2469915f17c5fd26ecf7597a4ff4ac9909e923e734a8787e13fd3b2d5ef03d4b0a3264c66d12d1f2cb762341f190b75c37dbc44061a392740cab4f7895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
1afd86460b9d0629b97fd05ca707e105

SHA1
4ba6c2a3bbcd1bd85d91bf9488b261ea87422831

SHA256
dd0b7301366ae8d4daa622548b6191fe29e7524652a314cbc48c248ad9365f44

SHA512
d6e252a1ac4dc0499cb025d25094ddc22fb1e9fd4d0e1bee107deb4f7db38482734c3b0f3216692ad8600c6c02880a323c7890443f8a15e67e6ae9bb6facc7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
38fc3f7b2830fcfe17f14efaf3c8e93b

SHA1
5022d569e3c20abce3477e39ffaea9cbcafc1d1d

SHA256
2a817eda9a27ebd501b3af5f8b29ad922113dfe0a073f395a41292fea18a41ff

SHA512
d37efc3b3ff0311ba1d34f90f36dfc4c9f17eddad056ebf0935bb46d32c3a098f4287e045e7c5350ff3dca6293989315dd343d43e973d8a8c7191a3ebd1c1954

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
811b00d882b29724790645cc17071042

SHA1
a43d674267625f5e8682bfa7365321eefff6683e

SHA256
a370045dbaceb282fb750065dc03ef43f385a8a29d141ed9481acbc71de6bc32

SHA512
41a5fc8823f54d95d4f0c3a90f995617f5431fb1415526ba9192e06ed6c788c17a02116c52608f12147c4d3d09aa3379ba78c9122c85a8e87b96b845ba0031d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
1849a797dc1b8048f95d7404e4aa5282

SHA1
147ab9f3928156ee129bf1a6e635a8dd52c74515

SHA256
36b4be4237f7d04894d2effc59e66a2ec8079e732bb4ef0cf01fb67875d3d552

SHA512
cf6e6b5843046da2c03bc407e802671388f87195070c011d2cdf064205633c51669c743bbff15087f3d2cffb639bc008c25653636183c2e0bbaaf7c6d2a6f59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
f1f157ec8942449dd6eda0194caadf65

SHA1
152c3893a716c220b214f50d50ae3f6830969289

SHA256
78ebcf780eaf80c4403cec872b9a91d53fbd7b3ad08ce25c4195b52932caa710

SHA512
0f51f8f6ff95860b6fe3f420789cf97074ad0017dfe0f58f0447defebdef06b211b75fc6ee57c6e67347f7b0d069376cfc17cc0c4f70b840e19b180975da7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
7f9e64348697245b3c4b7fa8e886e855

SHA1
9c290175798d7abe6c980ff742250fdbcc0866d7

SHA256
9c407628f4feeb276a64ccd1b9fb346644381282fb47c0c75a58010eeca7e278

SHA512
55ce5491b3d06e3908e376800e6843e8acb04cb38a85cd21ffb161a3dfa61325b554506ca4dc149e10cfeaab28cf11829385fdcb3a0402d51fff67de124c5435

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
a2ed8125766d12f12b476c41faf5337d

SHA1
49ffb7a9aab478c3c1135bcae317d60132df6b1d

SHA256
26533f413811256e6f41e6188394163bc44133397db684aa9f31ba02a677a5ad

SHA512
dc4dde2d69da353b437d9d0977396bacebc5b4b62e0bf7cc54d6855f8053ace4d4fb8be294e7c75b5e4e0660099421475caa3d936a6f19a9dc694376f2f807ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
247KB

MD5
be7a4b4f0c97043b65731adc90eceed3

SHA1
90500af23b8275566eba4c522f8b954f6b42b25a

SHA256
8f42a15abed507b0f64b223bc56504dfdba57f3a8eaebcbacd22ad5f50481594

SHA512
ef3e16d1f1b47ea7bb76daa6baa0b6c7fceba1464025decc948fd30c4a8653f559cacad1b1d0ca583cd2730a35fb91cdc3f5d1d9424cee6d8bf3cd4bb78f421d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\fdilfn.dll

Filesize
930KB

MD5
a224a99613680c9f62222278eabdca6d

SHA1
c54b0c5b214ecc82ddd029f4bac298b117181813

SHA256
b9767d9336f63b5b92b31d1e6b9e1c1891a0c62828a80a789fb358b03daf4b9d

SHA512
e1a0baa62c119abc5594b48f9441aeea56e29d67e8c5350cf3b9edbcdc5e9699157875f470f9af17d8110bd441d6fc3cbaedd96f11ff91fbbebbab11310e31f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\kmwdx.txt

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\knkfcutogchunsg.bls

Filesize
346B

MD5
cc57c6f0a60ec79c929bd11ea1c209ab

SHA1
9e4b6fa463e5e4b09bde26add356d39de9d0eb33

SHA256
3750c4fc9f35a931701497a6859596a4f19bcfb0da88058711880a543d344250

SHA512
76603902a82f5dcc60b7f1fe643da8ce86c306f395d98ab2ac2f8df911d714dd8504cb385fe42d238ff9512bf170137906631f833baaecb1093719b28a41d58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkidhrkkebcikn\wtine.amv

Filesize
878KB

MD5
c33a090d46bf270d49280178326a3616

SHA1
2df877c3633ad1b2c073b6bc96163d01f62cf0d7

SHA256
7f7b416678f859aa3e1e37cc1ebffb7ff09390c6c29cbcf75c97f1edeb2ae60b

SHA512
6b508912db2f66c40223e11f9baa51c1bbe64babdfb8c0dc5dd6270ffde1276fca86c81e1c1e2392404504ae242ab3343ddb04d9751e63e8b85ffffb51a855a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\piirnphacat

Filesize
4KB

MD5
18aaad48016d645ad439f178b27d0fb5

SHA1
b7b0f41b7e09b23ea220d2775242b779df74eec1

SHA256
e7a2cb979d8bccf31603e66a4b54542df0659773cc8718d532a1074d7f5ad558

SHA512
f2d6bd5dd24f3e69db77637eff8c74df749d13f259ea9e5036686c2371c97b1e046c5a01a41be8d076c9eda24bb8c6e72b63c1cbf02cd3d8f319bbff2e636464

Download Submit
memory/1500-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2748-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2748-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2748-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4360-79-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4360-48-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-78-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4360-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-60-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-58-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-57-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-54-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-55-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-75-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4360-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-45-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-87-0x00000000032B0000-0x00000000032E4000-memory.dmp

Filesize
208KB

Download
memory/4360-90-0x00000000032B0000-0x00000000032E4000-memory.dmp

Filesize
208KB

Download
memory/4360-91-0x00000000032B0000-0x00000000032E4000-memory.dmp

Filesize
208KB

Download
memory/4360-365-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-366-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-367-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-374-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-375-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-382-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-383-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-390-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4360-391-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download