remcos | 974b3b9247ead5b640b495a96efba657ebee885fd25374e294ce55d7472ee402

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
23-04-2021 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21731d17093e84bd146460b533627120.exe
Size

999KB
MD5

21731d17093e84bd146460b533627120
SHA1

4437ace2b80a89732e1f292d50e767b646c9b05a
SHA256

974b3b9247ead5b640b495a96efba657ebee885fd25374e294ce55d7472ee402
SHA512

eda88fb8c937b5cf071f6cf2b3c37af5b6885dcfd63100f065c3d81243d23c81a3a4df82782bfd6c7c06b17c5ffc2fa5d9a7a508a6136109218a0ad7a8e6c160

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1596 remcos.exe
2360 remcos.exe

pid	process
1596	remcos.exe
2360	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

21731d17093e84bd146460b533627120.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	21731d17093e84bd146460b533627120.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	21731d17093e84bd146460b533627120.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

21731d17093e84bd146460b533627120.exeremcos.exeremcos.exe

description	pid	process	target process
PID 4020 set thread context of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 1596 set thread context of 2360	1596	remcos.exe	remcos.exe
PID 2360 set thread context of 1228	2360	remcos.exe	svchost.exe
PID 2360 set thread context of 2548	2360	remcos.exe	svchost.exe
PID 2360 set thread context of 4976	2360	remcos.exe	svchost.exe
PID 2360 set thread context of 4896	2360	remcos.exe	svchost.exe
PID 2360 set thread context of 5464	2360	remcos.exe	svchost.exe
PID 2360 set thread context of 5872	2360	remcos.exe	svchost.exe
PID 2360 set thread context of 5488	2360	remcos.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e3c9a0591f38d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 65031f4f1f38d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d5bb403d45ffc7ad73b16814de27d3a42d1fde9f4a254e7eea4efbb64c1eec88c6cc5077ba6caeb62c8982f2233fa0c3a2f84e28543983fea433548e27105805921671d4b22e7d990662120da853e921d4da6829e93186430a69e31f500f738ccf394e78596691422edccf8d7685ea6e61664607a02fb5c0e38f93291a3b589875d524cd6432cee19797bf5afef329d1c93a66156852982fe247dd6545b4ae445c8a59b6e2b3f144c4333f80b0bfc72402f8fcd275ba41d60030ecbc6e9a7eab72f88c59d9098385d050b02b6808ff0dd83eceb8be86d119f6e96488030d44271cbfdb747e5594054d8f4bb5d3edd5d640ae329bc0d876628314a5e43a2d3e59157f194484b551ba378e0a3c6a901e2319e6fb94b2cfd55204509914351a5fffd3d70ff8a54a5dcc38eee01bc50f476fbc87e785238b364ab23c6ff429f4079eda69e9be2935567ef44f91264f8c8c5e5a3299244c2c3039097a487821dbd2fbebd408551394756fe25111f3cd2513e1c4854f9b85d179c751a9074428ef6e63c6b8a633d1888a23b494113243fcd61e0b225cb3a69c37c5a219562d0e6971b2b2d43265df55	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 629e175b1f38d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos.exe

pid process

2360 remcos.exe

pid	process
2360	remcos.exe

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3508	MicrosoftEdge.exe
Token: SeDebugPrivilege	3508	MicrosoftEdge.exe
Token: SeDebugPrivilege	3508	MicrosoftEdge.exe
Token: SeDebugPrivilege	3508	MicrosoftEdge.exe
Token: SeDebugPrivilege	2496	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1944	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2496	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2496	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1944	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4592	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4592	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

remcos.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2360 remcos.exe
3508 MicrosoftEdge.exe
3920 MicrosoftEdgeCP.exe
3920 MicrosoftEdgeCP.exe

pid	process
2360	remcos.exe
3508	MicrosoftEdge.exe
3920	MicrosoftEdgeCP.exe
3920	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21731d17093e84bd146460b533627120.exe21731d17093e84bd146460b533627120.exeWScript.execmd.exeremcos.exeremcos.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 4020 wrote to memory of 3392	4020	21731d17093e84bd146460b533627120.exe	21731d17093e84bd146460b533627120.exe
PID 3392 wrote to memory of 3020	3392	21731d17093e84bd146460b533627120.exe	WScript.exe
PID 3392 wrote to memory of 3020	3392	21731d17093e84bd146460b533627120.exe	WScript.exe
PID 3392 wrote to memory of 3020	3392	21731d17093e84bd146460b533627120.exe	WScript.exe
PID 3020 wrote to memory of 1092	3020	WScript.exe	cmd.exe
PID 3020 wrote to memory of 1092	3020	WScript.exe	cmd.exe
PID 3020 wrote to memory of 1092	3020	WScript.exe	cmd.exe
PID 1092 wrote to memory of 1596	1092	cmd.exe	remcos.exe
PID 1092 wrote to memory of 1596	1092	cmd.exe	remcos.exe
PID 1092 wrote to memory of 1596	1092	cmd.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 1596 wrote to memory of 2360	1596	remcos.exe	remcos.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 1228	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 2360 wrote to memory of 2548	2360	remcos.exe	svchost.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 2496	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 2496	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 2496	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3920 wrote to memory of 1944	3920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\21731d17093e84bd146460b533627120.exe
"C:\Users\Admin\AppData\Local\Temp\21731d17093e84bd146460b533627120.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\21731d17093e84bd146460b533627120.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:2548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5464

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B811GMMZ\SegoeUI-Roman-VF_web[1].woff2
MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B811GMMZ\app-could-not-be-started[1].png
MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B811GMMZ\application-not-started[1].htm
MD5
95d5d55fdd517dba91e745b19d7ff3ef

SHA1
80d8544b964ad005dcd26606e21e99c5ebad63b4

SHA256
79c93d9dbd6ca63384f53061768b811d9e5e4127a83914e9979ee8d22874dba0

SHA512
8d23c6882848e648a0724eb9af1d1d14388fc637724555a2ad90411c32147c3e05ac6b620b83549a6114459a45b6951a40951221183042a8b1935c8494c1b587

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B811GMMZ\fetch.umd.min[1].js
MD5
426331495a2310e355c95c3cabb8cf94

SHA1
2ff04aec423d302524a0d613ac5f84eabacc87a3

SHA256
50a4426a6989263c4fce8242ec99518acf9f216b88043c75d10c764bf732bf17

SHA512
a669a8114de0e05fa0e3878aefa167d51c2c21bebcf2ea515c4487dc9a82f70e1b4f102c4c43d2703bb99cff2a2f95d9d76d34a6a5e86318efd79b88233ebb35

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B811GMMZ\latest[1].woff2
MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B811GMMZ\toc[1].json
MD5
86f025aac070c2ea6e186279910c9dbf

SHA1
1df78c27dcd4bbce23577e26d61f97b60f3fca85

SHA256
c79a4a86abae68b7d082c3e3dd11f0416c9780471bfb1c2dc1d4ad1eca0d040e

SHA512
58c9c59176c9eb85e68df3237480bf86bfe2eeabc59ab842a4a75598e621e046b9ba760f236b6a55a12003244598e7fead70ff909bacee22ad1891f22343276e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\S557CAWS\MSDocsHeader-DotNet[1].json
MD5
5b27339798f512c07dc7dc5375d2adac

SHA1
bdf29fa27494e9973aa2a357a042a4912cc912bb

SHA256
8ab847f2e467717c24ca2b35d83336b7d8289478ff21010a27906e12a4ec2245

SHA512
e555dc11d08cf52207e0f49e105e07b052b9d38d9aea6d9a017ae637cd19a5e4f22d90f7185ffddff50a9d63246fb9def17573981f57e511faabdc96eea521e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\S557CAWS\MathJax[1].js
MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\S557CAWS\c4d75c2f.site-ltr[2].css
MD5
540d17afc0e5480d364f86b9bcb3f1ea

SHA1
6daf944b3de1ecdf0dad1c2defb9c5112d968e73

SHA256
25b287ea9434de5bb1fba79b454ede7d53f8a2a912c3f97ab0b43709b34ecd39

SHA512
87dfbb6f43f3dc68a7924569dbcc79a56c3b404ab67c9f3fcc738e5539ae171929ab280bd828d8fb52d69d81517815ada55781ffaaded2bdf347160ea543792a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\S557CAWS\repair-tool-recommended-changes[1].png
MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\S557CAWS\template.min[2].js
MD5
6daed083086c521d306f7d9f77b8533b

SHA1
ba854384cd7984635159f57c52707fb8bb8d3b63

SHA256
b1421ef2407b4f269d9e9083a99cf3219ff24bede5deac557aaf60108f197724

SHA512
b0568c40d96dc4c3672040391fddb1afc5be52823ad460eff67c5335b40ddf7eb42ba8dbfa8bcab0004c8e23e7a51e41162a678c8ec01c6eb785091b0b9f958c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\S557CAWS\url.min[1].js
MD5
715749b6973b4268c2993bc2b73f8faa

SHA1
405ad2061df73f752ee53623822ebaaec1f89e02

SHA256
e3f01a42ab36248bfca392804d39abfc388b3cabb22e0364526cd3e359d92c9d

SHA512
75b57a03db3aca77c857bf07ec789ea540603001279508edf4889195eadaae1dd629498d58d62a8ab7ae64669a776a0a44d10f0dd342dc863d9082e08fa4f041

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U4236DIV\12971179[1].jpg
MD5
0e4994ae0e03d9611e7655286675f156

SHA1
e650534844a7197b328371318f288ae081448a97

SHA256
07b979b12f1cb506df7675efe227a2e78accfa1f5954af2b7bb66295e5cf881c

SHA512
07aaae5347fa8e82f86d0ba7c28127fac952d84bad3dce119654b5ba1cd2550c8d064770473f34f89fc383847b2f1594b3600d9fd01e6275d67868c41638e34a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U4236DIV\8a64e446.index-polyfills[1].js
MD5
c2838dd9c16c1d2d90afcbd2bd542ac5

SHA1
d4042ed31a2ffab7d312c66a527851b0bb8ad7a3

SHA256
aa7dd71eebadc1039eea7308114eae927fb442b27d701a670db43c5da5b551f2

SHA512
df5ad8f7d60ad5b7463192a6fc07310c3b9df443594faead2c9a19cd3da6adea9e58c01775eb9efa37d1024797a61fb45c96d40b9b0af34edd7802e937372faa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U4236DIV\TeX-AMS_CHTML[1].js
MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U4236DIV\bluebird.min[1].js
MD5
8c0479914b7b3b840bf9f62cffe4adaf

SHA1
c33559d5f359521e58ed375d6863a2e85a37eadd

SHA256
aec354e7dea8b95f5a6242c12dbc66c54d6264795cddf1ce685f59de541cba86

SHA512
7c31c0bd521562cc0f6dd604b568267fc217d198daae568b384a49b9cb93e21a27fed0fab3b2a989f3715a864e0f7f867040474799abfa6c344360310caf4c7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U4236DIV\f8642e01.index-docs[1].js
MD5
daac4e1a9cbf2a8ac760fb198738addf

SHA1
9fb4d19de70fc21b73e0d2d839278ea8dc36698e

SHA256
6b4d41d60615dcd43c142a4c2339d6186617214617c20b7462cc87b3baf621ed

SHA512
0d6ef7628618ab6537722577f8ee053b94c945d44d0fbd1a99bc8480a105ab6f85a00c5f7617428694c96f09cd07567e4a930c54169a0ff20a5e5fb64d3d8137

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U4236DIV\install-3-5[1].png
MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U8P5P9XE\jsll-4[1].js
MD5
211e123b593464f3fef68f0b6e00127a

SHA1
0fae8254d06b487f09a003cb8f610f96a95465d1

SHA256
589303ca15fba4fe95432dbb456ff614d0f2ad12d99f8671f0443a7f0cf48dff

SHA512
dad54d7941a7588675ea9dd11275a60fb6290e1582d1c7a4acb50642af3c2a4aa35e32edd8fa9dd01ce7fd777247d2706d5672a201633bf918b525936e93b14b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U8P5P9XE\ms.jsll-3[1].js
MD5
a1adc22dac79bdccd4826eb07dec500c

SHA1
c456e7577677d55e28d39366b72041df6bef6f6d

SHA256
7cda7115588ca6583b6dfae0c768b9daf3815567985bd0371df95039ecb801a5

SHA512
e70b72305ec3470c77fc49958ebe4dbb98fe08947c97091b9bba6e1e1c55bd3802a33c3253898391daaecbaa3f2ab5137b1817d3a1a36e71c4b98e5b15e2ee83

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U8P5P9XE\repair-tool-changes-complete[1].png
MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U8P5P9XE\repair-tool-no-resolution[1].png
MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U8P5P9XE\toc[1].json
MD5
7bdf223ebd8f0b205630f1ecf716deba

SHA1
a1c787afcb2c1fdeec5ffc56c2a74361108c87d8

SHA256
5c3d7b5b2d8ad34746c79830dc8331f9c0426131285ffe588b27cdc2488fbc0c

SHA512
6444cd8f25fdd1d6ee05c0967fbb9b406e136c813048d40ab3fc1ee24bdf0b6010c70f3c5a4a26eb90ae5ec4fc3f8f6e21ef5a3c1e2375af6f9c0d7f2a727e2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\U8P5P9XE\wcp-consent[1].js
MD5
38b769522dd0e4c2998c9034a54e174e

SHA1
d95ef070878d50342b045dcf9abd3ff4cca0aaf3

SHA256
208edbed32b2adac9446df83caa4a093a261492ba6b8b3bcfe6a75efb8b70294

SHA512
f0a10a4c1ca4bac8a2dbd41f80bbe1f83d767a4d289b149e1a7b6e7f4dba41236c5ff244350b04e2ef485fdf6eb774b9565a858331389ca3cb474172465eb3ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\0TU0Q7C2.cookie
MD5
faf0c383c3c194d1be5e9fd4e9bc2c02

SHA1
903782b3957972bba7e8dfe8df9fe9fdc3f792d5

SHA256
93e9e2a8354cc388e41b89cffc32866a5dab0c4d8965143d8cb2e46829fc1bec

SHA512
b6bf0cf9c807d9363bd59c902d753b42d5e19d93a3a602b9d432194a541733dd80b59ea869d9c5260638419e5edecece525ed72545add7fa284af1c972cd3e04

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\4F3QHTBV.cookie
MD5
cf56ee727d564d31c028bbf1de56acb6

SHA1
72014ceac5abf6f9830b4de01e489ef734ad7bf0

SHA256
b83f55cff257f702f73a92fbee94a6d1e19a3ad79d39141c771b9d112aab7936

SHA512
f5473ed5aa3a55d5253c17e59afa649ae222c1925eaeabea961178c721dc06a543ac3bc78cf17dd7e121e1b8d179456b937ca01165b5f3f3a594decf23f8963e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\7Z6FVA55.cookie
MD5
12034d734d03a3dcf96b3063bd8e8276

SHA1
5f1ccc9f5895b878ae88ae9ce1459071d02d43de

SHA256
06dbb393e395e4166c37185aa7c0a041f534fd970f19754d96fbbe2cd9ec5d76

SHA512
51f82fb42ee734397fccd84043aed319320c0798de0bf26e8e02b068e4f4cbe53d41ea8704295fb45682778951d9efab584cff85c2243a5de3159e39aeaa8215

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\B3SI3BGG.cookie
MD5
6fcd14987d1b25e8bdafa362ca226732

SHA1
88cdc27b017aea7d94ebddef85046a434f94cd26

SHA256
b581068a716878ac46362e2ce9d521b6d242ad40631a9748497007bb05d90f73

SHA512
fa400cbe42d8e917d47b38f483ff6e1a3b1b246851c29782e7bd62740c62e0a8428dcd16f35eb510e6b7ca689ce4ad7522cf2220edf259a811aaada520c3b8ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\FXP0DXV6.cookie
MD5
efb9c882be921a6c8abac514dd3fec5d

SHA1
2f230a21317423be75e6fba3a0521653fffd4819

SHA256
d24a06364c2e312df8cb1e33faf1b88f249f72f63f6e8badfcb676dec7d4e49f

SHA512
f02961ef612929b9fc8254754e55e6adee3393e6cf2381200cd538f179772cdbfea7fef2841ff88b97f044c161b852dd2a48aef62bcbac8ab3279fb8ca17c326

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\K9GP13C6.cookie
MD5
fa8569dbeafeb9c4c5c0f64daf89fa02

SHA1
01ea534ce125d777e290b549470782d3111d7c23

SHA256
c95c777e9f572681cc57848f2ba49a101b47fba9eb0c0976c6f1c754d39281d9

SHA512
20f16d5a727ae5a15655a6c676e702de9ad5f0ca79d23b5e3118ae7a8a416193cd54d5cb5fb5ef1196d9486e2c1abc5ebd16db367d77d29350d05e193cd5836c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\L4DBQSXA.cookie
MD5
a6465719e0c293f7771e48f27cb46bc8

SHA1
18a02c8e888c04a42d00897397b0174e0340af30

SHA256
da5bcdb8eb801e7b6ffb62dd971533a2ba914c3dba91d3931d884d88aa71a802

SHA512
e12868f342e9e20d4ab43fae9d73e5bdb4646de1d161fd936e2796be5ebc2a9008bd0d8ffa663b8719c9910c11359c4edc99fd53c16d6ff3bbba67ef02ae2804

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Z30XW3UC.cookie
MD5
939e8b38bc5ed832e9103e2688ddabdc

SHA1
b4a629e589471980647f594c0430794b64f7fb82

SHA256
3aef1c07baf3ce0a1b379280910f6deb11d20edef9060c7ff5020c0d367a66bc

SHA512
689b3378c3309fa5159b1a1b64aba95b5a4d12069e6611509627ad7e10a0e8d736b271752cb596c22feca461df1cd8a42276bc0b98ffa41402b6af57564243d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\JPPAO372\docs.microsoft[1].xml
MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
1b4f8c8e8cced9e6f9f126ef5db396ce

SHA1
539e809d6dede4dfd5c0f60678325794d92482f3

SHA256
e1234092ce82224627d86d9ab74ea563a6266b9eced5a3ecf84fa1824d822d75

SHA512
3b70088e71eb1aa044365b58945d04c2afdcf1898a58dfc917179b9c09e98ac22a8d2f428fb70a4498b0b86dc443de22a7aeeae8a8c80b2ec6f34455c104eef7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
1b4f8c8e8cced9e6f9f126ef5db396ce

SHA1
539e809d6dede4dfd5c0f60678325794d92482f3

SHA256
e1234092ce82224627d86d9ab74ea563a6266b9eced5a3ecf84fa1824d822d75

SHA512
3b70088e71eb1aa044365b58945d04c2afdcf1898a58dfc917179b9c09e98ac22a8d2f428fb70a4498b0b86dc443de22a7aeeae8a8c80b2ec6f34455c104eef7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
82b73370ecc38d620b05e8a1a15c608d

SHA1
8e30b6b344f0e28c3b9f8b71c6259e152445e27d

SHA256
da0ea07443d92aa4bde910139f07b1d5590065b3d2dc2fa17e6824a81ef05c35

SHA512
0cd45612726e8f7e30166e195f6111be7d2779fb85f4d6cc6da8c8849feb39ff2bb0239bae5946d26f1fcf2951314e3dc583243dc302a1e2482593073e2ccd1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
82b73370ecc38d620b05e8a1a15c608d

SHA1
8e30b6b344f0e28c3b9f8b71c6259e152445e27d

SHA256
da0ea07443d92aa4bde910139f07b1d5590065b3d2dc2fa17e6824a81ef05c35

SHA512
0cd45612726e8f7e30166e195f6111be7d2779fb85f4d6cc6da8c8849feb39ff2bb0239bae5946d26f1fcf2951314e3dc583243dc302a1e2482593073e2ccd1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
2c1c6af4b1d6212f0c82bcefb930a3be

SHA1
7de2b2e7c9d41e5dab0ff1c15d5c5d32d5025067

SHA256
4063ea0dbd8701c9fb821f7fefd618249e7968762a7847504085806319f248a1

SHA512
319a731e67aee1bc96aee3a4968be70febff2c0cb68cb0b1efa84d51827b36c3ec7ac407904db8c220efd5791227ea6762208e69ab4c07fd815c911f2987aabb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
e48e3d0d3c268ceec788c4a1593834f9

SHA1
3e2b1ca5c8def67ef0a393dc3f3a8e858705383e

SHA256
d1311d9c13d9352a0df1d2878237548a8a2c70780c8098a4a9bb40a37de7c30d

SHA512
695ce2c728d254c9b92201c14634fa04af97bfd2abc825307ecb81894986cd91a6737810aa5714da11a996ac22dada5de7b21c3fc226b0016721898887665d80

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
e48e3d0d3c268ceec788c4a1593834f9

SHA1
3e2b1ca5c8def67ef0a393dc3f3a8e858705383e

SHA256
d1311d9c13d9352a0df1d2878237548a8a2c70780c8098a4a9bb40a37de7c30d

SHA512
695ce2c728d254c9b92201c14634fa04af97bfd2abc825307ecb81894986cd91a6737810aa5714da11a996ac22dada5de7b21c3fc226b0016721898887665d80

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
01d8f42f7ea882e58d58c037dc9fa4a9

SHA1
caa786f403d88ac41c2be518905f0741ac1a9fe1

SHA256
cb26a3f27208885a6c45c72d2b599a4a1cf4f61c7284ad588c867781927bf714

SHA512
ad7290c0e5536cd777b2b7568c2a007ead3503f8630f840802a53b1e370672c3fbda331e7e3b86a0674fb264664b994469d33a98de7047fd9e103408698d41d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
8452c92de8235989bafc893cf85dccde

SHA1
b6da79c46d1d13d68ec5ee44f442ec7ba7904669

SHA256
3e653788bc7dc147686eb0943bcbee5360322843506e8f1df3b963c4a445000e

SHA512
2c4dab748af8ef78924b17085b27b05421be3cf7cb6fc041af517f0ed175b0770f12e6e69617679d5e321e9291f5b2ac5f8313fe598e2be35a835c2e23aaabe7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
f8eb4dc802d78a88e0152d4fe3468a47

SHA1
5a984fa6d34c194ddedf56bdb92422ba347dfdf7

SHA256
e1107dbb0b8944991dbfe1072801fff2ff9f6759f01c0260573d4fe0cd0adcee

SHA512
73592e42883e6248981f9c8b08ae58c68e107194b5e66c65a49ea179d007c1cc0165f8550028872291300e36b69ee61be5f8ac7683227035430a04bbbf2e3f79

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
89b447fdb17370b725c9ac0163cafc7f

SHA1
61b42f7c4c5616dadac6f8cb5f9a6f27755de2dd

SHA256
89b95c6950143900f7fddc0ce8c3ca710e59f70ad9b0bb559db928a510301f0f

SHA512
1ef55daee8eeeeb8d390e2a56fdcb0395179ac7e71ee4eae75fed6f07c1fdd1332ee5110792e7e5e24727fe8dbb1f018034728e63e073f9e9a64f4d761d8f5d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
d47b592d5206211bd31794abba1a9098

SHA1
352ba7635f927ee9b1463b0c51c7671d7c04b324

SHA256
3d968a2f6498b6d7bf02a1d4436dc276aa23b84d422275ffcbde2539557ff09f

SHA512
786db6b3a77f54f4e13cdcccb71f406aa54ae74372a600ba75b5d227a136511c0ab12d4b0bd59b8f4d18ea7cd20a7d99928f74c6eff27013c2501528e142f582

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
531b0988d7ef28102982914da0f6357d

SHA1
d08274d4510e0b02d8fb9d125aab1b85e998d373

SHA256
47b35f4a0fcb59bba516b6e4bca6c6ef8f2499c3696af158883928a651f51ac8

SHA512
2929f8e67e9d816a43318b0185e043e9e120b6b1220301ad1848c183e11b4a9747ce8db4797a5f7b47ee6812b4ca80c8ea15faa9af912b755640422781cdeded

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
0c5c9c9e21ab468c0b772c12dfc36689

SHA1
9ecc13d47b6c3ec379981eb7b552a71ece258f59

SHA256
e21273cf48d3191eaf7f7c2931c2b6da902e5d225c8e3a202a6beaf3446b52e4

SHA512
747bd48796b18ec69ac4c56e956a35107caee62c6e1264f61a2aeb7eac5614353c2c331d8ccda3b72894dc1d595410df15baaf2119fc2c7546f700f50323fe44

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
0c5c9c9e21ab468c0b772c12dfc36689

SHA1
9ecc13d47b6c3ec379981eb7b552a71ece258f59

SHA256
e21273cf48d3191eaf7f7c2931c2b6da902e5d225c8e3a202a6beaf3446b52e4

SHA512
747bd48796b18ec69ac4c56e956a35107caee62c6e1264f61a2aeb7eac5614353c2c331d8ccda3b72894dc1d595410df15baaf2119fc2c7546f700f50323fe44

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
0c5c9c9e21ab468c0b772c12dfc36689

SHA1
9ecc13d47b6c3ec379981eb7b552a71ece258f59

SHA256
e21273cf48d3191eaf7f7c2931c2b6da902e5d225c8e3a202a6beaf3446b52e4

SHA512
747bd48796b18ec69ac4c56e956a35107caee62c6e1264f61a2aeb7eac5614353c2c331d8ccda3b72894dc1d595410df15baaf2119fc2c7546f700f50323fe44

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
9ee20a436c1dd91746bfcf1c8243dfd1

SHA1
f3f363fdd4d8ec88d9f0df5d30d612f72a12b2de

SHA256
d472a60b699e1a06295506c61df63179276d6a35aacc33cb6c31e5bac700deb7

SHA512
7572cc48f10c3f23b2ebd39b1bc1726de2af530c52e5c518b3a6580d6b29836d8af384015c24a3abdf5e0b249e7ca0674e798707b415dd23e911487892f1b747

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
49b4294de7f13cf4ad9b9b55f0dd7a90

SHA1
15be391bcc1e1f2ef9d77969c5358dc5a5c6447a

SHA256
1638ff8a7a3d14c2477cd42e501adf75efc2b6eb6e8522b5d92b16d2b8066e67

SHA512
a5577bcc580f1e09163be5e1eae695547c82a369c32b70b2dab6dfc9091e2331e03f0a4a616c797ecd5fe311748df2171fed6c96ff1e52019709bd5b746111bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
d7178cae2275df2a1db21b25d4328efc

SHA1
c09fc69ffe4e864b1ce50ade67388f4e7761a234

SHA256
52b91f23d695e266fca0a7726914d10dd4dd87d0053a9f1f68a7ba6a9e1f73f8

SHA512
3318965d35f60856df30961bde2059fa98ae1df7b51906d34b8223977499a883933e1ebde685fe6b6f95a4059b184357259f19455d7c5583de17de8f990fda76

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
d7178cae2275df2a1db21b25d4328efc

SHA1
c09fc69ffe4e864b1ce50ade67388f4e7761a234

SHA256
52b91f23d695e266fca0a7726914d10dd4dd87d0053a9f1f68a7ba6a9e1f73f8

SHA512
3318965d35f60856df30961bde2059fa98ae1df7b51906d34b8223977499a883933e1ebde685fe6b6f95a4059b184357259f19455d7c5583de17de8f990fda76

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
d8275ed6b5a75dc365058d982e24a9a9

SHA1
98f492a5a75eb001353d242f79af54a459ccaab7

SHA256
1236576731beccd9b1cc72b088e04b408814947e06d5c82477e50102bfae67e0

SHA512
d8aa62e2f33c5e12240ba0d37e2f33ec49e9514970d4a228dfbcd5fe75d4b2d97fda24bb05faccab86cfca1641e35d551ff33de418a8e91d1debd825db6e80e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
72dbe997aa8b6172bb521ee416049583

SHA1
c860375716c15946b7ca763f4588dce131a13125

SHA256
a4c361af8e6cf1a2e778a612a77a023ad504d4f498e2e939da72fb1c0d1ee475

SHA512
265e2d67069d5de218571548648812d6eb53027e12ffc3792c57865efca908a288b07784a5151e75910df8fd589ffc22e183055c5a5253b7b3ab859803d21a71

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
582427eb0e9882d0a035d7b3a8a261ca

SHA1
d89ce828e4c4a3c4bcb785c3d56237d00654bd69

SHA256
d23d231aefe69635a7e5541aba0896ffdbf939e52cbf8820ebc015870a8c6e71

SHA512
9180be8621c85081e2d98ff409ed5986a167860abbaa5113fdec5dfc68cb716db7499ae4c3b5a9b726d77881e69ac605ef73a829535469821cef258fb39d0ecd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
366d0e253cf86ee23d43e3351ea75c7a

SHA1
dff35954540e019dced99ee92c38ce75820bdbd8

SHA256
b9841b22ad283605d85448168b29e6ff614b883a7b56f6883f2a437bc7335171

SHA512
71de7abc38e63afb3d97db13cf9fdb098a24eac282403024fd431997770fcf70fb9fb1f7735665bb9a694e910b5c94484a96d76a3e8b7590a6d63fd2a22e8d4a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
c450565e9a8ed309199c42b7aa21a623

SHA1
5f063f16491d68d1c19fc4eb5991110eaf947373

SHA256
ba794d3dfd7bec842f0fce9ebf5550ed67a41a42c52d307683e8b5263e1ca6fe

SHA512
aa333ad1341f950d569b95b82b74ef9c9c98019975fc197cb70f81b6f2e58791f4276137da64c696d44ed5eda64497662e053dabc9bcae8a95dbf238ae92abb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
21731d17093e84bd146460b533627120

SHA1
4437ace2b80a89732e1f292d50e767b646c9b05a

SHA256
974b3b9247ead5b640b495a96efba657ebee885fd25374e294ce55d7472ee402

SHA512
eda88fb8c937b5cf071f6cf2b3c37af5b6885dcfd63100f065c3d81243d23c81a3a4df82782bfd6c7c06b17c5ffc2fa5d9a7a508a6136109218a0ad7a8e6c160

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
21731d17093e84bd146460b533627120

SHA1
4437ace2b80a89732e1f292d50e767b646c9b05a

SHA256
974b3b9247ead5b640b495a96efba657ebee885fd25374e294ce55d7472ee402

SHA512
eda88fb8c937b5cf071f6cf2b3c37af5b6885dcfd63100f065c3d81243d23c81a3a4df82782bfd6c7c06b17c5ffc2fa5d9a7a508a6136109218a0ad7a8e6c160

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
21731d17093e84bd146460b533627120

SHA1
4437ace2b80a89732e1f292d50e767b646c9b05a

SHA256
974b3b9247ead5b640b495a96efba657ebee885fd25374e294ce55d7472ee402

SHA512
eda88fb8c937b5cf071f6cf2b3c37af5b6885dcfd63100f065c3d81243d23c81a3a4df82782bfd6c7c06b17c5ffc2fa5d9a7a508a6136109218a0ad7a8e6c160

Download Submit
memory/1092-129-0x0000000000000000-mapping.dmp

Download
memory/1228-146-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1228-147-0x00000000004FB24E-mapping.dmp

Download
memory/1596-140-0x0000000005450000-0x000000000594E000-memory.dmp

Filesize
5.0MB

Download
memory/1596-130-0x0000000000000000-mapping.dmp

Download
memory/2360-144-0x000000000042EEEF-mapping.dmp

Download
memory/2360-150-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2548-152-0x00000000004FB24E-mapping.dmp

Download
memory/3020-127-0x0000000000000000-mapping.dmp

Download
memory/3392-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3392-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3392-125-0x000000000042EEEF-mapping.dmp

Download
memory/4020-119-0x0000000004C40000-0x000000000513E000-memory.dmp

Filesize
5.0MB

Download
memory/4020-117-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4020-122-0x0000000008410000-0x00000000084F4000-memory.dmp

Filesize
912KB

Download
memory/4020-121-0x0000000005130000-0x000000000513E000-memory.dmp

Filesize
56KB

Download
memory/4020-120-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/4020-114-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/4020-118-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4020-123-0x000000000ABF0000-0x000000000AC96000-memory.dmp

Filesize
664KB

Download
memory/4020-116-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4896-225-0x00000000004FB24E-mapping.dmp

Download
memory/4976-219-0x00000000004FB24E-mapping.dmp

Download
memory/5464-231-0x00000000004FB24E-mapping.dmp

Download
memory/5488-243-0x00000000004FB24E-mapping.dmp

Download
memory/5872-237-0x00000000004FB24E-mapping.dmp

Download