remcos | 93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

Analysis

max time kernel
151s
max time network
149s
platform
windows10_x64
resource
win10v20210408
submitted
23-04-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c71e37a9cc1bae4bc5227de8c3c17a.exe
Size

1.3MB
MD5

25c71e37a9cc1bae4bc5227de8c3c17a
SHA1

0b841a04228d0774559a70051ce45ecab747ec77
SHA256

93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2
SHA512

1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

408 remcos.exe
3188 remcos.exe

pid	process
408	remcos.exe
3188	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exe25c71e37a9cc1bae4bc5227de8c3c17a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	25c71e37a9cc1bae4bc5227de8c3c17a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	25c71e37a9cc1bae4bc5227de8c3c17a.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exeremcos.exeremcos.exe

description	pid	process	target process
PID 488 set thread context of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 408 set thread context of 3188	408	remcos.exe	remcos.exe
PID 3188 set thread context of 1800	3188	remcos.exe	svchost.exe
PID 3188 set thread context of 564	3188	remcos.exe	svchost.exe
PID 3188 set thread context of 4948	3188	remcos.exe	svchost.exe
PID 3188 set thread context of 2364	3188	remcos.exe	svchost.exe
PID 3188 set thread context of 5472	3188	remcos.exe	svchost.exe
PID 3188 set thread context of 5904	3188	remcos.exe	svchost.exe
PID 3188 set thread context of 5684	3188	remcos.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6c52092a2038d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 72ea58232038d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9c424c0a2038d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000005afec600b48b6fd4bc0f13c7d7ff00ea3abb9d8508e5c386a953cc23cf43f2d563bfb2a39f680acee218a8938e44c9469161ca8e3d0f8b1d43a7	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\docs.microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos.exe

pid process

3188 remcos.exe

pid	process
3188	remcos.exe

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4852	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4852	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

remcos.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3188 remcos.exe
1168 MicrosoftEdge.exe
1272 MicrosoftEdgeCP.exe
1272 MicrosoftEdgeCP.exe

pid	process
3188	remcos.exe
1168	MicrosoftEdge.exe
1272	MicrosoftEdgeCP.exe
1272	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exe25c71e37a9cc1bae4bc5227de8c3c17a.exeWScript.execmd.exeremcos.exeremcos.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 488 wrote to memory of 688	488	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 688 wrote to memory of 2664	688	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 688 wrote to memory of 2664	688	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 688 wrote to memory of 2664	688	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 2664 wrote to memory of 2100	2664	WScript.exe	cmd.exe
PID 2664 wrote to memory of 2100	2664	WScript.exe	cmd.exe
PID 2664 wrote to memory of 2100	2664	WScript.exe	cmd.exe
PID 2100 wrote to memory of 408	2100	cmd.exe	remcos.exe
PID 2100 wrote to memory of 408	2100	cmd.exe	remcos.exe
PID 2100 wrote to memory of 408	2100	cmd.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 408 wrote to memory of 3188	408	remcos.exe	remcos.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 1800	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 3188 wrote to memory of 564	3188	remcos.exe	svchost.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1272 wrote to memory of 636	1272	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe
"C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:2364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5880

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5904

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2IVGOPMT\bluebird.min[1].js

MD5
8c0479914b7b3b840bf9f62cffe4adaf

SHA1
c33559d5f359521e58ed375d6863a2e85a37eadd

SHA256
aec354e7dea8b95f5a6242c12dbc66c54d6264795cddf1ce685f59de541cba86

SHA512
7c31c0bd521562cc0f6dd604b568267fc217d198daae568b384a49b9cb93e21a27fed0fab3b2a989f3715a864e0f7f867040474799abfa6c344360310caf4c7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2IVGOPMT\fetch.umd.min[1].js

MD5
426331495a2310e355c95c3cabb8cf94

SHA1
2ff04aec423d302524a0d613ac5f84eabacc87a3

SHA256
50a4426a6989263c4fce8242ec99518acf9f216b88043c75d10c764bf732bf17

SHA512
a669a8114de0e05fa0e3878aefa167d51c2c21bebcf2ea515c4487dc9a82f70e1b4f102c4c43d2703bb99cff2a2f95d9d76d34a6a5e86318efd79b88233ebb35

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2IVGOPMT\jsll-4[2].js

MD5
211e123b593464f3fef68f0b6e00127a

SHA1
0fae8254d06b487f09a003cb8f610f96a95465d1

SHA256
589303ca15fba4fe95432dbb456ff614d0f2ad12d99f8671f0443a7f0cf48dff

SHA512
dad54d7941a7588675ea9dd11275a60fb6290e1582d1c7a4acb50642af3c2a4aa35e32edd8fa9dd01ce7fd777247d2706d5672a201633bf918b525936e93b14b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2IVGOPMT\repair-tool-changes-complete[1].png

MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2IVGOPMT\repair-tool-recommended-changes[1].png

MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6GV9XZDQ\MathJax[2].js

MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6GV9XZDQ\SegoeUI-Roman-VF_web[1].woff2

MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6GV9XZDQ\app-could-not-be-started[1].png

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6GV9XZDQ\application-not-started[1].htm

MD5
95d5d55fdd517dba91e745b19d7ff3ef

SHA1
80d8544b964ad005dcd26606e21e99c5ebad63b4

SHA256
79c93d9dbd6ca63384f53061768b811d9e5e4127a83914e9979ee8d22874dba0

SHA512
8d23c6882848e648a0724eb9af1d1d14388fc637724555a2ad90411c32147c3e05ac6b620b83549a6114459a45b6951a40951221183042a8b1935c8494c1b587

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6GV9XZDQ\c4d75c2f.site-ltr[1].css

MD5
540d17afc0e5480d364f86b9bcb3f1ea

SHA1
6daf944b3de1ecdf0dad1c2defb9c5112d968e73

SHA256
25b287ea9434de5bb1fba79b454ede7d53f8a2a912c3f97ab0b43709b34ecd39

SHA512
87dfbb6f43f3dc68a7924569dbcc79a56c3b404ab67c9f3fcc738e5539ae171929ab280bd828d8fb52d69d81517815ada55781ffaaded2bdf347160ea543792a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6GV9XZDQ\install-3-5[1].png

MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\12971179[1].jpg

MD5
0e4994ae0e03d9611e7655286675f156

SHA1
e650534844a7197b328371318f288ae081448a97

SHA256
07b979b12f1cb506df7675efe227a2e78accfa1f5954af2b7bb66295e5cf881c

SHA512
07aaae5347fa8e82f86d0ba7c28127fac952d84bad3dce119654b5ba1cd2550c8d064770473f34f89fc383847b2f1594b3600d9fd01e6275d67868c41638e34a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\2672110[1].png

MD5
7dc91895d24c825c361387611f6593e9

SHA1
fc0d26031ba690ac7748c759c35005fe627beb8f

SHA256
f37ad9b56d806d06267f9a290196dfe4200edb7729b41d789b8f1ec8adc5cdbf

SHA512
ba27fdbf02294cc78ede7972f20da383c20027ab172a4ea6ad5006ff58e404032d92f875e642dfe73985428c28bbbe1befc546c2666a672afacf23195425d7c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\MSDocsHeader-DotNet[1].json

MD5
5b27339798f512c07dc7dc5375d2adac

SHA1
bdf29fa27494e9973aa2a357a042a4912cc912bb

SHA256
8ab847f2e467717c24ca2b35d83336b7d8289478ff21010a27906e12a4ec2245

SHA512
e555dc11d08cf52207e0f49e105e07b052b9d38d9aea6d9a017ae637cd19a5e4f22d90f7185ffddff50a9d63246fb9def17573981f57e511faabdc96eea521e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\f8642e01.index-docs[1].js

MD5
daac4e1a9cbf2a8ac760fb198738addf

SHA1
9fb4d19de70fc21b73e0d2d839278ea8dc36698e

SHA256
6b4d41d60615dcd43c142a4c2339d6186617214617c20b7462cc87b3baf621ed

SHA512
0d6ef7628618ab6537722577f8ee053b94c945d44d0fbd1a99bc8480a105ab6f85a00c5f7617428694c96f09cd07567e4a930c54169a0ff20a5e5fb64d3d8137

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\ms.jsll-3[1].js

MD5
a1adc22dac79bdccd4826eb07dec500c

SHA1
c456e7577677d55e28d39366b72041df6bef6f6d

SHA256
7cda7115588ca6583b6dfae0c768b9daf3815567985bd0371df95039ecb801a5

SHA512
e70b72305ec3470c77fc49958ebe4dbb98fe08947c97091b9bba6e1e1c55bd3802a33c3253898391daaecbaa3f2ab5137b1817d3a1a36e71c4b98e5b15e2ee83

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\url.min[1].js

MD5
715749b6973b4268c2993bc2b73f8faa

SHA1
405ad2061df73f752ee53623822ebaaec1f89e02

SHA256
e3f01a42ab36248bfca392804d39abfc388b3cabb22e0364526cd3e359d92c9d

SHA512
75b57a03db3aca77c857bf07ec789ea540603001279508edf4889195eadaae1dd629498d58d62a8ab7ae64669a776a0a44d10f0dd342dc863d9082e08fa4f041

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\I7ALY8OL\wcp-consent[1].js

MD5
38b769522dd0e4c2998c9034a54e174e

SHA1
d95ef070878d50342b045dcf9abd3ff4cca0aaf3

SHA256
208edbed32b2adac9446df83caa4a093a261492ba6b8b3bcfe6a75efb8b70294

SHA512
f0a10a4c1ca4bac8a2dbd41f80bbe1f83d767a4d289b149e1a7b6e7f4dba41236c5ff244350b04e2ef485fdf6eb774b9565a858331389ca3cb474172465eb3ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\24882762[2].jpg

MD5
905e1cef9ad39a2d0cba0341cd1d56b7

SHA1
0d5c98207854ba27a8933b96a820235ced711ebb

SHA256
62e14d112854a2b2b086741e52eb60713c2286cafdebdd576df02ed319aa931a

SHA512
8aa59589d2e107dd8d91db8e38778e04de1e221aa8e2b8df0ae9f738030915e4bc0039584370552799184e5edd12f7183ca7d337dd8afa6fdb3e1b5ee7d522e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\8a64e446.index-polyfills[1].js

MD5
c2838dd9c16c1d2d90afcbd2bd542ac5

SHA1
d4042ed31a2ffab7d312c66a527851b0bb8ad7a3

SHA256
aa7dd71eebadc1039eea7308114eae927fb442b27d701a670db43c5da5b551f2

SHA512
df5ad8f7d60ad5b7463192a6fc07310c3b9df443594faead2c9a19cd3da6adea9e58c01775eb9efa37d1024797a61fb45c96d40b9b0af34edd7802e937372faa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\TeX-AMS_CHTML[1].js

MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\latest[1].woff2

MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\repair-tool-no-resolution[1].png

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\template.min[1].js

MD5
6daed083086c521d306f7d9f77b8533b

SHA1
ba854384cd7984635159f57c52707fb8bb8d3b63

SHA256
b1421ef2407b4f269d9e9083a99cf3219ff24bede5deac557aaf60108f197724

SHA512
b0568c40d96dc4c3672040391fddb1afc5be52823ad460eff67c5335b40ddf7eb42ba8dbfa8bcab0004c8e23e7a51e41162a678c8ec01c6eb785091b0b9f958c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TSV6OA8I\toc[1].json

MD5
86f025aac070c2ea6e186279910c9dbf

SHA1
1df78c27dcd4bbce23577e26d61f97b60f3fca85

SHA256
c79a4a86abae68b7d082c3e3dd11f0416c9780471bfb1c2dc1d4ad1eca0d040e

SHA512
58c9c59176c9eb85e68df3237480bf86bfe2eeabc59ab842a4a75598e621e046b9ba760f236b6a55a12003244598e7fead70ff909bacee22ad1891f22343276e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1NN6EF8V.cookie

MD5
3b9ddcad2f1b7da0e858e59b19f9fde3

SHA1
874b48e5780a13332b25bd199a69ae3820ede309

SHA256
08a6eeac77c983f5fe35cf19767ea0db637bccf262c0c75065f888a9934d9aa9

SHA512
fe597c60f06222ae78be347609da03e9cc43d806fcb16b6f5d82f215d3b28ef5f1fbcbf608e0375620212552948727a552de208725664112170dd5120739d7d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\5XKKIRAJ.cookie

MD5
5f394b07f56c23f855a06a0a88cebfb1

SHA1
3119f329ad90ecd9233c74c25fb2706c68fe1fbc

SHA256
17392fda128b34fedcfe4df75a4eb9d0b9c96c4aaeb16e37d6df73f3563df9d6

SHA512
8e04bcdfce37d96cd20e07cbda2848152350226342bdf5b3b585e3f0b8a442935695de2aebcbfc53ebdd6be51a3f1c4afad35df29795c30e390bde014758687f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\971T2A7A.cookie

MD5
f44fd4ac31d69667b490319c15a9d47c

SHA1
d58b0dffdcd3f4306b76aab27f546c0a2462986c

SHA256
7dbf4f7138d7833df4fcf1dc88352a403d9060d67a759999cd5fb262207fc093

SHA512
746fcb76ec1a07247f56f5d48d357f045680ef0017744412e89a6b965a62ea943afaadc2fd09ff9f62837e0108948402398d16fe2cba05148a72194430b78930

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\E00QSCEL.cookie

MD5
25f4c6c5c82b0c3d5644753e108a4ddc

SHA1
6dcff18176c65448eceea95c12d2d4a3025ca864

SHA256
91cdbc402cd6df738e070a44b8bb20de96d5a262657b1a769b7fa40496426f33

SHA512
fc9e02727f4ea33bce08f04a48924c004d3d936900b6dbb32cdef01943f29e9d6d4db3d5f77553214c38280f342396359dc69cf2cd3df55a74cfa98f4be948b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\QQAISAFL.cookie

MD5
f238c1aabc74372e96e6e26ca66b2b86

SHA1
0320ff47a59f9278913ae9ce93d0acf6f40e7e5d

SHA256
813f6ac0166189376815726e555e4889f36e0230982b85144c761b9c2f555e61

SHA512
ab4e743f349d1b1c5917443471d108827b43c76fcf9b1457f0d04b4dd50703252b51374b6164c38d9c133be1074e373f72bc46e2425ce2886944d4cdfee6c36f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\RPRV1MQS.cookie

MD5
932331dec107f61649450e163a0cdbd9

SHA1
e804835b6532083176182e15c9014ba4c1cb6c1e

SHA256
df550d43bae94094c152225c8b50a1296c61f6657108654738a11eb70f150888

SHA512
183c076faf3e41c3ae41e6fbb9582f3b9a42fff5f180aa7cb3d5a8deea9f32c0e71b088595cd85829fed1ad51e1430d5ff230a0fcf1af71ef72c6c6c71c264c8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\T6ZA0JLL.cookie

MD5
4ecd4c0cff650b67ae8e6155d941aa60

SHA1
c622ba8ccb141f86571b3a00fffa552d14484c1a

SHA256
4e52324255e9996775c841b06fdd8e06abb9e1ff4360aafb710596d7f2d13243

SHA512
837d41a482d0fe6d017ae6678eb21a8780906c2bbdcae078319e2ba0f30428ccb9e9f80c8664b7b3a142687e9622a4c87e77de48f7990ff1dcbe52f61df10f9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Y4VD3X3P.cookie

MD5
4623f4ee6522350c6389100cf2fc5a00

SHA1
8f33d75e3fd6960cc3d29fed397bc73b4982864c

SHA256
dcca6fe2808c36cfa541480e66a5cca9993015fb661f7c204c27ab511d4d5041

SHA512
d444458f2529863c02a7f5ee2007cbd24397a578979e6a48c9e1cb6163bb6f5a6fe74c613b202f366e5c897206ff060abcb226c9e03055efe334abe0efde96db

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\AYM3MG3K\docs.microsoft[1].xml

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3

MD5
1b4f8c8e8cced9e6f9f126ef5db396ce

SHA1
539e809d6dede4dfd5c0f60678325794d92482f3

SHA256
e1234092ce82224627d86d9ab74ea563a6266b9eced5a3ecf84fa1824d822d75

SHA512
3b70088e71eb1aa044365b58945d04c2afdcf1898a58dfc917179b9c09e98ac22a8d2f428fb70a4498b0b86dc443de22a7aeeae8a8c80b2ec6f34455c104eef7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3

MD5
1b4f8c8e8cced9e6f9f126ef5db396ce

SHA1
539e809d6dede4dfd5c0f60678325794d92482f3

SHA256
e1234092ce82224627d86d9ab74ea563a6266b9eced5a3ecf84fa1824d822d75

SHA512
3b70088e71eb1aa044365b58945d04c2afdcf1898a58dfc917179b9c09e98ac22a8d2f428fb70a4498b0b86dc443de22a7aeeae8a8c80b2ec6f34455c104eef7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1

MD5
82b73370ecc38d620b05e8a1a15c608d

SHA1
8e30b6b344f0e28c3b9f8b71c6259e152445e27d

SHA256
da0ea07443d92aa4bde910139f07b1d5590065b3d2dc2fa17e6824a81ef05c35

SHA512
0cd45612726e8f7e30166e195f6111be7d2779fb85f4d6cc6da8c8849feb39ff2bb0239bae5946d26f1fcf2951314e3dc583243dc302a1e2482593073e2ccd1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

MD5
2c1c6af4b1d6212f0c82bcefb930a3be

SHA1
7de2b2e7c9d41e5dab0ff1c15d5c5d32d5025067

SHA256
4063ea0dbd8701c9fb821f7fefd618249e7968762a7847504085806319f248a1

SHA512
319a731e67aee1bc96aee3a4968be70febff2c0cb68cb0b1efa84d51827b36c3ec7ac407904db8c220efd5791227ea6762208e69ab4c07fd815c911f2987aabb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
e48e3d0d3c268ceec788c4a1593834f9

SHA1
3e2b1ca5c8def67ef0a393dc3f3a8e858705383e

SHA256
d1311d9c13d9352a0df1d2878237548a8a2c70780c8098a4a9bb40a37de7c30d

SHA512
695ce2c728d254c9b92201c14634fa04af97bfd2abc825307ecb81894986cd91a6737810aa5714da11a996ac22dada5de7b21c3fc226b0016721898887665d80

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
01d8f42f7ea882e58d58c037dc9fa4a9

SHA1
caa786f403d88ac41c2be518905f0741ac1a9fe1

SHA256
cb26a3f27208885a6c45c72d2b599a4a1cf4f61c7284ad588c867781927bf714

SHA512
ad7290c0e5536cd777b2b7568c2a007ead3503f8630f840802a53b1e370672c3fbda331e7e3b86a0674fb264664b994469d33a98de7047fd9e103408698d41d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

MD5
8452c92de8235989bafc893cf85dccde

SHA1
b6da79c46d1d13d68ec5ee44f442ec7ba7904669

SHA256
3e653788bc7dc147686eb0943bcbee5360322843506e8f1df3b963c4a445000e

SHA512
2c4dab748af8ef78924b17085b27b05421be3cf7cb6fc041af517f0ed175b0770f12e6e69617679d5e321e9291f5b2ac5f8313fe598e2be35a835c2e23aaabe7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

MD5
8452c92de8235989bafc893cf85dccde

SHA1
b6da79c46d1d13d68ec5ee44f442ec7ba7904669

SHA256
3e653788bc7dc147686eb0943bcbee5360322843506e8f1df3b963c4a445000e

SHA512
2c4dab748af8ef78924b17085b27b05421be3cf7cb6fc041af517f0ed175b0770f12e6e69617679d5e321e9291f5b2ac5f8313fe598e2be35a835c2e23aaabe7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
f8eb4dc802d78a88e0152d4fe3468a47

SHA1
5a984fa6d34c194ddedf56bdb92422ba347dfdf7

SHA256
e1107dbb0b8944991dbfe1072801fff2ff9f6759f01c0260573d4fe0cd0adcee

SHA512
73592e42883e6248981f9c8b08ae58c68e107194b5e66c65a49ea179d007c1cc0165f8550028872291300e36b69ee61be5f8ac7683227035430a04bbbf2e3f79

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
f8eb4dc802d78a88e0152d4fe3468a47

SHA1
5a984fa6d34c194ddedf56bdb92422ba347dfdf7

SHA256
e1107dbb0b8944991dbfe1072801fff2ff9f6759f01c0260573d4fe0cd0adcee

SHA512
73592e42883e6248981f9c8b08ae58c68e107194b5e66c65a49ea179d007c1cc0165f8550028872291300e36b69ee61be5f8ac7683227035430a04bbbf2e3f79

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3

MD5
84c4095723272629a65e3bb2de2b70ae

SHA1
9c3157c58e70e7c17d101af20724646d68bb1126

SHA256
620ce0c7283b76a34e808b8f73ad2a0e98fb85372e4f958acd0c33be303ec4b1

SHA512
4327c52d962b5aa69fe96b287cd27f26234fa1b866adfb7676b5bebeaeefdce1a9cb4aaf28873b41cdff71e53215f807e2d96388fbacc8fbc99da28335fbb340

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3

MD5
84c4095723272629a65e3bb2de2b70ae

SHA1
9c3157c58e70e7c17d101af20724646d68bb1126

SHA256
620ce0c7283b76a34e808b8f73ad2a0e98fb85372e4f958acd0c33be303ec4b1

SHA512
4327c52d962b5aa69fe96b287cd27f26234fa1b866adfb7676b5bebeaeefdce1a9cb4aaf28873b41cdff71e53215f807e2d96388fbacc8fbc99da28335fbb340

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1

MD5
666c5a2d7703ccddcf0010768ffbc69a

SHA1
4978629d0f3f549736288a17e9539cd69c66611e

SHA256
ee879a04652f6e346edc5402b2b16dc61f9d1f85ce1b71ba251f769580a22630

SHA512
7c5f37702bc3c2d07b5f105c469be6cdc951ed67d562f6ce0f7e613467d9c4e1704e66065cfdd80ce7153fad060cd9db021f28455b4b7386bd15dbdfaeff1a5d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1

MD5
0891f9720095926be027ce6458b31567

SHA1
de43096742d7ab0ffe75ccdd9384845d1820e065

SHA256
804c70e4e868bee5576fa5c7920025c5f06dfabc58562511ebdc3e4d5aef17ad

SHA512
9c21252b78527d2082c39fcfe31af95d89eb257b3b7cb28d02bb2cf55ee38039bafd7d9baf88fb2794f87f59014f1507bc8c3258d8f688cfdc4ffe5b65614b28

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

MD5
a1e866994d0b37911e6a269d07ef7fc5

SHA1
288f7bb190c571d6a2119215262fc3a420d87e79

SHA256
299196d1c55ac2e6f34ff5804ff0378b1e505e2f0b344ddc9d524b1e74dd9a5f

SHA512
fb4b91167c61edc6b663d455d066aece3b334758b371d862d58ac37a26fb385a36e4a4657ee9531b49b8def4eee8377a67263bb817c1c215bd4a5fe495866dbb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
f2cdf1b6d19800abd95b794eaa16c618

SHA1
58fbc26a323a1945ccbf3abff7526b6c57a693b1

SHA256
e3cf825544df052e5ca1bd9f8aa365c58200217f81326a477b8e277796088a7d

SHA512
b79c2a448f40433118259937d034dec5d929335b30fba5900bf94777a7de4d6b1e2ef3677055eeb4ad9956e1c43e5b7e1ce449cf322fc8f9472a6740c319b00c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
f2cdf1b6d19800abd95b794eaa16c618

SHA1
58fbc26a323a1945ccbf3abff7526b6c57a693b1

SHA256
e3cf825544df052e5ca1bd9f8aa365c58200217f81326a477b8e277796088a7d

SHA512
b79c2a448f40433118259937d034dec5d929335b30fba5900bf94777a7de4d6b1e2ef3677055eeb4ad9956e1c43e5b7e1ce449cf322fc8f9472a6740c319b00c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
f2cdf1b6d19800abd95b794eaa16c618

SHA1
58fbc26a323a1945ccbf3abff7526b6c57a693b1

SHA256
e3cf825544df052e5ca1bd9f8aa365c58200217f81326a477b8e277796088a7d

SHA512
b79c2a448f40433118259937d034dec5d929335b30fba5900bf94777a7de4d6b1e2ef3677055eeb4ad9956e1c43e5b7e1ce449cf322fc8f9472a6740c319b00c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
5f4fa3dc8ccfea55d34816128e0a1a7b

SHA1
7765b5895a21a55383aa7a3650b5e4577d7333bc

SHA256
81593564008db24ad818812def8f033519d56893e6f1679b5e53b102a869b53e

SHA512
1247d4584f049048ed14f833be930d49ee392e9c781bc43d65de36af99dec26aaf123e059ea7d6a8c6b355016e3a55111462db8497d013af7c6661d94341863b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
c3251bde4963b56f97bfb335451c3697

SHA1
7c8344c92965f1c02af762940f028f65b59a32f5

SHA256
c170823b4cddecf117b18ca4ea4386d855218662a8438b2385e7a24811e5b4fe

SHA512
e89697d5a09d7ef8b54befb9677ccd2f5ffb0ddbc0cd06f8b5fd5267ccb41d68cac56c312cbe2417d6ebbcea41e3881c31d8d82a6a37a3e492aae324dcece797

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

MD5
6a6d0cd5395bc139668b65ffa83e3cb9

SHA1
555e9557237ae9d1f71d1d6d8aed10cc0cafd2e1

SHA256
62e10f225ab80bd1345c9e7ec2cd0e3ab998dd55cf1f6d6fd071f44db61d7000

SHA512
0ec632eb04e69bda9527148411613772f18e5617c3fdc68128500d21dc67b2adb8d05e3f1017c8ffca4c6b5453d8aa036f53e28a7662181d689476a68891d530

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

MD5
6a6d0cd5395bc139668b65ffa83e3cb9

SHA1
555e9557237ae9d1f71d1d6d8aed10cc0cafd2e1

SHA256
62e10f225ab80bd1345c9e7ec2cd0e3ab998dd55cf1f6d6fd071f44db61d7000

SHA512
0ec632eb04e69bda9527148411613772f18e5617c3fdc68128500d21dc67b2adb8d05e3f1017c8ffca4c6b5453d8aa036f53e28a7662181d689476a68891d530

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
c79065d1412363e84c8755c7751d1bf0

SHA1
62ff83b80261112b3bb4baf89f324c0ef45bbf0e

SHA256
63d046620a4163ee4cf3870582342df23d116aa94602e4ac03883e530c906c62

SHA512
47516e865f4648718eda16500418bd5b55e8a10421cdcdde00208c50bc72ee947d9426675ac2b365f31658d8d8384b54cbd79d1ffa1a3ee24954bef3a7009931

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
df76e12ace72a428ca4e97b2a8e9aaaa

SHA1
7ff4a891702ef97a3ab97e6dab254a90396dd0d7

SHA256
45aa581382fc887732ba19c3feef18dceb8a972dc256ac6c1dc409e37b9c4a49

SHA512
86fc5e88c2505e5676572d2ef9ea2bae60841d25bc29d834e4b03a3708e2eff2e69a28f1e2a305ea00412d8f326130a0c96f032b7f949f18d58079db943a81dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
df76e12ace72a428ca4e97b2a8e9aaaa

SHA1
7ff4a891702ef97a3ab97e6dab254a90396dd0d7

SHA256
45aa581382fc887732ba19c3feef18dceb8a972dc256ac6c1dc409e37b9c4a49

SHA512
86fc5e88c2505e5676572d2ef9ea2bae60841d25bc29d834e4b03a3708e2eff2e69a28f1e2a305ea00412d8f326130a0c96f032b7f949f18d58079db943a81dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
df76e12ace72a428ca4e97b2a8e9aaaa

SHA1
7ff4a891702ef97a3ab97e6dab254a90396dd0d7

SHA256
45aa581382fc887732ba19c3feef18dceb8a972dc256ac6c1dc409e37b9c4a49

SHA512
86fc5e88c2505e5676572d2ef9ea2bae60841d25bc29d834e4b03a3708e2eff2e69a28f1e2a305ea00412d8f326130a0c96f032b7f949f18d58079db943a81dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
memory/408-140-0x0000000005450000-0x000000000594E000-memory.dmp

Filesize
5.0MB

Download
memory/408-130-0x0000000000000000-mapping.dmp

Download
memory/488-120-0x00000000050F0000-0x00000000050FE000-memory.dmp

Filesize
56KB

Download
memory/488-114-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/488-116-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/488-117-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/488-118-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/488-119-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/488-123-0x000000000AF30000-0x000000000AFF9000-memory.dmp

Filesize
804KB

Download
memory/488-122-0x0000000008730000-0x000000000882D000-memory.dmp

Filesize
1012KB

Download
memory/488-121-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/564-153-0x000000000054A3EE-mapping.dmp

Download
memory/688-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/688-125-0x000000000042EEEF-mapping.dmp

Download
memory/688-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1800-147-0x000000000054A3EE-mapping.dmp

Download
memory/1800-146-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2100-129-0x0000000000000000-mapping.dmp

Download
memory/2364-225-0x000000000054A3EE-mapping.dmp

Download
memory/2664-127-0x0000000000000000-mapping.dmp

Download
memory/3188-144-0x000000000042EEEF-mapping.dmp

Download
memory/3188-150-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4948-219-0x000000000054A3EE-mapping.dmp

Download
memory/5472-231-0x000000000054A3EE-mapping.dmp

Download
memory/5684-243-0x000000000054A3EE-mapping.dmp

Download
memory/5904-237-0x000000000054A3EE-mapping.dmp

Download