remcos | 379d64b633cf00cd32b301610d7b8a5808d6f48171b1e5ed93f77ca3a38d0b22

Analysis

max time kernel
157s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
Size

275KB
MD5

eb0755f5ec28980f4f492b579db4d5d9
SHA1

1ccb7d6603ecae8ecb19a15201d541b2a2b59eba
SHA256

5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357
SHA512

d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Score

10^/10

remcos contacts microsoft persistence phishing rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

CONTACTS

194.5.97.48:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-FF7IUM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

remcos.exeremcos.exeremcos.exeremcos.exeremcos.exe

pid process

4388 remcos.exe
3472 remcos.exe
1208 remcos.exe
4284 remcos.exe
3972 remcos.exe

pid	process
4388	remcos.exe
3472	remcos.exe
1208	remcos.exe
4284	remcos.exe
3972	remcos.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 10 IoCs

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1664 set thread context of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 4388 set thread context of 3972	4388	remcos.exe	remcos.exe
PID 3972 set thread context of 1568	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 5116	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 1148	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 1456	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 4248	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 4536	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 1424	3972	remcos.exe	svchost.exe
PID 3972 set thread context of 400	3972	remcos.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exeremcos.exemsedge.exemsedge.exemsedge.exe

pid	process
1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
4388	remcos.exe
4388	remcos.exe
4388	remcos.exe
4388	remcos.exe
4388	remcos.exe
4388	remcos.exe
1240	msedge.exe
1240	msedge.exe
4416	msedge.exe
4416	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exeremcos.exe

description	pid	process
Token: SeDebugPrivilege	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
Token: SeDebugPrivilege	4388	remcos.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3616 msedge.exe
3616 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3972 remcos.exe

pid	process
3972	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exePurchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exeWScript.execmd.exeremcos.exeremcos.exesvchost.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1664 wrote to memory of 4956	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 4956	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 4956	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 1664 wrote to memory of 456	1664	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
PID 456 wrote to memory of 4084	456	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	WScript.exe
PID 456 wrote to memory of 4084	456	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	WScript.exe
PID 456 wrote to memory of 4084	456	Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe	WScript.exe
PID 4084 wrote to memory of 2016	4084	WScript.exe	cmd.exe
PID 4084 wrote to memory of 2016	4084	WScript.exe	cmd.exe
PID 4084 wrote to memory of 2016	4084	WScript.exe	cmd.exe
PID 2016 wrote to memory of 4388	2016	cmd.exe	remcos.exe
PID 2016 wrote to memory of 4388	2016	cmd.exe	remcos.exe
PID 2016 wrote to memory of 4388	2016	cmd.exe	remcos.exe
PID 4388 wrote to memory of 3472	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3472	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3472	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 1208	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 1208	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 1208	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 4284	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 4284	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 4284	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 4388 wrote to memory of 3972	4388	remcos.exe	remcos.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 1568	3972	remcos.exe	svchost.exe
PID 1568 wrote to memory of 3616	1568	svchost.exe	msedge.exe
PID 1568 wrote to memory of 3616	1568	svchost.exe	msedge.exe
PID 3616 wrote to memory of 968	3616	msedge.exe	msedge.exe
PID 3616 wrote to memory of 968	3616	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4224	1568	svchost.exe	msedge.exe
PID 1568 wrote to memory of 4224	1568	svchost.exe	msedge.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe
PID 4224 wrote to memory of 4264	4224	msedge.exe	msedge.exe
PID 4224 wrote to memory of 4264	4224	msedge.exe	msedge.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe
PID 3972 wrote to memory of 5116	3972	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
"{path}"
2⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\Purchase_Order#PO7211A20_RFQ_Hangzhou_Zhongniu_Import_Export_Co.exe
"{path}"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
9⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
9⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
9⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
9⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
9⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
9⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
9⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
9⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5668 /prefetch:8
9⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
9⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
9⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
9⤵
PID:480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7084 /prefetch:8
9⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
9⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1
9⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
9⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
9⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
9⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7972 /prefetch:1
9⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
9⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
9⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11682014686085520680,5400579967461736186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8224 /prefetch:8
9⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10160429838915813049,2897825099170326617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
9⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,10160429838915813049,2897825099170326617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:5072

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x74,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:5000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:2652

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:3712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:1820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:4932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xc0,0x104,0x7ffb50df46f8,0x7ffb50df4708,0x7ffb50df4718
9⤵
PID:2684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:4516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
86e5931bb76e39a4b31fc0ad769c22b2

SHA1
ae2bfd27c609cfe509b398874fdb3df448d0ccb6

SHA256
cfa2eadcb43d3cef400f5c6055e7e56b08770b144365a9cb8ff6e5da52074d60

SHA512
70c726e8a8a47a7bcf0af10a07753c7bd877150b135fc11130d1ad9d69aab2028364edda20108d0f0ce47184c96ea0b3c621f83178f01da1ba7d34e6d0e30744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
136ba521784a8ce47a3850452207b885

SHA1
b654f686e5c96c5d4300bc81822c22c0928fe1cd

SHA256
8fb5921945889e17a35d67a61a81a767323f57fe0edd07a1fa6dadbd62669117

SHA512
619f1e14e419c77e511e27d55116b66a934ba550893a794d274a35c02d0d0e9a177eef2b7ec5f40a821a5c501bb000872822fd5a41d71d209a6dc23ed88e11bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
55d7db76db4af1480d3a012330eec40c

SHA1
c9d15d65087b9b7c53448a397167d6cc61175c2a

SHA256
98388f861312b29ac348110ae562d5aaa63a1a42a5bfb5cd44e73e3f3507adf0

SHA512
d2044010f84e80823b7168536f4f0a398f8833956dda5d27c9521010bd8d201013589aeb905cda5f186ca5a3c3e9c06719f3f8ca53cb12c373e3f19ba2eafbaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
732f83504dba0c7145ce281100f463f6

SHA1
d001b7606cc4d00919c00d6a459c609bd6eff259

SHA256
72aaf4b91e8dcc8f5c6280c8e1764b7f259f5044a1036f67a3bb9d9eb4e87cd0

SHA512
8f1949212d4d9bab060db554a3905a3dc1fa5d4543f4a25331dd7b6214b3c35029ac722d8523c972b3506a17281eb320071976d859c210159b19a8148f98f8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
276bdc7e03be9360feffecaec2538675

SHA1
5959a5592d98337e392fd42276803203edd59463

SHA256
41b635463c2e250188d7fede1f2469893af4302c9369fbc73b79c17988d3aa1f

SHA512
78a71fd2a0cd531b936aa9f3404ab55aecabcc8da048057538ee98a59ea50c62e8abce9c4324a7c1b679d8f9f5defd19400da3728e8350a94acaf48affcbd7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
276bdc7e03be9360feffecaec2538675

SHA1
5959a5592d98337e392fd42276803203edd59463

SHA256
41b635463c2e250188d7fede1f2469893af4302c9369fbc73b79c17988d3aa1f

SHA512
78a71fd2a0cd531b936aa9f3404ab55aecabcc8da048057538ee98a59ea50c62e8abce9c4324a7c1b679d8f9f5defd19400da3728e8350a94acaf48affcbd7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
3d82a2bb8ae4785943e6e7a14412f474

SHA1
af5e0cde6d0a747738c5d86b231312711a2c4624

SHA256
29bd8b563495e5ed63b7a11c073a2c556f496a0877b981c81796a045688e3e7a

SHA512
155177e62a09870a7551f07106ed8e718bf99697e2897a4a05941859bdc278cb77a74eba80c96dbf9081e4cf6313a4ba81e6ce71549397745c0e34d34a7fb9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
0560a7584ae78ed2364c7c77375b2966

SHA1
b8c2f13a6e8322c3cbe344ec722a9b679cb1f4dc

SHA256
f69495609352e7ea6b221043e88e488b59d3127dec22a92997d46634feddb8e8

SHA512
e68e9a1db6f3c57368ffee8b2041af4cffbcdd8f2ede0339c2df71db37bd81f15bd578f2f694ed9cddc65c4038853773d7a123bca2b078d8d50a01e9144e04d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637886962631232470
Filesize
4KB

MD5
a567f5864dc99f2e1ec052e7e0fbc58f

SHA1
56ec2357c25652b6308c4bdffc6ce6cba2f051f0

SHA256
f781f61d19dfb399e4af3ae115b65a3692e85247254805ede5f58ab5a608b00a

SHA512
b9eb27a4b55c58e04ee74487019bd106cfb5125770f38d83094f0d38723eeb2c9e42183b876eceb582a553498d4ece1500f7d5fd5d62c8107da2c3a28402fa8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
275KB

MD5
eb0755f5ec28980f4f492b579db4d5d9

SHA1
1ccb7d6603ecae8ecb19a15201d541b2a2b59eba

SHA256
5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357

SHA512
d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
275KB

MD5
eb0755f5ec28980f4f492b579db4d5d9

SHA1
1ccb7d6603ecae8ecb19a15201d541b2a2b59eba

SHA256
5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357

SHA512
d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
275KB

MD5
eb0755f5ec28980f4f492b579db4d5d9

SHA1
1ccb7d6603ecae8ecb19a15201d541b2a2b59eba

SHA256
5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357

SHA512
d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
275KB

MD5
eb0755f5ec28980f4f492b579db4d5d9

SHA1
1ccb7d6603ecae8ecb19a15201d541b2a2b59eba

SHA256
5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357

SHA512
d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
275KB

MD5
eb0755f5ec28980f4f492b579db4d5d9

SHA1
1ccb7d6603ecae8ecb19a15201d541b2a2b59eba

SHA256
5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357

SHA512
d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
275KB

MD5
eb0755f5ec28980f4f492b579db4d5d9

SHA1
1ccb7d6603ecae8ecb19a15201d541b2a2b59eba

SHA256
5bf321a896fab855e09057d986bb3ac868a7d0a2aad468dd5dba498c6ed18357

SHA512
d728d2f367a3cefdbd47509b3a5f9db5dbd0d16f279aa87f17c78122302824c83fbfa948b2d8e9e088569792a6d65975279f565bcd5cf6e4fb545a1cb111ae1e

Download Submit
\??\pipe\LOCAL\crashpad_3616_BLJXPRSZHYNCGDQF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4224_VFCFULHQVYPFQNQU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-215-0x0000000000000000-mapping.dmp

Download
memory/456-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/456-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/456-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/456-132-0x0000000000000000-mapping.dmp

Download
memory/480-226-0x0000000000000000-mapping.dmp

Download
memory/636-237-0x0000000000000000-mapping.dmp

Download
memory/968-159-0x0000000000000000-mapping.dmp

Download
memory/1148-186-0x0000000000000000-mapping.dmp

Download
memory/1180-206-0x0000000000000000-mapping.dmp

Download
memory/1208-146-0x0000000000000000-mapping.dmp

Download
memory/1240-167-0x0000000000000000-mapping.dmp

Download
memory/1300-239-0x0000000000000000-mapping.dmp

Download
memory/1444-218-0x0000000000000000-mapping.dmp

Download
memory/1456-221-0x0000000000000000-mapping.dmp

Download
memory/1528-208-0x0000000000000000-mapping.dmp

Download
memory/1568-155-0x0000000000000000-mapping.dmp

Download
memory/1568-156-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1664-130-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1732-230-0x0000000000000000-mapping.dmp

Download
memory/1776-193-0x0000000000000000-mapping.dmp

Download
memory/1820-258-0x0000000000000000-mapping.dmp

Download
memory/2016-139-0x0000000000000000-mapping.dmp

Download
memory/2088-202-0x0000000000000000-mapping.dmp

Download
memory/2100-177-0x0000000000000000-mapping.dmp

Download
memory/2276-260-0x0000000000000000-mapping.dmp

Download
memory/2652-243-0x0000000000000000-mapping.dmp

Download
memory/2968-240-0x0000000000000000-mapping.dmp

Download
memory/3268-236-0x0000000000000000-mapping.dmp

Download
memory/3392-217-0x0000000000000000-mapping.dmp

Download
memory/3472-144-0x0000000000000000-mapping.dmp

Download
memory/3616-158-0x0000000000000000-mapping.dmp

Download
memory/3624-242-0x0000000000000000-mapping.dmp

Download
memory/3684-255-0x0000000000000000-mapping.dmp

Download
memory/3704-249-0x0000000000000000-mapping.dmp

Download
memory/3712-245-0x0000000000000000-mapping.dmp

Download
memory/3716-172-0x0000000000000000-mapping.dmp

Download
memory/3812-228-0x0000000000000000-mapping.dmp

Download
memory/3820-200-0x0000000000000000-mapping.dmp

Download
memory/3972-150-0x0000000000000000-mapping.dmp

Download
memory/3972-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3972-157-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4068-204-0x0000000000000000-mapping.dmp

Download
memory/4084-136-0x0000000000000000-mapping.dmp

Download
memory/4224-160-0x0000000000000000-mapping.dmp

Download
memory/4248-246-0x0000000000000000-mapping.dmp

Download
memory/4264-162-0x0000000000000000-mapping.dmp

Download
memory/4284-148-0x0000000000000000-mapping.dmp

Download
memory/4348-263-0x0000000000000000-mapping.dmp

Download
memory/4388-140-0x0000000000000000-mapping.dmp

Download
memory/4388-143-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4416-173-0x0000000000000000-mapping.dmp

Download
memory/4536-256-0x0000000000000000-mapping.dmp

Download
memory/4544-251-0x0000000000000000-mapping.dmp

Download
memory/4552-178-0x0000000000000000-mapping.dmp

Download
memory/4564-194-0x0000000000000000-mapping.dmp

Download
memory/4592-252-0x0000000000000000-mapping.dmp

Download
memory/4604-253-0x0000000000000000-mapping.dmp

Download
memory/4708-210-0x0000000000000000-mapping.dmp

Download
memory/4716-166-0x0000000000000000-mapping.dmp

Download
memory/4932-264-0x0000000000000000-mapping.dmp

Download
memory/4956-234-0x0000000000000000-mapping.dmp

Download
memory/4956-131-0x0000000000000000-mapping.dmp

Download
memory/4980-224-0x0000000000000000-mapping.dmp

Download
memory/5000-219-0x0000000000000000-mapping.dmp

Download
memory/5016-170-0x0000000000000000-mapping.dmp

Download
memory/5052-184-0x0000000000000000-mapping.dmp

Download
memory/5072-185-0x0000000000000000-mapping.dmp

Download
memory/5080-232-0x0000000000000000-mapping.dmp

Download
memory/5088-259-0x0000000000000000-mapping.dmp

Download
memory/5112-212-0x0000000000000000-mapping.dmp

Download
memory/5116-161-0x0000000000000000-mapping.dmp

Download