remcos | 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b

Analysis

max time kernel
222s
max time network
237s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Size

774KB
MD5

2479c3d14c7d3127b996787da9222db4
SHA1

46a343df094095b8edfcf85f7f5604c9b5619feb
SHA256

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b
SHA512

f118b9e83452722f8c0ae14b6c6622b3eaf4605a0fd927f26c744ed8c30c52aae210c246f3ab3ca3574e49767e65c55485d300916faeaed5aef88d0f17bc0642
SSDEEP

24576:WloNG3Dp09hOX3Mq3jaXhMsFjCshXMQJvTEzNksiD1:WV3DW9hWcqT8Xh8EbG

Score

10^/10

remcos sunshine persistence rat

Malware Config

Extracted

Family

remcos

Botnet

sunshine

sunshine08.ddns.net:5687

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BQS99W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E84B069075A54125AA11CD0ED16723FD = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe\""	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exeCasPol.exe

description	pid	process	target process
PID 3896 set thread context of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 2212 set thread context of 3164	2212	CasPol.exe	svchost.exe
PID 2212 set thread context of 1168	2212	CasPol.exe	svchost.exe
PID 2212 set thread context of 872	2212	CasPol.exe	svchost.exe
PID 2212 set thread context of 820	2212	CasPol.exe	svchost.exe
PID 2212 set thread context of 5016	2212	CasPol.exe	svchost.exe
PID 2212 set thread context of 3740	2212	CasPol.exe	svchost.exe
PID 2212 set thread context of 5232	2212	CasPol.exe	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
904	msedge.exe
904	msedge.exe
4988	msedge.exe
4988	msedge.exe
4892	msedge.exe
4892	msedge.exe
2920	msedge.exe
2920	msedge.exe
3644	msedge.exe
3644	msedge.exe
4080	msedge.exe
4080	msedge.exe
6132	msedge.exe
6132	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CasPol.exe

pid process

2212 CasPol.exe
2212 CasPol.exe
2212 CasPol.exe
2212 CasPol.exe
2212 CasPol.exe
2212 CasPol.exe
2212 CasPol.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4384 msedge.exe
4384 msedge.exe
4384 msedge.exe
4384 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description pid process

Token: SeDebugPrivilege 3896 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msedge.exe

pid process

4384 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CasPol.exe

pid process

2212 CasPol.exe

pid	process
2212	CasPol.exe
2212	CasPol.exe
2212	CasPol.exe
2212	CasPol.exe
2212	CasPol.exe
2212	CasPol.exe
2212	CasPol.exe

pid	process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

description	pid	process
Token: SeDebugPrivilege	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

pid	process
4384	msedge.exe

pid	process
2212	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exeCasPol.exesvchost.exemsedge.exemsedge.exesvchost.exemsedge.exemsedge.exesvchost.exemsedge.exemsedge.exesvchost.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 3896 wrote to memory of 2212	3896	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 2212 wrote to memory of 3164	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 3164	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 3164	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 3164	2212	CasPol.exe	svchost.exe
PID 3164 wrote to memory of 3856	3164	svchost.exe	msedge.exe
PID 3164 wrote to memory of 3856	3164	svchost.exe	msedge.exe
PID 3856 wrote to memory of 3172	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3172	3856	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2872	3164	svchost.exe	msedge.exe
PID 3164 wrote to memory of 2872	3164	svchost.exe	msedge.exe
PID 2872 wrote to memory of 4404	2872	msedge.exe	msedge.exe
PID 2872 wrote to memory of 4404	2872	msedge.exe	msedge.exe
PID 2212 wrote to memory of 1168	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 1168	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 1168	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 1168	2212	CasPol.exe	svchost.exe
PID 1168 wrote to memory of 1744	1168	svchost.exe	msedge.exe
PID 1168 wrote to memory of 1744	1168	svchost.exe	msedge.exe
PID 1744 wrote to memory of 2868	1744	msedge.exe	msedge.exe
PID 1744 wrote to memory of 2868	1744	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2852	1168	svchost.exe	msedge.exe
PID 1168 wrote to memory of 2852	1168	svchost.exe	msedge.exe
PID 2852 wrote to memory of 2488	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 2488	2852	msedge.exe	msedge.exe
PID 2212 wrote to memory of 872	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 872	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 872	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 872	2212	CasPol.exe	svchost.exe
PID 872 wrote to memory of 4848	872	svchost.exe	msedge.exe
PID 872 wrote to memory of 4848	872	svchost.exe	msedge.exe
PID 4848 wrote to memory of 4728	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4728	4848	msedge.exe	msedge.exe
PID 872 wrote to memory of 4384	872	svchost.exe	msedge.exe
PID 872 wrote to memory of 4384	872	svchost.exe	msedge.exe
PID 4384 wrote to memory of 1248	4384	msedge.exe	msedge.exe
PID 4384 wrote to memory of 1248	4384	msedge.exe	msedge.exe
PID 2212 wrote to memory of 820	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 820	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 820	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 820	2212	CasPol.exe	svchost.exe
PID 820 wrote to memory of 4032	820	svchost.exe	msedge.exe
PID 820 wrote to memory of 4032	820	svchost.exe	msedge.exe
PID 4032 wrote to memory of 3608	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 3608	4032	msedge.exe	msedge.exe
PID 820 wrote to memory of 3132	820	svchost.exe	msedge.exe
PID 820 wrote to memory of 3132	820	svchost.exe	msedge.exe
PID 3132 wrote to memory of 4432	3132	msedge.exe	msedge.exe
PID 3132 wrote to memory of 4432	3132	msedge.exe	msedge.exe
PID 2212 wrote to memory of 5016	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 5016	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 5016	2212	CasPol.exe	svchost.exe
PID 2212 wrote to memory of 5016	2212	CasPol.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
"C:\Users\Admin\AppData\Local\Temp\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4197845116250372855,3406140830450825760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
5⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4197845116250372855,3406140830450825760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1619433416406899263,18423125938785302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1619433416406899263,18423125938785302219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
5⤵
PID:4688

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5210270389604693134,3425199715341697197,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
5⤵
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5210270389604693134,3425199715341697197,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,16989014064193308705,8507781065355377525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,16989014064193308705,8507781065355377525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
5⤵
PID:2628

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x40,0xfc,0x100,0xdc,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9358907167218351064,5715596161783489105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9358907167218351064,5715596161783489105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
5⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
5⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
5⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
5⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
5⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
5⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4235716317971324897,14416474133579800994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
5⤵
PID:5692

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,17667116285180697438,11047102377263760392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,17667116285180697438,11047102377263760392,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
5⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9280592103488414068,12343584086666198493,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
5⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9280592103488414068,12343584086666198493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
5⤵
PID:4244

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xa4,0x108,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11142543409423013956,673669954067684291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
5⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11142543409423013956,673669954067684291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
5⤵
PID:4520

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99e7046f8,0x7ff99e704708,0x7ff99e704718
5⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4268

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:5232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B
Filesize
246B

MD5
0a91a19ac69cc402a40278fc0e19a8ca

SHA1
78ceb13228fb424f5abe420e0b2531709040fdac

SHA256
b9090b75d959c504bed0ce744970597a09a1090a211646cfa14b5c4c8fb66ee7

SHA512
6e6d12393102e91ec8684322aa67674d75fa1f45d37827b593e74ed77a2dcf4b425085769e32e8ece705a98ad7cd27fb8b9d59fb3eb93295a25a77871874b158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3094b3540e86dda2ae226edbb6bc20e3

SHA1
ff0b2ec16ad6417a1a85cbadaa3e2d254a2de448

SHA256
c553337469178f554e8c03d87dbf0a370eb306c5c49074128608009c4b9d8a3d

SHA512
10d986fc4d2f0e65d0ab73d9681090f1662e01c802e66ae6fd61124f4a0849c45b48e5147676e5b57b814a993add4438f8870679b1a67fb609fd7f9162a41609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3094b3540e86dda2ae226edbb6bc20e3

SHA1
ff0b2ec16ad6417a1a85cbadaa3e2d254a2de448

SHA256
c553337469178f554e8c03d87dbf0a370eb306c5c49074128608009c4b9d8a3d

SHA512
10d986fc4d2f0e65d0ab73d9681090f1662e01c802e66ae6fd61124f4a0849c45b48e5147676e5b57b814a993add4438f8870679b1a67fb609fd7f9162a41609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
51f073fcff4baefbd1d8aad09b471fe2

SHA1
72bfb60bc66cdcda51d7e36486b54ce1fc4bca0c

SHA256
6a6a173e58b368c2100a6350742a664d1cc4b6a0bdeabafa3736755cc215b708

SHA512
bf5781f842c20321fc49427ffd0673b1cb4a68a18b94fc6f354513994404d6d9115cc9e6c40937df22ce9aa581a84d506431d7e1628ee25543477281e291fd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
51f073fcff4baefbd1d8aad09b471fe2

SHA1
72bfb60bc66cdcda51d7e36486b54ce1fc4bca0c

SHA256
6a6a173e58b368c2100a6350742a664d1cc4b6a0bdeabafa3736755cc215b708

SHA512
bf5781f842c20321fc49427ffd0673b1cb4a68a18b94fc6f354513994404d6d9115cc9e6c40937df22ce9aa581a84d506431d7e1628ee25543477281e291fd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
4b70326e13274174979ddbc074841c75

SHA1
f8c589a7b19ed463cff0a4d2c6ee45e376316d5b

SHA256
903428c22dbb140713e619d7344b8202acd3d2752393571171044d92ff6f6ddb

SHA512
a6add03390d97562a40a22ea88c5fee929814d78254c10b4a0a33d12742d9039a9f6091f38ff1e11a6746c06dc123084f74fc31353b03d1592fbbaa4cadf46cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a62968f9d8ae5fa0d00b23afe2f5720b

SHA1
06fc2ed484b9f8b515c3dae18972d7f9ae9cf49f

SHA256
35e751aba09693d552ea4d63e1a4187bd160f56dfa9352eea94186e4afca1046

SHA512
26ec18949fecfb6868d6f18b875a9977a45081a611dce43d8eca11f1610ead16774048fcdf4a42f4ec9eeb5ac3cd1adb5d397f05d109a9db1b5fee8883f5db72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
598659a81766c67cda2cbf604b57717a

SHA1
5202ddd5c190f28d1e15ea93f590b4a784cdb966

SHA256
7e51d5ef71ab8bad7e1125dc7d38e669305a2210d03e488760df780ae591d39a

SHA512
b476285258b8138469ba182a0c0915a9fb238f03153957dccd7cab158d235b326fca51a2ab6741221813e5fe49b5eadd4effd77990fd6339775e4d866de42259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
774e3c99382d733fc2b7b0ab7327d410

SHA1
4857d727d5fe84b023e24af8dbc759f619c14147

SHA256
9135d1ec75d777eb2755b18807254232d15c21da589489ee10049e5427f7e3e6

SHA512
96dfdb1b2cf4eb62662e2d9bb4f4521f3a6bbe8ac2c077b2cded2ca72f52e6894c57d0081fff49fea8d85cf2fed8eba9ef81a16c8fd912eefdbcc18c82c9209e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
da62c17e23af363569157998f64ab0d1

SHA1
681b993211289a493bc7eb4619e777b1f227cb96

SHA256
95d437c6068c8d5da023b0960f1b55aad728ea7d980e09c89866f3ac3c0286cb

SHA512
0cd05411849610d33c5d54349aaa29de23de2f69ff9334f4e901a0c29cdea8fdcdb7c520ae99490932f76d35a6dbb9e70aacb6e945db67b0bd5d7ed39271e4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
774e3c99382d733fc2b7b0ab7327d410

SHA1
4857d727d5fe84b023e24af8dbc759f619c14147

SHA256
9135d1ec75d777eb2755b18807254232d15c21da589489ee10049e5427f7e3e6

SHA512
96dfdb1b2cf4eb62662e2d9bb4f4521f3a6bbe8ac2c077b2cded2ca72f52e6894c57d0081fff49fea8d85cf2fed8eba9ef81a16c8fd912eefdbcc18c82c9209e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a62968f9d8ae5fa0d00b23afe2f5720b

SHA1
06fc2ed484b9f8b515c3dae18972d7f9ae9cf49f

SHA256
35e751aba09693d552ea4d63e1a4187bd160f56dfa9352eea94186e4afca1046

SHA512
26ec18949fecfb6868d6f18b875a9977a45081a611dce43d8eca11f1610ead16774048fcdf4a42f4ec9eeb5ac3cd1adb5d397f05d109a9db1b5fee8883f5db72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
598659a81766c67cda2cbf604b57717a

SHA1
5202ddd5c190f28d1e15ea93f590b4a784cdb966

SHA256
7e51d5ef71ab8bad7e1125dc7d38e669305a2210d03e488760df780ae591d39a

SHA512
b476285258b8138469ba182a0c0915a9fb238f03153957dccd7cab158d235b326fca51a2ab6741221813e5fe49b5eadd4effd77990fd6339775e4d866de42259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
4b70326e13274174979ddbc074841c75

SHA1
f8c589a7b19ed463cff0a4d2c6ee45e376316d5b

SHA256
903428c22dbb140713e619d7344b8202acd3d2752393571171044d92ff6f6ddb

SHA512
a6add03390d97562a40a22ea88c5fee929814d78254c10b4a0a33d12742d9039a9f6091f38ff1e11a6746c06dc123084f74fc31353b03d1592fbbaa4cadf46cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
15361cc8adf2e3dc282c9f6139f9a2ce

SHA1
c18fa560d8f9b372c304d61370b11e6144d52d39

SHA256
0f73c7f64a61cfbdccb3f1a09a523af1c8acfb9a751d55b692169aba48fafaad

SHA512
b88bd6985ae3bd6ad7ca4008196abc81c457c22632b3855a3d590ecbd991e6ba7e4706cba91c311e1521d4988ab334ecc1eb3619227c28f2787141a23637be83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638059218506389375
Filesize
4KB

MD5
60d46ee5f088a57ab6bf82fe126cd98d

SHA1
45f7aeb5de37f94029f659f7f70ae362613e8991

SHA256
8e6ebc5713a43490f821a79d0c6a0a7f9ca39d3e15487db01abdd863a6005261

SHA512
d956d2de9d68ab51f19ea89df8fe693b80a82f4a608e496d7e31bcd55ef6c77fe2f4bfcf003f159ed1dec6392d40003366697c8de503cb62e21c8df256c01cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
\??\pipe\LOCAL\crashpad_1744_NEVRBUCCBZYYGZQI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2852_LFHCMTFWZJGJEJZN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2872_QYXANBDKGXFKQXWF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3132_WVCWLJRZJXFITAUW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3856_FGGHEKRVCIXMJZVJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4032_BDIZPTGUBXLQFPAZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4384_FCWSZDLIWYUJVPWX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4848_CSBLOMTEWVSHVQXH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/820-161-0x0000000000000000-mapping.dmp

Download
memory/872-153-0x0000000000000000-mapping.dmp

Download
memory/904-193-0x0000000000000000-mapping.dmp

Download
memory/1168-147-0x0000000000000000-mapping.dmp

Download
memory/1248-160-0x0000000000000000-mapping.dmp

Download
memory/1396-190-0x0000000000000000-mapping.dmp

Download
memory/1744-148-0x0000000000000000-mapping.dmp

Download
memory/1948-226-0x0000000000000000-mapping.dmp

Download
memory/2212-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2212-135-0x000000000043292E-mapping.dmp

Download
memory/2212-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2488-152-0x0000000000000000-mapping.dmp

Download
memory/2628-187-0x0000000000000000-mapping.dmp

Download
memory/2852-151-0x0000000000000000-mapping.dmp

Download
memory/2856-244-0x0000000000000000-mapping.dmp

Download
memory/2868-149-0x0000000000000000-mapping.dmp

Download
memory/2872-144-0x0000000000000000-mapping.dmp

Download
memory/2920-198-0x0000000000000000-mapping.dmp

Download
memory/3132-171-0x0000000000000000-mapping.dmp

Download
memory/3164-139-0x0000000000000000-mapping.dmp

Download
memory/3172-143-0x0000000000000000-mapping.dmp

Download
memory/3236-242-0x0000000000000000-mapping.dmp

Download
memory/3284-188-0x0000000000000000-mapping.dmp

Download
memory/3368-241-0x0000000000000000-mapping.dmp

Download
memory/3608-169-0x0000000000000000-mapping.dmp

Download
memory/3644-194-0x0000000000000000-mapping.dmp

Download
memory/3740-243-0x0000000000000000-mapping.dmp

Download
memory/3856-142-0x0000000000000000-mapping.dmp

Download
memory/3896-133-0x00007FF99E610000-0x00007FF99F0D1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-132-0x0000016B6F1E0000-0x0000016B6F2A4000-memory.dmp

Filesize
784KB

Download
memory/3896-138-0x00007FF99E610000-0x00007FF99F0D1000-memory.dmp

Filesize
10.8MB

Download
memory/3968-202-0x0000000000000000-mapping.dmp

Download
memory/4032-168-0x0000000000000000-mapping.dmp

Download
memory/4080-196-0x0000000000000000-mapping.dmp

Download
memory/4244-227-0x0000000000000000-mapping.dmp

Download
memory/4268-258-0x0000000000000000-mapping.dmp

Download
memory/4352-252-0x0000000000000000-mapping.dmp

Download
memory/4384-159-0x0000000000000000-mapping.dmp

Download
memory/4404-145-0x0000000000000000-mapping.dmp

Download
memory/4432-172-0x0000000000000000-mapping.dmp

Download
memory/4520-253-0x0000000000000000-mapping.dmp

Download
memory/4688-192-0x0000000000000000-mapping.dmp

Download
memory/4724-191-0x0000000000000000-mapping.dmp

Download
memory/4728-156-0x0000000000000000-mapping.dmp

Download
memory/4848-155-0x0000000000000000-mapping.dmp

Download
memory/4892-197-0x0000000000000000-mapping.dmp

Download
memory/4908-189-0x0000000000000000-mapping.dmp

Download
memory/4988-195-0x0000000000000000-mapping.dmp

Download
memory/5016-173-0x0000000000000000-mapping.dmp

Download
memory/5116-256-0x0000000000000000-mapping.dmp

Download
memory/5232-259-0x0000000000000000-mapping.dmp

Download
memory/5572-237-0x0000000000000000-mapping.dmp

Download
memory/5692-207-0x0000000000000000-mapping.dmp

Download
memory/5692-255-0x0000000000000000-mapping.dmp

Download
memory/5716-208-0x0000000000000000-mapping.dmp

Download
memory/5956-257-0x0000000000000000-mapping.dmp

Download
memory/5984-219-0x0000000000000000-mapping.dmp

Download
memory/6020-239-0x0000000000000000-mapping.dmp

Download
memory/6132-223-0x0000000000000000-mapping.dmp

Download