remcos | f6c8e461b7d3452351bb118c2ed32f0479ba7924cf1fa9ba13e69a2edfc7ac7e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382410201721.exe
Size

972KB
MD5

53ee3e51b223773a7db458eba4bd0528
SHA1

5ead7b026aa51ba272548be89118991378f54fb3
SHA256

941d7828d89da175afca52906a1e519707a09685f30332937917505fa8999f87
SHA512

90d7f487adbc5af048cf6c8bbbe4f1997201fbb7bec28a44c55c3a5009995b9377bc09bb48bd62244eecd0910b1e16cc2f7361e2dae195b95d0271ec1e7cc0ad
SSDEEP

12288:bmQWhajfdJLszbiBtI4h9vBGY+RC+dCmFZ59QM8/z+Tw6MapxpYDVp+aN/trfwjY:bk6fdJoqBBy9C0CmAdzBtQXofgxy

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.0 Pro

Botnet

RemoteHost

fgtrert.duckdns.org:8494

qweerreww.duckdns.org:8494

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-PHNHQQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	382410201721.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3980	remcos.exe
1636	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	382410201721.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 676	3936	382410201721.exe	91
PID 3980 set thread context of 1636	3980	remcos.exe	96
PID 1636 set thread context of 1184	1636	remcos.exe	97
PID 1636 set thread context of 2392	1636	remcos.exe	119
PID 1636 set thread context of 4156	1636	remcos.exe	129
PID 1636 set thread context of 1096	1636	remcos.exe	138
PID 1636 set thread context of 1000	1636	remcos.exe	147

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	382410201721.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3936	382410201721.exe
3936	382410201721.exe
4344	msedge.exe
4344	msedge.exe
1992	msedge.exe
1992	msedge.exe
2296	identity_helper.exe
2296	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	382410201721.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2680	3936	382410201721.exe	90
PID 3936 wrote to memory of 2680	3936	382410201721.exe	90
PID 3936 wrote to memory of 2680	3936	382410201721.exe	90
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 3936 wrote to memory of 676	3936	382410201721.exe	91
PID 676 wrote to memory of 1800	676	382410201721.exe	92
PID 676 wrote to memory of 1800	676	382410201721.exe	92
PID 676 wrote to memory of 1800	676	382410201721.exe	92
PID 1800 wrote to memory of 1144	1800	WScript.exe	93
PID 1800 wrote to memory of 1144	1800	WScript.exe	93
PID 1800 wrote to memory of 1144	1800	WScript.exe	93
PID 1144 wrote to memory of 3980	1144	cmd.exe	95
PID 1144 wrote to memory of 3980	1144	cmd.exe	95
PID 1144 wrote to memory of 3980	1144	cmd.exe	95
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 3980 wrote to memory of 1636	3980	remcos.exe	96
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1636 wrote to memory of 1184	1636	remcos.exe	97
PID 1184 wrote to memory of 1992	1184	svchost.exe	98
PID 1184 wrote to memory of 1992	1184	svchost.exe	98
PID 1992 wrote to memory of 2772	1992	msedge.exe	99
PID 1992 wrote to memory of 2772	1992	msedge.exe	99
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100
PID 1992 wrote to memory of 3712	1992	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\382410201721.exe
"C:\Users\Admin\AppData\Local\Temp\382410201721.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\382410201721.exe
  "{path}"
  2⤵
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\382410201721.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:2
        9⤵
        
        PID:3712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
        9⤵
        
        PID:3880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        9⤵
        
        PID:3244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        9⤵
        
        PID:3932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
        9⤵
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
        9⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
        9⤵
        
        PID:3068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
        9⤵
        
        PID:512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
        9⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        9⤵
        
        PID:3784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        9⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        9⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
        9⤵
        
        PID:1332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
        9⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
        9⤵
        
        PID:3956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
        9⤵
        
        PID:2896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
        9⤵
        
        PID:1420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
        9⤵
        
        PID:4636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
        9⤵
        
        PID:1180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
        9⤵
        
        PID:4340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
        9⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
        9⤵
        
        PID:1772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
        9⤵
        
        PID:1384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
        9⤵
        
        PID:5140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
        9⤵
        
        PID:5680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1378400234779435778,15307919944142168385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
        9⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:2392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:1800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:2684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:4156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:4936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:4296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:3836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:4964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:2256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:1000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe5a5d46f8,0x7ffe5a5d4708,0x7ffe5a5d4718
        9⤵
        
        PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
65KB

MD5
017f1df1f5d47c8620f027babbfd07a9

SHA1
99626c13915560865ea8f088bd4efe292154021b

SHA256
5bf19dc43b7829e877b92522b1566a7c11bc09ae636b30fa24f69f97c6646bfc

SHA512
b5ad8ada1093f836fb643e8ea96db1b9e792c53b664e0bca184a7f2d777d4da89fbb8c81a33c84b59aed09b88a46c00ae2810760596f5176ae167f1c2f86f107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
88KB

MD5
b30dc7a93ad91e993b51f9c6a2514f1a

SHA1
6e509879c7c6b8569b789c8ce529cf920ac1993b

SHA256
e1f3db77f49d3347744c550c6eb1b9787bfdac6fa1afc6a588994ef11685dbe5

SHA512
55e368872a5b8c615131a2e16287b0447552b5e1406eba54956474d3084580da2fda7929129534ff793db559cf202b405e77b024fddb6161dafd94f7f75afde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
475KB

MD5
4f12abcbf4ce4371b6ec06a87c44f6e7

SHA1
8dc044044eb4bb8b29168fea8e96aff04e916a42

SHA256
b104db18cab223d09cab7418f7862ddd93d98530b68791c40c8c38fe95912744

SHA512
c1b994ac8896fbeee0b61271de7d823cfb3a5db692156c1f4e2282797eb4a66d8dcd47dc30e9f2b0402a74996bbf871fd121265e0c979c27531697d926c7439c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
870b357c3bae1178740236d64790e444

SHA1
5fa06435d0ecf28cbd005773f8c335c44d7df522

SHA256
0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e

SHA512
7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
49a1bbfc1b7862668c4e34a39d7e56bb

SHA1
49a07ecccaacc3c6d8cd03078842feabdcf69cd3

SHA256
111d35b7469aa2abe8b2a8ac31e6e6d193aaa3d59510af65ae48a615fb51d781

SHA512
6d4887eb53a94164b57d33b512ffa833f49430dcf0f15eea6425736b427df0516e14f8e9629c2903c5aeb50f135e8e17797bd93dabdc6725c055d8578ce2d9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4cc0907080953362_0

Filesize
295KB

MD5
f48076670d6189d0fc7b0f7e39f658f6

SHA1
7da04c4ef99a751b57dad1a835e24f056607cd79

SHA256
135ab1104fa767d278197e2df3a246f524e941c8f8166a00def2580cd23459da

SHA512
483587a213179a8caeba3631df41d1c09f58ee1b5bc91ce99afb67a7bf3d5f228591857afaa2ade4e6cd4c571b38851fec3f7972cc0c151416ff0fd32587f124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
b3265b4b5d6f8fcea9d694a7b5bc08c8

SHA1
9ea532295ef81b0b593c9f1b7fd25717cf9c4f67

SHA256
360183dcdb57e5c0856fb3c0294fb9601fe0843ffa5fade0a8eaae941cc84fcb

SHA512
afc30578e8a48f575261e15c44170e9a22fe72b5928d4871b6aaa28a4c9e59a7d66193e473d2911532c95c8b92be9a8086f48e9f501c2a8b7c10a01ea15614c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7c2e051428d0061f_0

Filesize
1.2MB

MD5
20282b35201cd12ca2df78665166875d

SHA1
013974ec7fe3f21f406f3896384b2882bdf5617c

SHA256
0448d4ee4a86d38d4eefbf083a89c3358490a9a82d4becd215c8222098809ed6

SHA512
235929b1b424f3045dbe0dab95a84ac61ca59cf3f36c8357db0b8466844d260b9b448e6cc2ba86a62501df1ccc3bfc220b3bb24613ea4b2451df89a9e674c3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\acdef3933f2837f9_0

Filesize
1.3MB

MD5
bceaf7786bb0e2b5b44d635738273cf3

SHA1
b45bd6ba941f0dca43d982773c471495b7f9276e

SHA256
f12fb432744f97b2f8bf040549c5393066f19456ea39422b8136d65b1cfc52b9

SHA512
3b39f7d463b1c1af291da80993e9b783af27d5b091a1cdfff507910cc27d64ddab9512a38cd21eb30e8b1617962c5f496b2c279663a0266077331f753a1ba0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d0b2d7f4541799ec_0

Filesize
297B

MD5
2f0a9b18f8b4f1264351cad2f90e84e5

SHA1
c82a9a2853d329006a751a34929286020e617723

SHA256
070d1d4983346fe1093d25e2d063113f0d5335f87b01700c4dd47db07f41841a

SHA512
a59e053a5718d44d320c669e62b9f211eda0a811547a2c4fb927245f46af9ab744a81cc748494ad74682f71620e50e75a24845e2d8baab4d9781634424064344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e3c3d566c88fe359_0

Filesize
186KB

MD5
ee6b07b0775c7ddef36eb4265ee5a985

SHA1
bb98d215732431415fb963053d7627c62df41b2a

SHA256
ab9c6b39c93da2ff1d2afa2bc09e9893ea59e24de9a8add54974dba25c679372

SHA512
664e2e029bfdaaae7ace62830afe23976a709a13668b2bcee0319c1ac91baa14d737ee72e50790d620da8f4ebedbee7dd2fc013100b90df17aa797aa05c1fe2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e64d1f5367585392_0

Filesize
1KB

MD5
151ee9befdc840273a6b65769600f76e

SHA1
7b46d4a0fa30a1ba672ce6fece87046da1a9d3e2

SHA256
aea82f5828ce888067dda1e4b5ad56f0836d42124f4d9dc971194d93ae95d86c

SHA512
00b67fe6ca3f93f6fef39fa8fc80ac956f468674561f392fb6d2ffe751b90f87a1c1438c1d0ff8c894a8b56dd650970f9118443912120e6a62f8ce3268e442c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
341e99f34b924cd6453873e122b6cf6b

SHA1
2ad32ae08e54c87b2ce615a13ccc91d8306cebe6

SHA256
e5de4f125689dfcda961e3d0bea4055120b842639d67bef888033ab239d00e34

SHA512
abda8f64d90a91153dbba7532edd8d9ac6142f3fcd1920dffc978fb03e3c8d66912df56b173a625acd6494a0a506ee45748371b4e8b7ed9b53408067a309fa6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b3e6b9636d83c7c6d96918b1bd328e7

SHA1
6acacc264b03f28fad96d0774ca3adaac494fb49

SHA256
36dd20ab729f506b90cef2749c6ad1eb8420a1ad398326225a42970ca1f3642f

SHA512
e96bd5a04f998729118624b12503bac5ca857b3b087f2b16e4e231625f1c3a4bfa4c3ee08873ad3984f43351763ef743971978c279c1b2309a35c630f1642b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbf2cacb3f9feb743fd7ea802277b46b

SHA1
59fbb20faddcb021925727c61f911126ce9d5e53

SHA256
ab5dfb622077a4869907cbc44a9138efd6b9e7c2652f0bb8d98542d6becfcd6d

SHA512
97a6474309a07cb61ad40a8db88f55df4495c818e5cb4684542b8eea8c8fe4bc268d5b33a5585d12ea1c3989aedca9b8f03dbfc800fb55f38fb1d1dbea150584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11e6978f9994666dbedee003bd63609b

SHA1
1d8ca3bbb8632963175c0494c655201a237f19d2

SHA256
6d49cec67c8a0d84e490fc4d30166ca02583928cd3f50a1905d7d0f04effa634

SHA512
457dbfd0a766410a7efb6447448749032053adac99405cdb2aadf917fc865fbc5cabebee922d0a8d8ec3bd169600581fd14ac6a9067a117a83ceebb6a9024f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6a4190641db7d7264fe15058966183e

SHA1
1b4db7ac9a5a08fa13f13b52991808577f6056d9

SHA256
5d6d85285061f766f6e9342640d4504d5427035620aab193d1ac6510feae10a8

SHA512
75c593a02ca8127da102e8cc6758318002ce1ab6f52d7ad3df4c1861c48bb129d9cbb64313669a0c556eff28697828b5b5ce140ca9bb9baec685e83885fefaa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd9a70a9f2cdf2689f87c8416c11a434

SHA1
ec7f86b2c0b16cd7fbb392d3018cff3efd6984a6

SHA256
bdb8879766a5f85ddd0c2d41d83e53da54795791b09e08b2d2da9c034a23390e

SHA512
706feb10dcac5734a97f1f398a376cc6b77cfa3c264641ad3b900ef848d3c838824602b75eb6d129c046232a519e8b417f9b48ab101e7e82df10961d3937d6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba24ce8d472dfbd614bc3151263a1b93

SHA1
127cce7407fd33befe01829f866e9c449fe60385

SHA256
70dbf1ac37776992ac47bef9aa0bfc2a864665ad9302c67394f1f627e278de4c

SHA512
af1e972ef92e270f8f58658b39424534f8558a090aba6e97407f2f5594b40997382d7e6a3f87d068bea9cd032540b6725e0522bc16b7ead9c5bb6acece1c032d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
9fe48760ef30076b569d529010999622

SHA1
0e1e2a406b97ed9732185f207c834d13d9f22677

SHA256
39de3fb3066db87be7c2848bc7f1155c84ae2613287f259a4508e46acd4f38dc

SHA512
ff68da089136e199cd5e5013cccb85137f1a8afb6624c98db088033b16095db2a3826dcb1acdc9553c7c85e7d91b4d331a100579e367e19e4d33d6f00ecd0e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
26fdd90a257592cd3a09bae960e4f907

SHA1
1105de5c7d721c0a9d8bc4ceec79c3e66c9238f7

SHA256
796d34f7a373f97efce9d9565a9233371273e06bc13ae60fcc7c2feba887a253

SHA512
77464e53939554d26a0603fa198cf82b1abbd7ca1a9708c82159575742b83f21a260fb7cc98901f60f2b0328150f4fac92a7d38c5b36572f8aea517f68c63a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
2277731edd7183597096561a112939ad

SHA1
3bfaa8ce49644f70c140ddff4012d744d79e0932

SHA256
ad5bbc85f8da7caebbbd786e3859ed8fb3677372ed7631bd4ee7e33557e6e289

SHA512
d496d2da04bc5f9957d6a91fc6ef2890374a0e75273a098251114b6a9e9e9f3c8dc2aeeebf0313675b089ba610896fa3535c81b990a329ca493f41c07d6e5dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
0a9dd48ade99545d30976cab84eaf497

SHA1
50dbed8c4e652f6eecb5642a5095f8a841bad114

SHA256
b54f9ab107dfcace2a7ff3720ff99b9b5ca37f20604c893e5d3d05b0415ce7aa

SHA512
e3e80bf90633c7925b6a6a566c9f8d6406aa681091c77b02c0221cd3d3df0c2151df4b56de83dbe6c82ed26c7227b4293a88b17f0f194084f4ccddf8091d632f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c0ab.TMP

Filesize
371B

MD5
64bab904fc44b5c23333ad28164f9d99

SHA1
f2fb2a8cf026cad24cc802a9b2407a22cf2d3252

SHA256
18317fedfc0602f3a508ddc5d42d6ed3f24ab43b572eb2b31c174bbdf9184919

SHA512
2c896f7606a75e558e5ef852be8f0ae2e4e030f9c61d51cc16ad89f275ea665df52e4719a4c8fde7b1cd21ab58632bc8ea350931ad3fbc74fed16143daf5e572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8eeec6988b6f451e7b294f28a43424b6

SHA1
107a46975cd44cfb38d8b1e25c79382678bd9b50

SHA256
1b12c7322e6777679b5ba29e9afbde45374642cc48da517dabf1cf9278d14102

SHA512
5997f8df2da09ce4382057292e0980091c0f09067976540ec7b462effe538d81236adf764287f71802190666a8267118b501dba41e26d20d2ae368f34ff40f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6943fadea1245ecf16caa33f3468a31e

SHA1
5b640f315966de1e0af9040c619b5d57c16424e6

SHA256
d0b1f7c3fa6a4828b411a156bb7f5867eb338748eddab630a9a16d13f7d1ab2a

SHA512
f03d70691eb1c02d9b5c73582aa5310e2ab2a7ac001dc469dd457e3e0f783ae468205eb302dccc168950e5ffc3b4d4a89a5c3404351f2537428ac2b7c454331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

Filesize
111B

MD5
9ba66b44d45f9b3587e83994fec9305c

SHA1
b918e851a2aa83a8fc3015465cc788f0e6e3d281

SHA256
6be2b01dc18116c8698fdd6a5120d4d7b127e1178b73c39c3acf4e378fea0b90

SHA512
a30ab79e653382426979dbcb3d5844f8f7ba571ce53b9e5f235547e67234a03f3e4637e2bb81e7b983dfc09b2d86e6adfd9c7160fe596d22e11e54cfaf23c3a9

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
972KB

MD5
53ee3e51b223773a7db458eba4bd0528

SHA1
5ead7b026aa51ba272548be89118991378f54fb3

SHA256
941d7828d89da175afca52906a1e519707a09685f30332937917505fa8999f87

SHA512
90d7f487adbc5af048cf6c8bbbe4f1997201fbb7bec28a44c55c3a5009995b9377bc09bb48bd62244eecd0910b1e16cc2f7361e2dae195b95d0271ec1e7cc0ad

Download Submit
memory/676-21-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/676-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/676-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/676-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/676-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1636-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1636-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1636-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3936-8-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/3936-9-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-7-0x0000000005960000-0x0000000005968000-memory.dmp

Filesize
32KB

Download
memory/3936-6-0x00000000081E0000-0x000000000827C000-memory.dmp

Filesize
624KB

Download
memory/3936-5-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-4-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/3936-3-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/3936-10-0x00000000087F0000-0x00000000088C2000-memory.dmp

Filesize
840KB

Download
memory/3936-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/3936-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/3936-18-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3936-1-0x0000000000A90000-0x0000000000B8A000-memory.dmp

Filesize
1000KB

Download