Analysis Overview
SHA256
f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
Threat Level: Known bad
The file e34683e560b0c2a5cddcffe98956ea62.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft WebBrowserPassView
NirSoft MailPassView
Detected Nirsoft tools
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-23 09:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 09:18
Reported
2024-07-23 09:20
Platform
win7-20240704-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
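The two Rmc-QBT08L entries above are the persistence that survives a reboot: the same value name in both the user Run key and the 32-bit (Wow6432Node) machine Run key, both pointing at the copy under AppData\Roaming, with the HKLM value written by the Temp-stage dropper rather than by remcos.exe itself. The Python below is an added triage script, not part of this report or of any sandbox. It parses rows in the layout used above (the Rmc-QBT08L and CompatibilityFlags rows are copied from this page; the OneDrive row is a constructed benign autorun for contrast) and flags Run values whose target sits in a user-writable directory, was registered by a process other than the target, or reuses the Rmc-<6 characters> naming seen here.

```python
import re

# Constructed sample in the report's own table layout
# (Description | Indicator | Process | Target). The Rmc-QBT08L rows and the
# CompatibilityFlags row are copied from this detonation; the OneDrive row is
# a constructed benign autorun added for contrast.
REGISTRY_EVENTS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background" | C:\Program Files\Microsoft OneDrive\OneDrive.exe | N/A |
"""

# Matches "...\CurrentVersion\Run\<ValueName> = <raw value>" in an Indicator cell.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\=]+?)\s*=\s*(.*)$")
# Directories a standard user can write to; a Run target here is the usual
# dropper pattern (legitimate autoruns mostly live under Program Files).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def unescape_value(raw):
    """Undo the report's quoting: strip the outer quotes, then resolve backslash escapes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def first_token(cmdline):
    """Executable part of a Run value: the quoted path, or the text up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def parse_rows(table):
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3:
            yield cells[0], cells[1], cells[2]   # action, indicator, writing process


def triage_autoruns(table):
    """One finding per Run value written, with the reasons it looks suspicious."""
    findings = []
    for action, indicator, writer in parse_rows(table):
        match = AUTORUN_RE.search(indicator)
        if not match or not action.startswith("Set value"):
            continue
        name, raw_value = match.groups()
        target = first_token(unescape_value(raw_value))
        flags = []
        if any(part in target.lower() for part in USER_WRITABLE):
            flags.append("target-in-user-writable-path")
        if writer.lower() != target.lower():
            flags.append("registered-by-other-process")  # e.g. the Temp dropper registering its copy
        if re.fullmatch(r"Rmc-[A-Z0-9]{6}", name):
            flags.append("rmc-value-name")                 # naming pattern observed in this report
        findings.append({
            "hive": "HKLM" if indicator.startswith("\\REGISTRY\\MACHINE") else "HKU",
            "wow64_view": "\\Wow6432Node\\" in indicator,
            "name": name,
            "target": target,
            "writer": writer,
            "flags": flags,
        })
    return findings


def cross_hive_names(findings):
    """Value names registered in both the user and the machine Run key."""
    by_name = {}
    for f in findings:
        by_name.setdefault(f["name"], set()).add(f["hive"])
    return {name for name, hives in by_name.items() if hives >= {"HKU", "HKLM"}}


if __name__ == "__main__":
    results = triage_autoruns(REGISTRY_EVENTS)
    for f in results:
        print(f["hive"], f["name"], "->", f["target"], f["flags"])
    print("in both hives:", cross_hive_names(results))
```

The HKLM write is worth a second look on a real host: it only succeeds when the dropper runs elevated, as it does in this sandbox, so on a standard-user endpoint expect only the HKCU entry.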
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427888190" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c70000000002000000000010660000000100002000000055864e6c61a3ae7542f7c527f623e83cc97f0b4afe21df044a150480392f391c000000000e800000000200002000000062c44c9c62c9c29561ef7b9a9a43783cb11d40196d7a2b5107b43594274a1f22200000006f7eef340568d432008689588f12c345f283befdc82374ca77f0b880d019843640000000c029f7b38b9893616d32c6703394aa8f7d3132a8d8ead1ac150c8502e87600898dc07c404aa4f583367e98bdd256ae4571e0cd27756692a718968ad6db574118 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8DD44C71-48D4-11EF-AAA3-7AF2B84EB3D8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405c0b59e1dcda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe
"C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECA0.tmp"
C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe
"C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ftltzmiqucb"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ftltzmiqucb"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\pnymawtkqktbytq"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\rqewapeleslgbheycp"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275479 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:406562 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:406579 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:1127454 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:1061926 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:1389617 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:1717281 /prefetch:2
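Read together, the command lines above are the whole first stage. The dropper is a 32-bit process (hence SysWOW64 images behind System32 command lines, which is WoW64 file-system redirection at work); it adds Defender exclusions for itself, for the future remcos.exe copy and for an AZjibU.exe that never appears as a process or a dropped file in this trace, registers a task named Updates\AZjibU from an XML file in Temp, and then the remcos.exe copy re-executes itself with /stext, the NirSoft output switch that matches the WebBrowserPassView and MailPassView detections above. The Python below is an added example, not part of the sandbox or this report: it applies those rules to the process list (copied here as a constructed sample, with one IEXPLORE.EXE line and one svchost.exe line so ordinary processes pass through the same checks) and lists exclusion paths that never correspond to an executed image.

```python
import re
from collections import Counter

# Constructed sample: (image path, command line) pairs copied from the
# Processes section of this detonation, plus an IEXPLORE.EXE line and a
# svchost.exe line so that ordinary processes pass through the same rules.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECA0.tmp"'),
    (r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
     r'"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
     r'C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ftltzmiqucb"'),
    (r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
     r'C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\pnymawtkqktbytq"'),
    (r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2'),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a quoted argument or a bare one


def tokenize(cmdline):
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def arg_after(tokens, switch):
    """Value following a switch (case-insensitive), or None if absent."""
    low = [t.lower() for t in tokens]
    try:
        return tokens[low.index(switch.lower()) + 1]
    except (ValueError, IndexError):
        return None


def triage_process(image, cmdline):
    """Return (tag, value) findings for one process."""
    tokens = tokenize(cmdline)
    low = [t.lower() for t in tokens]
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name == "powershell.exe" and "add-mppreference" in low:
        # T1562.001: Defender exclusion for a path the malware controls
        findings.append(("defender-exclusion", arg_after(tokens, "-ExclusionPath")))
    if name == "schtasks.exe" and "/create" in low:
        # T1053.005: task definition supplied as an XML file written to Temp
        xml = arg_after(tokens, "/XML") or ""
        tag = "scheduled-task-from-temp-xml" if "\\temp\\" in xml.lower() else "scheduled-task"
        findings.append((tag, arg_after(tokens, "/TN")))
    if "/stext" in low:
        # NirSoft password-recovery switch: dump recovered credentials to a text file
        findings.append(("nirsoft-stext-output", arg_after(tokens, "/stext")))
    if image.lower().startswith("c:\\windows\\syswow64\\") and tokens \
            and tokens[0].lower().startswith("c:\\windows\\system32\\"):
        # Command line names System32 but the loaded image is SysWOW64:
        # file-system redirection, so a 32-bit parent launched it.
        findings.append(("wow64-redirected-system32-launch", tokens[0]))
    return findings


def triage_processes(processes):
    return [(image, tag, value)
            for image, cmd in processes
            for tag, value in triage_process(image, cmd)]


def tag_counts(results):
    return dict(Counter(tag for _, tag, _ in results))


def unreferenced_exclusions(processes):
    """Excluded paths that never run in the trace (here only AZjibU.exe is named but never executed)."""
    images = {img.lower() for img, _ in processes}
    excluded = {v for _, tag, v in triage_processes(processes) if tag == "defender-exclusion" and v}
    return sorted(p for p in excluded if p.lower() not in images)


if __name__ == "__main__":
    for image, tag, value in triage_processes(PROCESSES):
        print(f"{tag:36} {value}  <- {image}")
    print("exclusions for files never executed:", unreferenced_exclusions(PROCESSES))
```

An exclusion for a path that never executes is still an indicator: the name AZjibU reappears as the task name, so the builder's persistence settings leaked into the command lines even though that stage did not fire in this run.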
Network
| Country | Destination | Domain | Proto |
| US | 107.173.4.16:2404 | | tcp |
| US | 107.173.4.16:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
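Of the flows above, only the first four belong to the RAT: two connections straight to 107.173.4.16:2404 with no DNS resolution (a hard-coded address on a non-web port, the shape of a Remcos C2 channel) and the geoplugin.net lookup this family performs at start-up to geolocate the victim. The learn.microsoft.com and ieonline.microsoft.com traffic is consistent with the go.microsoft.com/fwlink page that iexplore.exe opens in the process list above. The Python below is an added triage helper, not part of this report or the sandbox: it parses rows in this export layout (a constructed subset of the table is embedded), tolerates the column shift the export produces when a flow has no resolved name (protocol in the Domain column, Proto left empty), collapses repeats and separates direct-to-IP peers from named hosts. Treat 107.173.4.16 and port 2404 as the blockable indicators; geoplugin.net is a behavioural marker, not infrastructure to block.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "country ip port domain proto")

# Constructed sample: a subset of the Network rows from this detonation, in the
# sandbox's own export layout (repeated flows kept so that counts are visible).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 107.173.4.16:2404 | tcp | |
| US | 107.173.4.16:2404 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
"""

# Public geolocation services the RAT queries for the victim's country; a
# behavioural marker, not infrastructure worth blocking on its own.
GEOIP_SERVICES = ("geoplugin.net",)


def parse_flows(table):
    flows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Flows with no resolved name are exported shifted one column to the
        # left (protocol in the Domain column, Proto empty); put them back.
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(flow):
    if flow.proto == "udp" and flow.port == 53:
        return "dns-query"
    if flow.domain == "":
        # No name was resolved for this peer, so the address is hard-coded in
        # the sample's configuration. Off 80/443 it is the classic RAT C2 shape.
        return "direct-ip-nonstandard-port" if flow.port not in (80, 443) else "direct-ip-web-port"
    if any(flow.domain == s or flow.domain.endswith("." + s) for s in GEOIP_SERVICES):
        return "geoip-lookup"
    return "named-host"


def summarize(flows):
    """One entry per (ip, port, domain, proto) with a hit count and a verdict."""
    summary = {}
    for f in flows:
        key = (f.ip, f.port, f.domain, f.proto)
        entry = summary.setdefault(key, {"country": f.country, "count": 0, "verdict": classify(f)})
        entry["count"] += 1
    return summary


def candidate_c2(flows):
    """(ip, port, proto, hits) for every direct-to-IP peer on a non-web port."""
    return sorted((ip, port, proto, e["count"])
                  for (ip, port, _domain, proto), e in summarize(flows).items()
                  if e["verdict"] == "direct-ip-nonstandard-port")


if __name__ == "__main__":
    flows = parse_flows(NETWORK_TABLE)
    for (ip, port, domain, proto), e in summarize(flows).items():
        print(f"{e['verdict']:28} {ip}:{port}/{proto} {domain or '-'} x{e['count']} ({e['country']})")
    print("C2 candidates:", candidate_c2(flows))
```

The verdicts are deliberately about shape (resolved name or not, port class) rather than reputation, so the same script separates the RAT's traffic from the browser's on a report where the IPs are new and no feed knows them yet.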
Files
memory/2556-0-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/2556-1-0x0000000000AC0000-0x0000000000BA4000-memory.dmp
memory/2556-2-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2556-3-0x00000000006D0000-0x00000000006E0000-memory.dmp
memory/2556-4-0x0000000000710000-0x000000000071E000-memory.dmp
memory/2556-5-0x0000000004FC0000-0x0000000005080000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5063A6FS1Q2UXWXDDEM.temp
| MD5 | b2312d24052105c981a4383a3b8e5a21 |
| SHA1 | 1a8637211727cf0c3e43f30b2fd589330770206b |
| SHA256 | 9cdaeeb729000c99db332a0a29817c27805aab544551ab98683fe0ada5c80879 |
| SHA512 | 2a9e86b3a7e5c61fb471bb62596769382db772dc031557c5b5e3dcd37cf39bd292a2e0c2390cce57f1e1ae125d8573ea7191e2ee86071a549485557e086f3d7d |
C:\Users\Admin\AppData\Local\Temp\tmpECA0.tmp
| MD5 | c5376c1e821ea489f570df7e1d945c6a |
| SHA1 | 6fedb8a12de4a62bac1ffcddf89d7a17f0f8b201 |
| SHA256 | 51416a02a59c75606f8327c82dbf3d01d5e12473f97a7bd24d464616036627e1 |
| SHA512 | 2e301eddfc73b38d910d62b84f71fb8aca5bab6a5edb63909e8797f89b184b7e65de3494a6e379a5db32f290dc774e64fff6fce93c556064a3b37adfcf66c59a |
memory/2756-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-35-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
| MD5 | e34683e560b0c2a5cddcffe98956ea62 |
| SHA1 | 89a3dc3e4b06a8c4bd94bffc48adac82e620d910 |
| SHA256 | f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054 |
| SHA512 | 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff |
memory/2756-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2556-39-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2756-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2756-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2500-46-0x00000000002B0000-0x0000000000394000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e264d2993f0d576936c3e78aa0cfd708 |
| SHA1 | 4841a46f5aa6c6cb23c9342a090f78e2ea46d509 |
| SHA256 | 43924a2c38c4cf3887751fdccb48e0ac75c28384df5b3d762c08c307dc6a59fa |
| SHA512 | 6599ba6e4d3a7241f7110c611989096cf03071cf5c94367ee2216ca484b83cfce6edcc1fb0b8e7bdc25089f34ca2a15eda69e8b90a8ccd21c9873a8d87482463 |
memory/2456-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-79-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2820-85-0x0000000000230000-0x0000000000314000-memory.dmp
memory/2820-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2820-87-0x0000000000230000-0x0000000000314000-memory.dmp
memory/2820-86-0x0000000000230000-0x0000000000314000-memory.dmp
memory/2456-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2456-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1884-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1944-99-0x0000000000400000-0x0000000000462000-memory.dmp
memory/748-109-0x0000000000400000-0x0000000000424000-memory.dmp
memory/748-108-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1944-106-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1884-105-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1944-104-0x0000000000400000-0x0000000000462000-memory.dmp
memory/748-103-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1884-101-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1884-96-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1944-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/348-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ftltzmiqucb
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\Cab3323.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3393.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 213faeb6d014be71fcd46a2d95065efd |
| SHA1 | ba99615008c9b077ea32955f70337cd962595429 |
| SHA256 | 17e2c7e6fc2e7584b1056bc1b4e1bdfe8b3b51fe2c73cb3206561885004e6d2d |
| SHA512 | 6146787e2488ae34c36c0984f551aaaf471652b3437734bbee75cf5263b4ead1f00e1434a7815d9738229bdd3ce9da80af69bb22a07b593d867280ce63008cf4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e552307a033abb1a1a680b857f67c1f |
| SHA1 | e15a33ef0bec3e50c4d6a2a9a1cf7dd48c4812a8 |
| SHA256 | ea531a730318a507fb4c7b79050caec0528c4cc7188b48143a4ca380e1eee141 |
| SHA512 | 0e71aa71b6ea246d044ceef9167f239dd4867723ccab90c35c9b3b1cb4e24503c8231958f7101c080b6385acc3a211adadbfd6f8bf5d3bd895e5427e9d7ee5ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4efe78ed4fd3cad76b8303aa4ebd5ee6 |
| SHA1 | 3006378e02df988d2a84d09b5075da15d3539c73 |
| SHA256 | 07f6261774bac47af83f6a1e191ed0047b30acfda5f69ed194718bd6f182ff9a |
| SHA512 | 6333953c82a9dee6104c0c4568c1ca5f10f3ea77e52595c760e821191fbbaadaff088f468d36effaace3c913b573d23f507f7bc27e4929d2daad855a2f3d956f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f944b8e598c298fe3b35aaf75dbf57b0 |
| SHA1 | 6d88d478001a43c9cbfc1ae0e7b6701c4363728d |
| SHA256 | be84c07017862c3e125ee5e704e80180df16be43337bf6fb360f47e9e6201484 |
| SHA512 | a05c72f1b7f95fcae987e235d0e2048e6a130edff7272610c2ed161f0df1e902df4260e38b896980b744168dd252a915fc09343d9b436f15646d73469f2f0b33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3caa008d23f12e3aeee6a23ca6635b05 |
| SHA1 | 0abab9725a15e4365d6221a2387b8bcbb66da737 |
| SHA256 | 7263e0fb95be35f30fc1f4cacf71252aad0b4d89cf221911f1fa25555cf78365 |
| SHA512 | 100776559bbf093a681adfdec5670382f3c0f7e9c1fc56096f3d9a2bd3e4fcb1ab0976dd93b6b3474e12dd49f9c0eacc70a471bd20798e6383f342bbc7ecb85c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b2ec4a8d2bc9f0464610efad10810cf |
| SHA1 | 25c992814d240da1e33faee4fd2fbb1afa670d7a |
| SHA256 | 5f9ff6cc1d712d77ff833b93f850cc0ab5be74c440f1ebc0b546d46d40d42aa2 |
| SHA512 | d26a266a9eaf4d218d013136d5ce02dbdf41be271c503de80404913a77732d9f84b2f5d80d6ab7e55313505dd9568ef0671ffa94d137728540fa427a31a094f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
| MD5 | d3cb45dd40aeb138a8c86844963805e7 |
| SHA1 | 02799a2b92e6c1c30a7edbb2130bcc8edb75d22a |
| SHA256 | d1a6a9ffe7a1dcf83c5a53aff9418a3b09f8f681df97bb7e562e65e8569b963b |
| SHA512 | 354617e3f37d30a69f252031183c2ee8b0835e054709022991378da9207b4ea6bb4a4e6f12caaf3e613f53b4666a80f955fab1bef2b93ad424ef8f1c112f8d2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
| MD5 | f55da450a5fb287e1e0f0dcc965756ca |
| SHA1 | 7e04de896a3e666d00e687d33ffad93be83d349e |
| SHA256 | 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0 |
| SHA512 | 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c936335045cf3ea465598af749be607a |
| SHA1 | 28451198d112a5dd3607c726a0255a32d340bc4b |
| SHA256 | 1d21343fa108ffe5d3de2483baf5cf0be1bde8527383bc57d9a67cdf29655a75 |
| SHA512 | e976157a7cd6322e244874f16e46eaa863a0e5f463003c524a9c8a277bfe53a8201c69d26dfc2f9a699764d012ee16631085ea134c20f0e6e0a0b4c84463e836 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12cc26c9f8d18f998ef5107d4c6e8900 |
| SHA1 | aa4476a17fda02bf5f501cdb77388c70397d1be1 |
| SHA256 | fc286e1e00b74e73d245e20eb1db031525740dd25778760adc4af258b2f2342e |
| SHA512 | 6c9aad4d33f88612e7a3c5288577e04a4fca65475dcc0df49eff81ae0e39a25547d4aca130d10891355aec1094ce54e9eea8843919cf593e21095bc4de33f886 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 727a9dd25236f7970fef94be54c35181 |
| SHA1 | a68b0be94eae9c85c9274ba285fbfc5f4c608205 |
| SHA256 | f1544ded090f09fb075e0087c0964049ccce508c427528161acb246a5a732d01 |
| SHA512 | aae6ca4002ca13edc01f3693082e8fb2602ccf2b68b6422da2661b0b1a96df059cff179ef0b4dc65d74a8a822b7a5727d9c00ad7bb352b0533ca1a893a3440e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 615ace28def9ea9214fcce4ed76f464a |
| SHA1 | a7338a700f706b0d25ba5535dce837737483a8b9 |
| SHA256 | 276006da405aad9c080c555fd3bbe6e0d803d23dc0f21d338ca233e7aa0096f3 |
| SHA512 | b7d4dfbf3bdd68b866c265cdf7a61698eb87189b39bbb458b83ef94f0422fb6060905442b47ee02699f957409373d1d7e6c64de994cbd863fabe68d48a6e4e4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 348fb5d7aa27337d161e8b5077f74c66 |
| SHA1 | caf39a9358daa05ad1965a5f951c4e70da5e19c4 |
| SHA256 | 6668f3e56d927eb7d5eb97ac313158b9e7b6dfae3336e3b73bbc9394e686e8c5 |
| SHA512 | d77f373284891b76b24d0b5ff712548e87eb7881abfc4f1bf6a5697d994a48173d6a2749a9ece4fc58263fddc8a08d2e3b2fe3c174bcfdbc04ad373ae3f8bf55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0918d65ae8c3dcfdbdfe95cfb480fa66 |
| SHA1 | a7b06f6a7fe2de3ca03e1587a8866b50e3f24f0f |
| SHA256 | 1ca6199af2e9a6154a4d7d4c10255967fd4518ce3e810a76ed93f81d149b796d |
| SHA512 | 7f02d125d844e65d849e30066cb7ce41fcd0d52798ac693eb93cd7ba44019eaa0f13a8597e743afebf8ed4e9f51098fa7f3726a4c5280f100d1aed50ad8e85bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 913306006354bef8ff841289b695137b |
| SHA1 | af7ba8f32645624d63c57331a7e30fcd7db327d5 |
| SHA256 | 0f00d518ba40f04e27be723ab485dd243e9677f98e15948d881d06092e71b117 |
| SHA512 | b6f9f89fe7bd94bf339759ca7be4f61360b7332eb71f84ad19f2a422b2bb9424d55b870333981dd4339c72cc563e46f3e24a5c307441b1ff24a2e843cbb31549 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7363fcae17b761834a623c2aaa3c250d |
| SHA1 | cd56e0833b2d4d49d759bbaa2376b1e08bd8ea48 |
| SHA256 | 6b09649d4ae90c9caae9182841d0055c25483c6e28ed1a737a4e59c8526d64af |
| SHA512 | e13e680edc90b1ae7b2b481fda4d1211d4c9cd5b4dbf60892b0441d79150d8a80ec1dbc5acb509aca0bdfee41ef25ad26db0b570515ded6913a47f660ebeb8e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a50853d9cf680a78152485767c1f553 |
| SHA1 | e0a81c806c6a70a8a369079c93114cb07fb6c4bc |
| SHA256 | eb3fad69cde125ca85cae3f74e6b285a072ceb612c64afa3d06c0de2b77b74a2 |
| SHA512 | 22b562c5d7811f76d6e0b516b4649fa6656dfc5d9863a2d21029b517084c4eeb0f39bff2a1a1e6ef653b604b14edf2209617a5d3b8b13c1914631dbc2e853e90 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 182eb86f31d53d8f1a4ae000b14c4139 |
| SHA1 | ab22acca087effb26704a59fbbc353b5ccecb7c2 |
| SHA256 | 66390473384ed20c1f8fc09b57467948bd0e4997abef0097731cbcfa92c0d171 |
| SHA512 | 35144eb89c32844d8a97b3e826b23bab49108ffe5cd6562fcbf5224274b0ae3e0561d54075dd0d2e9cbf0d17b0275b6aa730cb46d37113642b98a59a3ca3c0de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 70165ee04499aa6b4492bfdc930d5fac |
| SHA1 | a44c3f369afc02fdafd9362913d7ca4d5c0b5f3e |
| SHA256 | add71b1ac6f4c228eeac267ecf5fdf6199024bb3cd6c719fa9eb70e939427673 |
| SHA512 | 93aa540f76cb4389374dbbf5593f7276cbf9e7b461e8e6599a40c010353c040d57ceba5cf7785a666bc03cab574abf3e13eec9b63c74bf7f66a20200252c89c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6fc71e8e6c70407a9aab3def80878c8d |
| SHA1 | e133823f3969867291258d7ddd53b8f1b80def6c |
| SHA256 | 238078d8f42ccb9866ef05b7100542e1e104b138f7f2e2fb123bbfab480739f6 |
| SHA512 | 7d6368f0c51a2e8795f10ccdedab2a4b0f223b53c715e75fd4d470b59a1abb5e46c8bdb38cee13c8e6b7f042af8a19f5c11e9044b82da4de34d015ab10780b3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 274821adaa87b954610b8f3f916aaca9 |
| SHA1 | 6b429da89c6a7c28b897b36db2c6156a8158a0ed |
| SHA256 | fc38b7493973a54d88f44b4379e4869c7125080cf9731c82d1b305a11760e599 |
| SHA512 | ffa5d18d2aa35f69dd26bdafcb46208f2c366cce5c1ea1fdf3291c6c9c23dfdf9f372f2c00e698547838e744e378c1cf7bd48fce9c314a06ff19a1eb6527acb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 566732ff26c7ee13bf8889811e5de7b4 |
| SHA1 | de3df976bfbe3aa70c3f6fe88a4e92460f82f60f |
| SHA256 | d99ab51a103e2ed257b1dad1dafa1437538239649f72d94cecc73a2c8316f9c8 |
| SHA512 | 0a4ec4bfb5833c9632ee4cf7da60e0ba59dae5f8942d73809c903ed945c25c9d9bd3353d59d292afd2400e6188916a36ef450e899658599e76bdce85e0cd8dcd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7fb944a59e5ff35990ca7bf09ec4dae2 |
| SHA1 | 1195c33a48f2cca56536c1cc6f2faf8afff1c571 |
| SHA256 | bf40b5f26b065f7b86828ef12314763480ca13062fea32127847ef67dcb697e1 |
| SHA512 | 34633aed091b77e8717087aff40e86b75d99612cf53a59de6f7ceec626f9a646f750a1d01168825cea7ed9ed55087b0924e4ce6180a4774157eb1592e12cf948 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a84a3f34b418fc6f8c2de2aadaa4cf85 |
| SHA1 | 95794da95439975da78f79a8bf90574664c1bbee |
| SHA256 | cdb2cf26dc11befd35ea207302260eab52eb5b6a0d616a270cd545780d54063e |
| SHA512 | 619330a8fc20b7cb372875f271736c9c4aaf22ed455a95d39523e528743fb8f422ea7a5ad9dd25cd7947429b66ad040ca56ddf77603729e069fb3796cc069e64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd41d0d7ac5a46309c80ee5d4acdcd58 |
| SHA1 | 3749954cfed5255eaf3e216a90576febdf6f84a4 |
| SHA256 | 9012a4170843e0da6f4cebc7f8c59d98ffe8f43339975d28e06ffae523b58b84 |
| SHA512 | 6290a6ed7f0dad71049e16ab69a160fe35a984696ef40f57291d6e71b1026f0331e572bcd55e02050550dfe22f9a637755c33500497c3db421210e1e2d19ab39 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 10449c16fc1d3d61b07125f6dbfb97b8 |
| SHA1 | 205e2993c5c36b510d4acc947dd06e555d980af9 |
| SHA256 | 24a87827c09fcf84a7a076cecb62bf6fb1706545da58a3bd19bc01c4ac5db7f9 |
| SHA512 | f85e25ad41fba016b95d7ec2c1726431f1e60fde05795c937c6526ec7619dfd557cef2b883a0edb5882b381711f845322536885a367f9f34d00dc52c068b65f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCY0HBA7\invalidcert[1]
| MD5 | a5d6ba8403d720f2085365c16cebebef |
| SHA1 | 487dcb1af9d7be778032159f5c0bc0d25a1bf683 |
| SHA256 | 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7 |
| SHA512 | 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\ErrorPageTemplate[1]
| MD5 | f4fe1cb77e758e1ba56b8a8ec20417c5 |
| SHA1 | f4eda06901edb98633a686b11d02f4925f827bf0 |
| SHA256 | 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f |
| SHA512 | 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GA43GQEJ\errorPageStrings[1]
| MD5 | e3e4a98353f119b80b323302f26b78fa |
| SHA1 | 20ee35a370cdd3a8a7d04b506410300fd0a6a864 |
| SHA256 | 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66 |
| SHA512 | d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7H6XY0V\httpErrorPagesScripts[1]
| MD5 | 3f57b781cb3ef114dd0b665151571b7b |
| SHA1 | ce6a63f996df3a1cccb81720e21204b825e0238c |
| SHA256 | 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad |
| SHA512 | 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GA43GQEJ\invalidcert[1]
| MD5 | 8ce0833cca8957bda3ad7e4fe051e1dc |
| SHA1 | e5b9df3b327f52a9ed2d3821851e9fdd05a4b558 |
| SHA256 | f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3 |
| SHA512 | 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7H6XY0V\red_shield_48[1]
| MD5 | 7c588d6bb88d85c7040c6ffef8d753ec |
| SHA1 | 7fdd217323d2dcc4a25b024eafd09ae34da3bfef |
| SHA256 | 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0 |
| SHA512 | 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCY0HBA7\green_shield[1]
| MD5 | c6452b941907e0f0865ca7cf9e59b97d |
| SHA1 | f9a2c03d1be04b53f2301d3d984d73bf27985081 |
| SHA256 | 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439 |
| SHA512 | beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\red_shield[1]
| MD5 | 006def2acbd0d2487dffc287b27654d6 |
| SHA1 | c95647a113afc5241bdb313f911bf338b9aeffdc |
| SHA256 | 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e |
| SHA512 | 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GA43GQEJ\down[1]
| MD5 | c4f558c4c8b56858f15c09037cd6625a |
| SHA1 | ee497cc061d6a7a59bb66defea65f9a8145ba240 |
| SHA256 | 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781 |
| SHA512 | d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7H6XY0V\background_gradient_red[1]
| MD5 | 337038e78cf3c521402fc7352bdd5ea6 |
| SHA1 | 017eaf48983c31ae36b5de5de4db36bf953b3136 |
| SHA256 | fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61 |
| SHA512 | 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 32176665130f271a950d964f24ff1941 |
| SHA1 | b17e14db38f23555719b05af0b98242c9fa2388f |
| SHA256 | 833db1123ecc89a388b24d51295924fc59e1f854a6a07e2a9e4ac0a33e8c1cce |
| SHA512 | 9bcf5b1d8ce1d4c969f6953d22ffe9ade9e8208220204e500be3b8f9df78f9b55f28b15b3710713dd14e0ea8ca0c330991a8e2985f1393c28be80ff85944ed15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5fcb0ac8d99531cae1f4f2b936ff6c21 |
| SHA1 | 7dfa15d86284f2ea00b0745452332e38b3be5ff2 |
| SHA256 | 093f875c676b7abe724df2edfebf7fdbda17943eecdcd709f9d2e75b3f10eea2 |
| SHA512 | bc0bb33d05f16ed7e71d014145d78c14dc3ad375a8edc3419f48759487f191c89e1607ee1075a777a2bde7f93aeb2da96800e77470ce2af2fa2e93b5337747cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 45ccbc5cdcdc69df6b17fa4b794a3e10 |
| SHA1 | 3a04cf05d677d11ce748e28e0b033d89e709b801 |
| SHA256 | 5c177fe9ff492949f279bd4775de10f224422b7ac7bc25ba0c6ac4cc14713fc3 |
| SHA512 | 3123b0513cae367f241df1bec5dd4c61d418b1949a986611c37cc0c022f7377ea88095044824b93b39b9083dc497012ce6cc703a1e175537fbcea73b88ebb45d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 551caf8acd5f77b655cc0a10d82648ac |
| SHA1 | 4e4cbdfd53657c1fd436cda014430ea95ecec5e0 |
| SHA256 | 6c8fe67fe1d5dddea0f214bcbd150dcea35ff6d38b553e9ef624799bda9038eb |
| SHA512 | d9d6df6740a4be9ca9f8386b4e715b8f366c1378258cdbf48c2d5e0c8c786b773976787070b5cf3c4366aa3501e40f5478751e691d68c800f94092c434e2a4c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 029b45de8a4db131a356a989d5b25e61 |
| SHA1 | dd6849e95e7056df96b0de00333bf6871788ad66 |
| SHA256 | c2a908b33f9c9dbf726b84b7cb110c4c99bcf5aaf4e05377c7fed246995720ab |
| SHA512 | 5585bfdee7e7f05e1854288b53eaf07629ed50dbbf4b9e2a48acb71b146aead2864479d4bd0bfd339e0ebbf648266db3bd38633091c21e83b2480a5e324beffe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b7974ed3cffc38877fa6e5fbed631680 |
| SHA1 | be419b57a25f558291bef88213a68813814c225a |
| SHA256 | f5313affdfc5bb8a0f032836a9306a09a3851ec083b0534b0f5e5984c76312e6 |
| SHA512 | 4df5fae7599b215253500530ace205e8a3ccaf5bc034a5b432ac2387adbcdcf255822e5036ed3c845f6c495919aba0de7a454f636e99b46f2ec84d4314d90381 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9a2acf32a24cac45444cbeb6ead4b0c1 |
| SHA1 | 05bb05d94f54a8c604983b1f2676cb638da0fbc9 |
| SHA256 | ee74a8485485cdd2f24dbd571faa03a8abb5e24815d8fc974d61607b3f46d1e3 |
| SHA512 | 1fe4941c5ae3f08cee46666bafc70ce1e98701b2f007d3b3833153b1b97599328511df92a01d1f428512df508749c570bef557892328b8c341c4ff0508388b2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52575f7829ed75f47de501afc2568b54 |
| SHA1 | 77825e4206e75f3196d1949f4a9db068640a7400 |
| SHA256 | a86b5ffdaa01e2cc3a400601a83874bf369eef23fcfdeb7a42d6c33f9a5ddc83 |
| SHA512 | 1fbcd1234b7f77f86d0c85de001e06734351dbc80cdd11923b9e254c4ea033c47d2017c49ed781f5578a6acc62f6e21fa9fa68bc0bbb3c7c3790c1a4556cc1a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac02f80a0a921567b33abf3afa1d922a |
| SHA1 | 6e1daf3346e1fdd9d9d99a6bbe7bb5d9562b1034 |
| SHA256 | 9b9750c6a25b649364bd61bb36396085cbd25066aab6b28a951f840e75f86754 |
| SHA512 | 7747b4da8065d1242c9247d999f8e447998dcb979375413a5b7097ac0c8b6f1f56d7a77316d509bb4d5542c504a49e6ceb11ab33f15fbaa3f310095e6b232878 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce77bff74977b377cfd43081a1777136 |
| SHA1 | f15fb766422788d87cf8276714073b23d488ceb8 |
| SHA256 | 620cac86e0f50df4216e135e638e69c64875223e744ca209870ff3b86979f731 |
| SHA512 | 53c58d865d964280b8108aa3bfba4f5ac7a77d86312318e6a8ac65a8ad3cfe7e4d5ad1622f565923100b7bf6509290b7d74b4846b227b53d5604b9de0ddb7470 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75342f688628bb4fef3433658946a491 |
| SHA1 | e6a39d58fc0d54bc5beb0628ff062097c1e12f03 |
| SHA256 | ccda1842ab38001074f2f1ac6c996121c04b5a472c5ee6a1aa1d5f33b7716a1c |
| SHA512 | be98a08cf4dfb8755d0abeeba1d37135791b6e495a1b8a05abc481a0e40cbe0e25a5855ece134d1e53630fe226e40162b72c89bccbb25f512de4bc8485abd0d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41e0c99db8d79dbe629ce933fe0bcece |
| SHA1 | e4a44666b20efe6750f7324e58fdf83ccd8605a4 |
| SHA256 | 7c67b27bb0d17c3dee5c0feef70dfe01e6ee07910d61522d341626c7f564308d |
| SHA512 | e7d3ec3277a279a9cc3da7e2f532575be9aa8cb66ef2cb49000fe0bdee39d64bf7e5437ce343c6d258ce3f68e573c2e041075973be01f7cb581d0fe9fb17446d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3206051cabb26249d55997552328e69 |
| SHA1 | 0b74c5d8d485b567ba4dff2d1c7114e7941d870a |
| SHA256 | 3c476655af4f04c8a0ed34aa2d7e17b137861db1eb6f3666aa63375a217d60f9 |
| SHA512 | 6c488feee8caf9d7a78eddd71581444d4f38525a87718b50dc8a925c027ca0cb8f56dc1845e7db112a3657ae206142465063e72d0a1970bbe25568d94484ef99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f95aa78aadca17549c153b47c595964 |
| SHA1 | 050f3ab0c8ec38dc0d266fe49af7ffe6022379a4 |
| SHA256 | fe44dc0905675e530029d0a2a8a0fd5ca7ed8b453909168b748b5f437a0ae450 |
| SHA512 | 3fe7475d5f3301c0f8175726522ed9c6649ff102ead19115c81a2c8940a5a97df5dd554c3561383f2663aa6dd443318cccef9a3735514341905b7336dd7a3507 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11ac7ca10363151ec0233475e6dd2731 |
| SHA1 | 157179fc3ec212043c9fc664b2d0465fa027386a |
| SHA256 | 40984910a0b76154efc0551484a862d9e5b639c76e70a34ae8345dc81eed19ce |
| SHA512 | 5f7df38b57dbb0cd51a2227d03085c297c473d5840e41708ad38279aa420629ab60ebd66af34666fb608fd34eaf058e1f7bd1de533195777cf395e86885229d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-23 09:18
Reported
2024-07-23 09:20
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe
"C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9A2.tmp"
C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe
"C:\Users\Admin\AppData\Local\Temp\e34683e560b0c2a5cddcffe98956ea62.exe"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FA6.tmp"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\qvfqa"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\bylbakqbp"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\bylbakqbp"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\dsqtbcivlcvw"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x80,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff99fdd46f8,0x7ff99fdd4708,0x7ff99fdd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1324003045777823046,8971440825762362194,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7544 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 107.173.4.16:2404 | | tcp |
| US | 8.8.8.8:53 | 16.4.173.107.in-addr.arpa | udp |
| US | 107.173.4.16:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 13.107.253.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.246.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 52.168.117.171:443 | browser.events.data.microsoft.com | tcp |
| US | 52.168.117.171:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 66.229.138.52.in-addr.arpa | udp |
Files
memory/3812-0-0x000000007500E000-0x000000007500F000-memory.dmp
memory/3812-1-0x0000000000E90000-0x0000000000F74000-memory.dmp
memory/3812-2-0x0000000005F70000-0x0000000006514000-memory.dmp
memory/3812-3-0x00000000059C0000-0x0000000005A52000-memory.dmp
memory/3812-5-0x0000000005C30000-0x0000000005CCC000-memory.dmp
memory/3812-6-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3812-4-0x0000000005970000-0x000000000597A000-memory.dmp
memory/3812-7-0x0000000005CF0000-0x0000000005D00000-memory.dmp
memory/3812-8-0x0000000006C90000-0x0000000006C9E000-memory.dmp
memory/3812-9-0x0000000006CD0000-0x0000000006D90000-memory.dmp
memory/4024-14-0x0000000002A10000-0x0000000002A46000-memory.dmp
memory/4024-16-0x00000000053F0000-0x0000000005A18000-memory.dmp
memory/4024-15-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4024-17-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4748-18-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4748-19-0x0000000075000000-0x00000000757B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF9A2.tmp
| MD5 | 166923428686b614a2fc9030a06e9da4 |
| SHA1 | ee3993fdffe5d11f0ac7a3422ef3fedd28a03ee6 |
| SHA256 | c2491db4cdb9e806c60ee47a115fb15c444513480d6fc866412652f7f88bb89f |
| SHA512 | 25397ba66054ff5d6ad1615feb0a58c2807d87f250474f11b744da824f665f96b47dfbbb1509e5685a1c24a15de5e8e6643d29caf6473906f0e8f5bca8fcc2fc |
memory/4024-21-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4748-22-0x0000000005500000-0x0000000005522000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfqkorbr.c0p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4748-34-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4748-24-0x0000000005C50000-0x0000000005CB6000-memory.dmp
memory/4748-44-0x0000000005E70000-0x00000000061C4000-memory.dmp
memory/3276-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3276-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4748-23-0x0000000005BE0000-0x0000000005C46000-memory.dmp
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
| MD5 | e34683e560b0c2a5cddcffe98956ea62 |
| SHA1 | 89a3dc3e4b06a8c4bd94bffc48adac82e620d910 |
| SHA256 | f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054 |
| SHA512 | 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff |
memory/3812-50-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4748-51-0x00000000064B0000-0x00000000064CE000-memory.dmp
memory/4748-100-0x00000000068C0000-0x000000000690C000-memory.dmp
memory/4748-112-0x0000000071430000-0x000000007147C000-memory.dmp
memory/4748-111-0x0000000006A70000-0x0000000006AA2000-memory.dmp
memory/4748-123-0x0000000006AB0000-0x0000000006ACE000-memory.dmp
memory/4024-133-0x00000000075C0000-0x0000000007663000-memory.dmp
memory/4024-122-0x0000000071430000-0x000000007147C000-memory.dmp
memory/4748-134-0x0000000007F30000-0x00000000085AA000-memory.dmp