Malware Analysis Report

2025-01-02 03:23

Sample ID 240723-kw9mdayckl
Target f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
SHA256 f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
Tags
remcos 2404 collection execution persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054

Threat Level: Known bad

The file f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054 was found to be: Known bad.

Malicious Activity Summary

remcos 2404 collection execution persistence rat spyware stealer

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 08:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 08:58

Reported

2024-07-23 09:00

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3660 set thread context of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 1984 set thread context of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 set thread context of 3396 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 set thread context of 4884 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 set thread context of 2428 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 set thread context of 3592 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 set thread context of 5292 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 set thread context of 3860 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 set thread context of 6112 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 set thread context of 5788 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 set thread context of 5860 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 set thread context of 1508 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\schtasks.exe
PID 3660 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\schtasks.exe
PID 3660 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\schtasks.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 3660 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 1580 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1580 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1580 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1984 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 952 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 952 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe

"C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0D8.tmp"

C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe

"C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2788.tmp"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nrqjskmqhlrgzbt"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ylwctdxkvtjtkhpcpn"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\anbutvimjbbymvdggyesy"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\anbutvimjbbymvdggyesy"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xbc,0x110,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa09a546f8,0x7ffa09a54708,0x7ffa09a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9217435343960451226,18344653490934688632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 107.173.4.16:2404 tcp
US 8.8.8.8:53 16.4.173.107.in-addr.arpa udp
US 107.173.4.16:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.246.100.95.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 13.89.178.27:443 browser.events.data.microsoft.com tcp
US 13.89.178.27:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 learn.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/3660-0-0x000000007440E000-0x000000007440F000-memory.dmp

memory/3660-1-0x00000000007E0000-0x00000000008C4000-memory.dmp

memory/3660-2-0x0000000005820000-0x0000000005DC4000-memory.dmp

memory/3660-3-0x0000000005310000-0x00000000053A2000-memory.dmp

memory/3660-4-0x00000000052D0000-0x00000000052DA000-memory.dmp

memory/3660-5-0x00000000055C0000-0x000000000565C000-memory.dmp

memory/3660-6-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/3660-7-0x0000000005660000-0x0000000005670000-memory.dmp

memory/3660-8-0x00000000056B0000-0x00000000056BE000-memory.dmp

memory/3660-9-0x0000000006790000-0x0000000006850000-memory.dmp

memory/2616-14-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

memory/2616-16-0x0000000005680000-0x0000000005CA8000-memory.dmp

memory/2616-15-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2616-17-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2616-18-0x0000000005320000-0x0000000005342000-memory.dmp

memory/2616-19-0x00000000054C0000-0x0000000005526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF0D8.tmp

MD5 df4f9cd770035811ec78f9e2b1805e21
SHA1 47d9d6fd1355db19cf0fd3a35d6726ed9d70a594
SHA256 412e07f4b09a0c7d3399f3d773d423802b64346a974b104985b830d9ec225052
SHA512 14cb8fde5dfee5bb1e2b574e4143b23f716c7964de22a9164c769c93274bace2644575cbb3d3631cb2b0f9cf1c343695f76222af89fa267318d6a69824e538dd

memory/800-21-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2616-20-0x0000000005530000-0x0000000005596000-memory.dmp

memory/2616-24-0x0000000005DB0000-0x0000000006104000-memory.dmp

memory/800-26-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5urmue2.kbi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2616-25-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/1580-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1580-46-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 e34683e560b0c2a5cddcffe98956ea62
SHA1 89a3dc3e4b06a8c4bd94bffc48adac82e620d910
SHA256 f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
SHA512 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff

memory/800-23-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/3660-50-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/800-99-0x0000000006320000-0x000000000633E000-memory.dmp

memory/800-100-0x00000000068C0000-0x000000000690C000-memory.dmp

memory/800-111-0x0000000007320000-0x0000000007352000-memory.dmp

memory/2616-113-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/800-112-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/800-132-0x0000000006880000-0x000000000689E000-memory.dmp

memory/800-133-0x0000000007560000-0x0000000007603000-memory.dmp

memory/2616-135-0x00000000076F0000-0x000000000770A000-memory.dmp

memory/2616-134-0x0000000007D40000-0x00000000083BA000-memory.dmp

memory/800-136-0x00000000076B0000-0x00000000076BA000-memory.dmp

memory/800-137-0x00000000078C0000-0x0000000007956000-memory.dmp

memory/800-138-0x0000000007840000-0x0000000007851000-memory.dmp

memory/800-139-0x0000000007870000-0x000000000787E000-memory.dmp

memory/2616-140-0x0000000007950000-0x0000000007964000-memory.dmp

memory/800-141-0x0000000007980000-0x000000000799A000-memory.dmp

memory/800-142-0x0000000007960000-0x0000000007968000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 402425678d22e6d1e86bd8135516f27b
SHA1 c496a2b93779e40ebd7c2500a68201d302509447
SHA256 77a2f281bcfa04771bbbbebd799c090f016913b3a6dbfe9a179becce24fa92d9
SHA512 83d2d580264bd8d87301990a3d4eaa4c72ceca52cf07d996ebf3c9ff640009368a3f8099d891960690e14c8b427dceddbaddcc403816414be8eb8b405ff593df

memory/2616-149-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/800-148-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/3388-152-0x0000000005A80000-0x0000000005DD4000-memory.dmp

memory/952-165-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-164-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3396-179-0x0000000000CC0000-0x0000000000DA4000-memory.dmp

memory/3388-181-0x00000000066F0000-0x000000000673C000-memory.dmp

memory/952-183-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-182-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-185-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-184-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3388-186-0x00000000708E0000-0x000000007092C000-memory.dmp

memory/3388-197-0x0000000007370000-0x0000000007413000-memory.dmp

memory/4504-196-0x00000000708E0000-0x000000007092C000-memory.dmp

memory/952-208-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4504-209-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/3388-210-0x00000000076A0000-0x00000000076B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34199e2098b6e85fc77857cdbcbc37bb
SHA1 2fe9fa075c3ab6c40de0170126385aa5c327f20a
SHA256 4ed3c58a84b6a9e2e58e9675c2793bfed648359fb32815ea3c7ef19f9c29ef56
SHA512 f2495972cf29a0f1c4bbb7ffdfc0a973657dd887a2ce78d49d814be03792cd6399121d354b4d9a10a35773cd79e635a09ccc7cd959480cc9a8f0757866e1d05a

memory/3592-225-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2428-229-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3592-224-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3592-222-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4884-220-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4884-217-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2428-219-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2428-216-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4884-214-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nrqjskmqhlrgzbt

MD5 883af97f5f6dddc6f8cb495b841ec9ae
SHA1 225c3118ce7f9c747b891548fc637f41975bc8d0
SHA256 fcb197376fc607f9493ea0460ecac86ca5ae8973120894c6f8353b67e28995d9
SHA512 8ae27cb74d4d3641a3ac7dca2bbf9f8d4b89a012fb723ced33db319d24bde80e90293c0f10d2713fd024ce800f57bafd3e6d1feb4cde973eea56f4c581052b23

memory/952-232-0x0000000010000000-0x0000000010019000-memory.dmp

memory/952-235-0x0000000010000000-0x0000000010019000-memory.dmp

memory/952-236-0x0000000010000000-0x0000000010019000-memory.dmp

memory/952-237-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 10fa19df148444a77ceec60cabd2ce21
SHA1 685b599c497668166ede4945d8885d204fd8d70f
SHA256 c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b
SHA512 3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

\??\pipe\LOCAL\crashpad_1632_DKJNIJCUMZFMAZQK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/952-255-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 75c9f57baeefeecd6c184627de951c1e
SHA1 52e0468e13cbfc9f15fc62cc27ce14367a996cff
SHA256 648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f
SHA512 c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

memory/952-256-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9c73013457c449a054d5fb0de9a93847
SHA1 9b99cb6d623f49177845815bb061770c6dbef7aa
SHA256 6bbb25af9d1d41617fc779cdc3c645dde50046d7d62dd9a1ec6034fe4cb283b3
SHA512 6e006904854286f510d725be002a59eee9b49341a25af796a092144d31c8c7a777fe2f8503ca39c7a19dfdc8a6e8464e7bf3c88c96416396ced7fa5430a437e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9c131ff52e80f1851eec7a807221d320
SHA1 5912277af99c4dd645ebfad8735a61c6a7e99e1e
SHA256 b5771fcf60652fe483ba6ea265db73ccd40e412b410b226f909bf6716f8431e0
SHA512 c6c6f6d9ade86b5e45d80a7164528d395871c87d3f3eee66cbe5d7bed85f8421e1ff0d9541a1506eeb1b2f2143f0facda53cf79913a7121c1fc8547476d5bab3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b40365fbcb7e767096151dfe56545ff6
SHA1 fa2285dbee4c3bb8a3c3478fd3ec118832087e58
SHA256 cc85306732505432b75d4ebb941ed7c5fb2140629d9f379e5e5428d785af6501
SHA512 bda489760a368446d35f3bf540594d87f935b68e572b2ddd3854531c41845c2728a6dec79af6fa0a5291f91f97283ca74a1089b9a06254fe31f253ce42e3779c

memory/5292-327-0x0000000000C90000-0x0000000000D74000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d7806dcdb670e0d4c3894367154491b0
SHA1 42656715d4e4b67ac1ac6af42035e4fdbb6387f4
SHA256 8a744972f25cf6c3cd2e53a9baefa316ea52b22f3fa8404150e824f8486f6548
SHA512 f6328b6f833e5fd98aa943a10287f897a32afd0be06ffc5699facb2908b341c4a24dddfb1eadee7a28e1babac741485d0979fb5bca77085033ce324fa1fbfaf4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d82604e6b99fa9ae8b07b5babc4fedb7
SHA1 6e95a1d6a3229ae282adc48a4a4bd4a5cf589b32
SHA256 98f9a5f2e3af8267e0e95290731812ba7be48413389b4d93f0207ce12b7b0dbd
SHA512 d63d4a60ca272db900034c8e30148c48812881d55850bff372f302da5c8251a81d75c7accc6fdfb6b9da2131bda931d7e40f1cb6b80453f2ff22b676d7842d42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589054.TMP

MD5 5d196776a2291e61ae0eb8bcd3ce0ba5
SHA1 2fb60ecf7a4fd18d8f423863e1fc17c25c919189
SHA256 a974773b9129b38ff2229cc8a1db172209275821b32108bcebd537e671580ca0
SHA512 e2631543b7fea8a4b15a9b9fec564bd68ffdfcd6c4254eefa0675466091eb9f8ea36e5f9827ffad070a381112478aa1bb095cc1fcd698627995a2ba913b0e947

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 f57bd672fe614986d4123ee65ef4f1df
SHA1 2cc726dbf325b3a303602098110a3a0906c03ba1
SHA256 6b26decf834976a09886a7af692ab99d01936cb8e9367803053f29eddf13ab3d
SHA512 a1df656360c2f18b3043e48be62c3fbee2c55b66cbd8c2b29e42065071549a1a52ea6a26d55581d7088b075bed2aedaf2d3a0d7985ebf59f488394854c907495

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 c74489f38af9c35da06e303efdd81bf8
SHA1 0b6fe1b83b0e67e9494854ed3340b9f2048ce868
SHA256 82de249fcefe94d3c9ef4ea1c7e79964db15c77da30f06fbdf838ede96d01342
SHA512 b187cdae13496a6a727ae9387f95dba488cd9e9a2c370913c5d58630c9c46e13483c4f943d13710288b02e5a27a4c81faf6014be77c36606f2c522f675551c94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 63c35f2b03afd6f49ce397af057d8b62
SHA1 a774cb5bb994665701c05a95387c14816a98ecc3
SHA256 ab87b1b3dddef062db66a5775b95d1d796bc7f1ba502aa06513c372ac5ba6f00
SHA512 f030f522de2d6e431c9a8c1ee05e8f81dc10357ab0f3336ca618b2a7655ec7d86ce3ab38f3d4152c8727ca7f854f635b7b3ef669874f1bc6651dcf2764d98b7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 870b357c3bae1178740236d64790e444
SHA1 5fa06435d0ecf28cbd005773f8c335c44d7df522
SHA256 0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e
SHA512 7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

memory/952-422-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-423-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3860-424-0x0000000000600000-0x00000000006E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3df8acad2a0620788b36510a251a51b5
SHA1 17ac9113c46d02b3f99ea1d4e1df7002209cde7c
SHA256 5f58f099f2a4267d09ceb9145e31f2ee3f3f1a0316ac36c3d9e8bd9dd9cfd4ff
SHA512 954720bef49312c6fefe6b0a92c1122ab188546fdb7b79d2d496b66b85790ed7efbf0a8184f5ef96e47bc3849a99872fce1a405321e19313e32dffeef178a7ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9596a962b27c9b1d28d5d038405e17d8
SHA1 b43bd8d595dbd812f2c54dc52804bf48291ae36a
SHA256 d84c6538eb26c88ddc8e8422fbb1f328460ac947e145cfe28f7736f1ebb3cabc
SHA512 f7a200906e239cec86c7bcfff6d2ac89201ce8e0ed6bf2ddf1b3396af16a7347d47aacf863aadc6b5d52d8310abefc55de78d2848dfa018c33223321a7266dda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\298f9fbeff1adc5e_0

MD5 24fa119c446b0a92b8aa700c57c40b71
SHA1 1b4294d23e07d04ef3ebdc39bb7b2386096805d0
SHA256 c8550d91dd4fd2d821f228e9c1b9dd160400cc05ae9e37c7765086ac5e8865d9
SHA512 8447a507c3e1590cd6ab150e620ecd3138a102919a597b35064f57c831f44571e49eb3f8ca6c17166c81094cdb3a237f628198d56c1d14027aad88e243f6a567

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6fed1a1199331f15_0

MD5 c50bac1902d13a84fa5cb626ba80ea20
SHA1 bb79da70ff9332aea7907dcbe55640771f422b7f
SHA256 a36b07bd575e3139cd6c918cdf8e185aa9107018566b898c91f5f58e835ead57
SHA512 97bb0c10e54c7023c800db5ba0367cdce2e23e7e11278675699e9379f49532fa93366a05fc6e7524d1b57211b00a6db5148949308ca95e4f84109e962c378784

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b677dd40e200a484_0

MD5 9eab4e547bed9b71ddf63dfe635d0c2f
SHA1 1896b19c1f95434cb5e1af2a09d2e75798912d08
SHA256 c0bf563daa655182ac7ff40e35810323b28ba7e2fd922f4a94a99eaabcadc539
SHA512 ba9e1b6d25ecad28861ef6f1f466a07444650be4349577b7017dd4ac9dbba0c71300732e3db3ed895eb3138954c779fed4a0ae74edc038da790273cfba89d7ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3c9b01bf1d0b6db5_0

MD5 81e2115683e7b39b12157d955c2469df
SHA1 afdbd85a4346c9de080223502b77468553e22ead
SHA256 8ff3bbd7f8de1b703141b032430e7a57f33e682ab6fa3a8c88ef6821167d838b
SHA512 354d17c95cb26af63e7fc06e811540a3e0028b56f90d003b18bf4c7a992bfce030aa90b93c7fde205b7e9c6a7a7023068bb39e4935b47a10618906a1a23ac7d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f433402ef42482f0_0

MD5 42d0d8e55607c37b034c83c555465edf
SHA1 b978a425d4d5ddd79496e70dfaec57b3b9960ef8
SHA256 e674627a0ffe7468847d1009ea321579e965e6637df7702870ff05d2d42c707e
SHA512 ce10f3df11c2f0ab29af4be9a8eec088dd44c83742ecb490f8517a981210ba0bd771016ddadbac4ae60f3985668bb5256fd0a83e06ef69acbaeee3bca881ade2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

MD5 d297e3ed695efe17e6c617bd9de0d358
SHA1 5ba6d59d6a9d8ae980b6d2eee615316d71304a64
SHA256 16f634d2e8b86bac16e51e1c2492ad91e1d9049489dd67abaf05264213a56245
SHA512 d687f6dd4436ecd8378b3d5ca3bc10c437b7636064162c8ed56019115a76a5ceba976b6fd8ff12a5569d86591defb25fe72fc7c27573674f581dadb677614cc9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

MD5 69fddc9ac8d533b43a0834c80ded0d23
SHA1 f62d3ac322b74164c8d59ddbf3b283863713718a
SHA256 daba4f0b40968e9972a57f5a508b025e66de463fc331be3712d46219792ac886
SHA512 5d2a7acb814f4888187e975f2d5db2c4838005e779b904042ea8a54082acda7cd6b856a82f2864aeaeadd6dabf6c4235164a23caf2de98e0002c1a7bc0b12a25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bd90f31ea43c3a3b_0

MD5 fe1e4498384e9da0dc6f43f26497303f
SHA1 a5e168b1f303d6928e8fe128506cced48ca13eef
SHA256 ddb56f5310008fe209d2d64b73f9b90f98691c89647022aa9179e091d3d51a5c
SHA512 b9b43fc4a1f61644120a056b4a792d7e7823c4e9d4e83e90951564cd427319e15430cd67b5c64d7c90f52d50360f1507470e360ea8a180b3a17cf9d390599789

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

MD5 c73dc1a1ac3b4e7106d88409c5b2c263
SHA1 8f5b931e52c02b74f16d8f49d2d2c50f7d74cea2
SHA256 f44b8fdecaefa647742d193e8c82e3962918764af99f124e566bf4d850607ee4
SHA512 48e6f078112605a72820d5255c1092bcd4ab65ba31cb3deabd4d07997fb0e3155e574555c508e498df505a6446034bdd81aa751d8df906c76a642323e5d11c49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 17e0e84a9046c5d1169fb68f60630af6
SHA1 3010a498f6cb64f27ed7b5331258b0a305ac4217
SHA256 19e2cb465a170c8b96eb56e8cdffb6eeef41242cc7b8ccc0203d644a9aac08ef
SHA512 6de5cb82cb092c45822f2965dbe6c3313e9cc9699c79524191766a40c9370d6f5b5ca32d8f6091561f67d573398e07931d1647402b7ad6b12769966164e9a14d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a3cf7f18bb6b0b9089ae60c0e54e2e50
SHA1 ba75aaa9db0277d0d8baeb11b4b642027508043d
SHA256 043722e2c56ae6d069a30a99969346e07186872657a5b0de4c175a72bbdf4969
SHA512 d0dee56f2791fcc989ac282bad6d4ff3440f97e93c6e1800d07bd0899c799f19a4faa662196a44a1ae008f50b33a7c4178e4ea51b30ef586b46af0f95e1d08e8

memory/952-581-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-582-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5788-614-0x0000000000620000-0x0000000000704000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 52395e8d4bcfc9825c03ba8ef538be01
SHA1 a4a04d7e9cbddc0414ece756b348fc471780eec6
SHA256 a95c6143b1304cca1beff099b24008599a6ae336a310d5eb5524ed6a9d7d032c
SHA512 6124f21487f7f0226f1486b3f6784d5449aa35f7460e79d0407d3740c4e9cc8aa211b2d2677943c8c1be8dd17dc8926110c7383bbdad2ba2d9f1144d1be999e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 18bb4bd470060dac6c6d0bbaa2ec13d0
SHA1 d962b2a09e2069ad1bdbc8827891c526ca77b720
SHA256 50e7dcd9f9755bbca4d63f2851fa7f834046cab2a4794c080d0cd6738c404856
SHA512 7d454a4a4cd2b3dd1fc56e69dae59d264aac1697b5da2bf812db93e77e99332bce6398c39b910288ec2a702028fb4487dca3b9d6f4834a1d65637a247d7dfb7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81becda07b2d381bc6b5334b8758819a
SHA1 2ce962710c95b21c74720734ed60459a9fd10f42
SHA256 1b5fa0fd6d228fafb047e8113acb306b268d8364d7ee77582cb114047a630c7b
SHA512 9fe0a5f2baf325421b26df7b8a54db18d7aaa99a0a27b8c8d90b1253062c506bc5d46556918af2b35fa703b962b6f631402ee06654b0362a7b8af172b59c8b16

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 eee8fe5d338daedcdc675096e3cbb585
SHA1 6f85cf6b0b3c840f7b6bd926c816d46609f347aa
SHA256 ab623e7680aeb2b0693b6e84f02b95e8eff568f2f63dfb1394d3ee05fa2fe4b6
SHA512 3e87c77100b8f970f454fde204fa14fb1994338f45ac9cfdc3ce6dc5c9a1c6673ae8eed079d637617cd6a6d3b6784deac3f9562544dbcc90e3721887dc0b4263

memory/5860-737-0x0000000000800000-0x00000000008E4000-memory.dmp

memory/952-768-0x0000000000400000-0x0000000000482000-memory.dmp

memory/952-769-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 721b3f4d9a651fc046a90b79b21f6980
SHA1 6ecc81617fe61b8136053856fd773ae8419dce42
SHA256 98455ce93304d3ba8c5c1719c85148d0f493ee5472827228880fa1e1fba93333
SHA512 963c454130c521cf5f0c5aa9e6153c7811d88c321daee3cbc99938300253bae0728a3c4e579ffc7a837309d3e201fa13fef9fc7d0dd7e22e3cfc2631a67fd98e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9e427af884829179a3a3e945904bb4bf
SHA1 b77fc83639aee64cea07a59e3fe6848ac57316e8
SHA256 96505f92f82781d75e622eb1d0a4c91aea2aec50aeb88777613f86545903d1da
SHA512 c567374b9f4692a9605180e1a2a01cdf03c2312fe2c2c33468584e70c8a73dccf76e524597375bc071526b31f6c2f496a8c60e9376136b20fd8779dbf2682440

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5d5819e3db8c92dae33aeb4e3cdec073
SHA1 251fc05a5d77b25236a5ce271bf4d90a37f46518
SHA256 3745e2777af779ceb57383979f19b47546b6b7ebbb9ea0b3f65300823ba846ee
SHA512 307e25bf7392676f3c229377d2e1eca30e11361b759a3fd134f80aa2e3542330e52bf323d30b4aba22d07725113bb9a03d7e96ed8b4bbe3784ade1364ca88b0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a04320ab472262bf905d897acc25c463
SHA1 a6c6c5e3dcb8e8235c1a53804bea794e3b72ede2
SHA256 1b047852671e8d15dfe042db459720a401df7dede713f37c3c728be579c95be4
SHA512 f634918e7a228546985c6b6df6047931bf68db0a99f9f38a809f6694cdeda2ba4cca65835714ac4bfa88df9066cab7c9c50f559f9721f63d5ab58b7a56369fa6

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 08:58

Reported

2024-07-23 09:00

Platform

win11-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2408 set thread context of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 1188 set thread context of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 set thread context of 3540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 2648 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 set thread context of 4404 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 set thread context of 1696 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 set thread context of 1940 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 5196 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 1084 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 5652 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 5728 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 976 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 5744 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 3104 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 set thread context of 7116 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 2408 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe
PID 1620 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1620 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1620 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1188 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 3408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3408 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3540 wrote to memory of 2400 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3540 wrote to memory of 2400 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2400 wrote to memory of 3572 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe

"C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD37C.tmp"

C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe

"C:\Users\Admin\AppData\Local\Temp\f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FA.tmp"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\vufceq"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ywkuxisas"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\irqnybdtgznt"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0xa0,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0xc8,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff8df43cb8,0x7fff8df43cc8,0x7fff8df43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6783013406391222342,6068377861666688270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 107.173.4.16:2404 tcp
US 107.173.4.16:2404 tcp
NL 178.237.33.50:80 geoplugin.net tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 20.189.173.10:443 browser.events.data.microsoft.com tcp
US 20.189.173.10:443 browser.events.data.microsoft.com tcp
US 20.189.173.10:443 browser.events.data.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 13.107.253.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp

Files

memory/2408-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

memory/2408-1-0x00000000003A0000-0x0000000000484000-memory.dmp

memory/2408-2-0x00000000055E0000-0x0000000005B86000-memory.dmp

memory/2408-3-0x0000000004F20000-0x0000000004FB2000-memory.dmp

memory/2408-4-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

memory/2408-5-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/2408-6-0x0000000005290000-0x000000000532C000-memory.dmp

memory/2408-7-0x0000000005450000-0x0000000005460000-memory.dmp

memory/2408-8-0x00000000055D0000-0x00000000055DE000-memory.dmp

memory/2408-9-0x00000000062C0000-0x0000000006380000-memory.dmp

memory/4884-14-0x0000000002710000-0x0000000002746000-memory.dmp

memory/4884-16-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/4884-15-0x0000000005120000-0x000000000574A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD37C.tmp

MD5 860c4733a83ad15d626467955774d803
SHA1 a97f27d3935240726a6d3a1f5455a19ed0501b54
SHA256 57cfdba92b6b0d44abde5b2ddca27b8a9e198dafa6beed2d573d34767d4337b7
SHA512 83bc9c759b11c9bba8e7cfa6fdfa67b6fcc7d4bb313c9616816701d7d8e616ee02ef9c6ad18970aff1371c40185d54ef1547b7f44f1a3b941ce5730866508e0b

memory/4884-17-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/1616-19-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/1616-20-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/4884-28-0x00000000059A0000-0x0000000005A06000-memory.dmp

memory/4884-26-0x0000000005790000-0x00000000057B2000-memory.dmp

memory/4884-29-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/1620-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4884-34-0x0000000005A20000-0x0000000005D77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qslfojwl.eqg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2408-33-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/1616-31-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/4884-27-0x0000000005930000-0x0000000005996000-memory.dmp

memory/1620-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-21-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 e34683e560b0c2a5cddcffe98956ea62
SHA1 89a3dc3e4b06a8c4bd94bffc48adac82e620d910
SHA256 f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
SHA512 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff

memory/4884-99-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/4884-100-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/1620-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1616-112-0x00000000067E0000-0x0000000006814000-memory.dmp

memory/1616-122-0x0000000006820000-0x000000000683E000-memory.dmp

memory/1616-113-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/1616-123-0x0000000007270000-0x0000000007314000-memory.dmp

memory/1616-125-0x0000000007340000-0x000000000735A000-memory.dmp

memory/1616-124-0x0000000007C40000-0x00000000082BA000-memory.dmp

memory/4884-126-0x00000000704E0000-0x000000007052C000-memory.dmp

memory/1616-135-0x00000000075D0000-0x00000000075DA000-memory.dmp

memory/1616-136-0x00000000077E0000-0x0000000007876000-memory.dmp

memory/1616-137-0x0000000007760000-0x0000000007771000-memory.dmp

memory/1616-138-0x0000000007790000-0x000000000779E000-memory.dmp

memory/1616-139-0x00000000077A0000-0x00000000077B5000-memory.dmp

memory/1616-140-0x00000000078A0000-0x00000000078BA000-memory.dmp

memory/1616-141-0x0000000007890000-0x0000000007898000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 976544b7e7eb721efa246da54e23d84d
SHA1 0c6af23c51d001906072cf7b8c1c6ea606c9208d
SHA256 9793db6240812dd81c17b25893755450dda3399398270cfc7d604e428a0b42ed
SHA512 1e701eca1774a3558e313c70632147e12ba94ffecff455b1ad2946ded7393c1ed7767bb3d01c22c9ba55204dc438d6fc59216f59e4efb9bb93191d30d91188b9

memory/1616-147-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/4884-148-0x0000000074E40000-0x00000000755F1000-memory.dmp

memory/3408-162-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-166-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-163-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3540-168-0x0000000000A00000-0x0000000000AE4000-memory.dmp

memory/3332-161-0x00000000063A0000-0x00000000066F7000-memory.dmp

memory/3332-178-0x0000000006EA0000-0x0000000006EEC000-memory.dmp

memory/3408-179-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-180-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-181-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-182-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3332-192-0x0000000007B60000-0x0000000007C04000-memory.dmp

memory/3332-183-0x00000000756F0000-0x000000007573C000-memory.dmp

memory/1220-195-0x00000000756F0000-0x000000007573C000-memory.dmp

memory/3408-194-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3332-204-0x0000000007E60000-0x0000000007E71000-memory.dmp

memory/3332-205-0x0000000007EA0000-0x0000000007EB5000-memory.dmp

memory/2648-206-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2648-208-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4404-213-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2648-212-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1696-220-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1696-219-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1696-217-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4404-211-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4404-209-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4373244356b142888a4c45226bc56108
SHA1 d419fd98f524ea6aa7376c6ab5184a6ce3017004
SHA256 1a52fe2484624081d9f7978d9c4941c4803d612c7760202599be71d31121c9c4
SHA512 312896e1a34d930322a981d2ff3dff47be74256dc90cc64406008df4ccb4f275beec4b110b84a4e7cc5a5049972460b0bfe75a152071f02adfbc2e2c2c44b52b

memory/3408-230-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3408-229-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3408-231-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-226-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vufceq

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 562b59fd3a3527ef4e850775b15d0836
SHA1 ffd14d901f78138fc2eece97c5e258b251bc6752
SHA256 0a64863cb40f9d3b13a7b768b62e8b4707dfee1d3e86a07e999acb87bd7d3430
SHA512 ef9fd3d83ab85b18cf0e0d17e2c7d71936f783e3ae38005e5c78742560332f88be7c4c936d4dc4179e93fde0240d2882d71ef7038289c8cbddbfc4790c0603c2

\??\pipe\LOCAL\crashpad_2400_TZJETGSHOEZGYDRI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c1ff2a88b65e524450bf7c721960d7db
SHA1 382c798fcd7782c424d93262d79e625fcb5f84aa
SHA256 2d12365f3666f6e398456f0c441317bc8ad3e7b089feacc14756e2ae87379409
SHA512 f19c08edf1416435a7628064d85f89c643c248d0979ece629b882f600956f0d8cd93efbe253fa3ec61ad205233a8804807600f845e53e5ed8949290b80fe42d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dbf81aa0b2a9b9fe0e0ffa56fe25bf99
SHA1 44929934f4469d521c6ca7d7002f5837748f39b7
SHA256 01d25dbf84884c1747906cf73ee3c6a2cb77a10aa38ae12eed5b1160ca40f8c6
SHA512 b83587730c89f33138404e701fe73af9c3fe9ba22738207863a5af558169ef1afcb5028544e40a1553831babc76f8a47d3f924e2fe578147def53de03ec90b79

memory/3408-254-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-255-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1940-281-0x0000000000E40000-0x0000000000F24000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e8ebb942b593fe298f92dc177d3bd4a6
SHA1 43301a9c08eab5bb7823d185295b6ff8822d2f82
SHA256 b8f0d9c781daca89596fac874e7413731cc5d15249ec5243b44162a09161d56a
SHA512 845a153c6f1e568b669e3b92c15a68938dd6f357c184f2626afaff82e5a15905cd48df061730729674e0efd687960b17db566bb21fb4010640b726c0efa7ac48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 378697ed146b0a138791b503541b8d9b
SHA1 b12e98089702972a599e4a665dc1bbb38f1553f5
SHA256 b9e7b775039537de61a9194d3bd4d9da5a6c72ba5269af50580c43da492ca9ef
SHA512 d1ca924809f20b885a566e5736e549b8f87c364d1de9f9ba3ad1f0479250b035b246ea3cac852820790734187444bb58ca7ca574aff7c69dfc62580f279bda64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 c74489f38af9c35da06e303efdd81bf8
SHA1 0b6fe1b83b0e67e9494854ed3340b9f2048ce868
SHA256 82de249fcefe94d3c9ef4ea1c7e79964db15c77da30f06fbdf838ede96d01342
SHA512 b187cdae13496a6a727ae9387f95dba488cd9e9a2c370913c5d58630c9c46e13483c4f943d13710288b02e5a27a4c81faf6014be77c36606f2c522f675551c94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 f57bd672fe614986d4123ee65ef4f1df
SHA1 2cc726dbf325b3a303602098110a3a0906c03ba1
SHA256 6b26decf834976a09886a7af692ab99d01936cb8e9367803053f29eddf13ab3d
SHA512 a1df656360c2f18b3043e48be62c3fbee2c55b66cbd8c2b29e42065071549a1a52ea6a26d55581d7088b075bed2aedaf2d3a0d7985ebf59f488394854c907495

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 63c35f2b03afd6f49ce397af057d8b62
SHA1 a774cb5bb994665701c05a95387c14816a98ecc3
SHA256 ab87b1b3dddef062db66a5775b95d1d796bc7f1ba502aa06513c372ac5ba6f00
SHA512 f030f522de2d6e431c9a8c1ee05e8f81dc10357ab0f3336ca618b2a7655ec7d86ce3ab38f3d4152c8727ca7f854f635b7b3ef669874f1bc6651dcf2764d98b7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 870b357c3bae1178740236d64790e444
SHA1 5fa06435d0ecf28cbd005773f8c335c44d7df522
SHA256 0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e
SHA512 7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

memory/5196-377-0x0000000000C00000-0x0000000000CE4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2ba4e23f0db7f0ff46c9d4a02d21f1e4
SHA1 16a6d871f3eb9e716f52b23a443fb2e0785c6011
SHA256 29bb14825bc00ca0370a064ef7fc12ca490b62f6547db1726c6971fc1735fee1
SHA512 abf25308ae5d10d7f60801976b48a58aeaf16b7241e084f1f28a8f39f003727d1143d9198479090b21866716c1f31508f9ccb4a0359543559f6765c39d5491ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 da057460d3dfda07b9d921fc6ae6de74
SHA1 4c69941a6a354e4182b5b3fdc0e79849d802fdef
SHA256 7b2fa3f25371d7871c9ca8e7d63b68f13b7635d5ff52346a3fad50ce61c46cbf
SHA512 0952408920e84c7f4f801e7753b35122fed96318838acac664e5d42a43d15a68a137243ba8413f5a0cc81bfd7ed2e6dbbb87cddce6e4b3c2894a905059e5ac30

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586b38.TMP

MD5 ef42e7362930d49a3883838598171b1d
SHA1 f189e49804b3252fff4970ae7c5ba9ffcda27664
SHA256 47cc28db5f3c5e715c5a3c9d96756b785d90bcb97d2a7a66318eda7656168112
SHA512 46b5be090a48d8ee2e3cc85aa21f66bf9f2376c8b6f0f4a305b58411306b03f1396a60e79b3e24ddb70f37c77c90c65b3de15b071ca2308e754a9119fb9d3264

memory/1084-467-0x0000000000430000-0x0000000000514000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\169cd09137c3a4a4_0

MD5 a60aa6657fd9dfdf4176628bfb025dcf
SHA1 728de0deabda319e074e3c32f10561e44e694923
SHA256 5c46d4ca5ac5425ca30c5025c1eb7a5b5cc70fe6001c12cc990c4f94f1789613
SHA512 8bf47b37255f01cdd4a56501bc555b4c6f23c9a0ed268199e53efb188e07311a5a1ae6e7e5be5d7a2f99b991f7c1f4f4fe9bdbe36f960c1481540783b46aa5b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6fed1a1199331f15_0

MD5 39e8e1cfc52cba91ec87c818baf3d5c3
SHA1 8714f8e30d6d5a219527bccdfecf75e7bbf820c0
SHA256 a659cc3cce599e315c732fada34f86325ccdd0fa062fcf2310be57563c7155ee
SHA512 40fec934cab63f057f7a754b34260fd5e0ab41011021ae6fe8a04f21aa390a228329e859b9d05280feb1db19ec8e664acbb7edce181379dd94ef65ee44deb89b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3c9b01bf1d0b6db5_0

MD5 80d1278ad91b19167581385b0e64b1e9
SHA1 d056da008a9c358efa5dc151de143437640e33e5
SHA256 d23f10f92267cefecf93f1a9ee7a87fbda15dc31e5d5bf04f8a025f5f83f60b0
SHA512 35e7f0e384825c748e4ba17fe3a3f7bf3dc06a87f6353b883e817afcdd7f55db263d26946e9ea25d6e02c21c6cd69fff9deae667f85b21bdc6a178f9cabf38f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a56b86a76c0eb692_0

MD5 d65e3a3fb424f45c3b013c376c262535
SHA1 17591da46dc477337e506b56d7e3830e14e70510
SHA256 8b2532a6f058fed9352a0fe1faeded4058f1e7eaec36182fafb34d175b9440c9
SHA512 055f42d28b16acff514974e6841568f5bd11d5105ea05f427572fe710675b193973148b930524d1bba096befb5d4fed5b048cfb3e59dc056601939de3c541387

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8c8f10070fb7a9d0_0

MD5 dd59e5dcf693aef097f96baf601dafa1
SHA1 ba97342bdc84b7f7c720312c999bd1dfe01e5a82
SHA256 21ce266c32e3377d45926acfd2bcbb703980608c2a7dc6a80297e5e31fd0b90d
SHA512 4ec822ee41e30df3f3681e64b54c44e87b71600282d8cd51e127cb9a7c23a9db8b8645444a14c9c287075d827afd08ae46baeee38b9cacfc443fceef164978da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

MD5 c20641a922c6a56931414430d190e7e5
SHA1 9097cc55534fc8d86b73398fa885e7784b013351
SHA256 f930af97752b8010894053f9de533ed98f15ea0acea5e8ec9f921275dd0e836f
SHA512 6a9904805d56f37aeb152094da28e8b38d4b3ad474b1ba307876025bc6c89373407142af8e7e9a126bd085bbc7175441f691d0559496864a0fd41af40565a667

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

MD5 aa0503100f9223f06ac2478f4e31d385
SHA1 1f14abd888fc1b65b6709219c0eb389fadef2ee1
SHA256 67f612bcb24f7d17d2bb1596e9d2de174b8482ba359f4f86da036bef352b3791
SHA512 dd559235461db4b4496c8fb4eba01051a53f67ff6fea8859d203a1c858522c457cff58e5afdf2865f6c4c4e27fed37faf98a7a25a957eda42ef9ba468c4b6a26

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

MD5 60d2183b9c5c72c344d38d39386af89c
SHA1 2b1e99dadeaa1b39caef586a37da391d7441ead3
SHA256 8e82d55454667e783b53e17875a61fa5a680fdf69399fc25f1629524f49358fa
SHA512 002cd816f88c5272efe97f766edd2e62a298da05f200f3f68a9bf2e8d130f1b0223c07e73332ba2dfb7177aa5627565eeca326d3ad4de17620f9e7e4dcd2923a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d331811ead64ae6f_0

MD5 62a43ae787c1ff3ac1e79278db4bb05a
SHA1 3c70f15d6eac8dc2a85f8179b300689d9c4710f9
SHA256 b30071a169602deb0b62ed9ad51a6fbe0356d1fcd3363cf4545763162a3698f6
SHA512 6a8eeafab91302bb36bb84d0deaf60c9a5c185ee0a1d60732d73804f2b3be27b8a070977d34e2e81ce91d16465c1560bd11bcfa7e967413500bedc03726abff4

memory/3408-500-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-499-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 54b8029f93b285e7dea84ee3f27d6eaa
SHA1 a36854203d6129691d9d6b1d6c7346087d9cc1f7
SHA256 d26fa14a3ec0efed022a14ea3351f6fa008fc57fa5b720f304ebc9aec206c9f5
SHA512 a097e739e2cc161eda5995d44addf40d2a8690d39843a4ad0774591d0ec94eac76219e5e573d421e5d234f65b8fc6828c614a05b7e861820d0c59c67dc300a5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 73f258fba38cf69230fc4d6a7ce8c4b4
SHA1 37b230a41599d924f5f27d42c54dc3c32e9b783c
SHA256 56f7801ca4c83d83abe4db1a3659f66da70d87776a7cca3413b80b721c1728ef
SHA512 2659d1f8991babc1c0a5e9ab2088164aabf8b1584b774b229088ec74c576480f473a60b99be7302c29d198aa8341c4030df16e2a5ee2662be9600fc3a9d3c2ac

memory/5652-560-0x0000000001200000-0x00000000012E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 42d0266b0a616ea894f57b1b5532a840
SHA1 250018053b14c4afd4c4c3c676d3a7f8ed886652
SHA256 57b9fd8fa85223e04fddd4b66cff165623aad73ea2dbd99b6925a5442ede1f81
SHA512 53b1779f97cd3e1a3bc42bdddfcf9cd8d0b65fe28c132b139f50a84920e5abb1d50892decdec358938686e166727393ca8a47d47898bce19421f86522fe5a77e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 af3a9266bb599d4f79a734e802718ed1
SHA1 6ec04ab5a19324d6e65629b652cec6ebf3047d2d
SHA256 a932f0525390a197b9ea4a01e36623e8c12e3e64bffe49a927ba8289cbd8e2de
SHA512 20247fb7b78e4196275e408f8cac93ef37ba973d76a05d863183fa062f99108f948cdc60fdd7d61614f4bb28adb52601f994d5fae0ef41523f5cae30f64abe8d

memory/5728-656-0x0000000001240000-0x0000000001324000-memory.dmp

memory/3408-681-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-682-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bb8ba9f2bd19fb7cd219bee8d41f2fc3
SHA1 9a2e316bf39969736beab8358987becbf17d551d
SHA256 de0dfafc2733d6734056949461b79a79fb358d1da4f426e4c771877ff6d5c422
SHA512 4aeb0b46452662f058cce7bc5b6983adf75cda4eb2fe86d2aa549b9442f7369d1b26c8deb63e8b3769841ac357053cb581d5b35e0548ec97bfa1182ae8e57904

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4aff99a6ede716c0304cecc694e41701
SHA1 026c79ca25ae48e49ccfdc56fdec63c019556080
SHA256 9794aa1e2a485e429427e3f736a0abc0f880eef234c1f8d557c89664ef305a70
SHA512 a18471275ed9d32ed0e733673ce2fdb0729a0053a1a0ee0b6a4beeebb675b68da8f28d812822e030031327d632b62f2c225d613b486ca9b54ac80975cd71dfee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 19f854f133fbb12aeb856c07ccefb046
SHA1 f1fee68a0f601b70903f9d2c5dac353aca32a23d
SHA256 930067d39c71908816f5ee19af07b17c6955a6dc53b719a8e57082a912c6aaef
SHA512 990f357a777d7886fadbc8e55dd161e3406a28ab6dbb0f01f6eef7894a9acad83de821728e85aa52a684a2f72ae172ededf9fdc09f7eaa5af6fb5e163aa2f898

memory/976-753-0x0000000000600000-0x00000000006E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8e770176f6d408ce9c2ea219fc935fde
SHA1 8ff9ade2855ba12a570af7c397814d58f88fdce4
SHA256 0a48d997c10b27d2d64c53bfc782796c7d07db7a0d4f89c401d70ece9ffca9a3
SHA512 799f4e478845d02412f4c687708e42e769d536e35aa93c8657dc5ac97453a5995c3bbe1f0795f59d1109dc3a2fbc83fa3a4463e62729ff14b56443c533359de8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 401b6a3e2e37c2fffb2b1605b6d16f7b
SHA1 ca45818856f8977fc321a394688cce2a300b3fcf
SHA256 93fc98646f55a57b04307fa61dc2f93422e22adb404444727f44287c1ea4faf2
SHA512 d67849e6b44cb4f5a7f3284e50aaa95844190e2fdb994b59c68c92728d412698b703d06b56bdcfb62fe18daba41095566077aceeba3f615c3e5e731589e53e96

memory/5744-843-0x0000000000410000-0x00000000004F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 28ed9afd69382df50584abceac27d384
SHA1 597a2b7de36b0e9dd78a02154915820c45f3e689
SHA256 334b42f61288ad9ed4698e9f8850d42fed9b8e28a702ba5672917a433b3d8cf8
SHA512 5bed39e0a22520ce26e75893d3d1097421bd8ac7e633924c242c586b920ffca94af62266e6b3744077e64c390bb24d91f9bc6fc99bd4b41035d4d6952eab18de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1ea7828b1a1e83a67904b5f3a02e9a9b
SHA1 e66589c4f6791d87714e38a20ba8d4dad3df8a0a
SHA256 96faae447596701bce631eab3444e0e79c2df86cfb282e51928fdd9aacc0f602
SHA512 b0a30e368e9e2852ce0d3cf8b86b99637a58dfc02e0a600c99d62b23378c690e007f288c6abaffd719b81e7d1298db8acbcc335bb93742aee7769ea8fb2ecccb

memory/3408-901-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3408-902-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c613f68ef07f1dc5655d6002cf168946
SHA1 9ea7ac7c9fc5907fd3a9df8dec6143a4c5c1cf6a
SHA256 03a0079dab13f1518a88ec15aadd9adada1bd0a75e053eb2b97974fc29d556d6
SHA512 40e6083815b2fb97e78850e4b458844918f3ff9aa5043929469cc673e181fa809e3d929180a184f01cfe44e6d8c3feff212ac3bd8c7189f934008417a3b9153a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 92411066946f0984fc02166e4d9dd271
SHA1 b916462b11f6523ad46b49cf8956e1e71a3d0830
SHA256 296f3d37a3c4beefa6b7a6dfdd334d348e9af46def6aaa05f3a6a28c12480774
SHA512 04b9523c169ee58765032ac11eca5e2efa087b37405bbb016206153118d8d6efc575b89590995fca93f339dff0f3afad6038724eac5cc213ee9c1cc96896b424

memory/7116-1022-0x0000000000800000-0x00000000008E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9228f44cb7fdb7f037fc7448807e1dd5
SHA1 e89a307b4b968e4e8090c4ad7deda54765d9ec51
SHA256 7d05a4efc05dcf3fe8b1a9f15189100cff244f64295304ef482828fb83192651
SHA512 074b8cdb25949c0d50ecfaa0dec0a682a16ac1109fa97a1bf421453e93f0ec89caa0010f556fe58ee8f72ab791310920736a3938de798591f4469fdebf7a4332

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 be62b948b1b7a96f72607480fc22ccb1
SHA1 1c108feab38e07e3afd3cdb480f42ce721c8e0b5
SHA256 44a4e03123add27321ce1faa5c6fba13f4f47815848f2fa5eb8c82659c3ad818
SHA512 192c4ffc58c67f7a56278566007a4ded2022170934463ec8590bf24162944ce6472f8cf14f070550b127a925e4cd49ac5a2a984f0b686eb7859f3cb4fd6d2ee3