Analysis Overview
SHA256
f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
Threat Level: Known bad
The file MalwareBazaar.1 was found to be: Known bad.
Malicious Activity Summary
Remcos
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies registry class
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-23 11:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 11:01
Reported
2024-07-23 11:04
Platform
win7-20240708-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{08ACD031-48E3-11EF-B9F0-E28DDE128E91} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000005b466747073e7ea3dcd0912e89058e0a95baebe0de1b0b516120edd7ace2ca84000000000e8000000002000020000000e038bc572660857782d7bffe4f26772e8da90ac386e296f3935ccd1e93524c7f2000000028de13586aaa083584c728791a96b0001065332a7d305b0651d303781e08627a40000000fb03f5facba3a411d47ec4dfce40dcf27ff19db1d4dca3efca3a428efa19248aefb7369c0c6bcbd335b1d57b0210c57225537981dd9234d5f94cecd923adb4ea | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1062d8cfefdcda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427894408" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD94F.tmp"
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DA.tmp"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdyojlk"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\amjqobwlnhm"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\koobpuhfbqejplc"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:472075 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:2438160 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:2110489 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:2110519 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:2044987 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:2110544 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:2045018 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
svchost.exe
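The process list above carries the four behaviours that are worth detecting independently of this sample's hashes: a PowerShell `Add-MpPreference -ExclusionPath` call that whitelists the dropped RAT in Defender, a `schtasks /Create /XML` task defined by a file in %TEMP%, the `Rmc-QBT08L` Run key pointing into AppData\Roaming, and remcos.exe relaunching itself with the NirSoft `/stext` switch to dump recovered browser and mail credentials to a file. Two caveats for anyone turning this into rules: the logged image path is `SysWOW64` while the command line says `System32` (WoW64 file-system redirection of a 32-bit parent), so match on the file name, not the full path; and the `iexplore.exe` launch to the `go.microsoft.com/fwlink` URL with `SHIM_NOVERSION_FOUND` is the .NET Framework runtime-missing shim, so the subsequent learn.microsoft.com and ieonline.microsoft.com traffic is sandbox noise, leaving `107.173.4.16:2404` as the only C2 candidate in the network table. The Python below is an added example written for this editing pass, not part of the sandbox output or of Remcos; the event records are constructed from the command lines and registry writes listed above, the field names are an assumption of this example, and the ATT&CK mappings are the editor's, since the report's own MITRE section is empty.

```python
"""Detection logic for the tradecraft recorded in this report.

Added example; not part of the sandbox output. The events below are
constructed, modelled on the Processes and Signatures sections above.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    kind: str           # "process" (process creation) or "registry" (value set)
    image: str          # full path of the acting process as logged
    cmdline: str = ""   # command line (process events)
    target: str = ""    # registry value path written (registry events)
    value: str = ""     # registry data written (registry events)


# Run key of the analysis user; the SID is the one shown in the report above.
RUN_KEY = r"HKU\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events modelled on this report (field shape is an assumption).
SAMPLE_EVENTS = [
    # 0: Defender exclusion for the dropped RAT. The logged image is SysWOW64 while
    #    the command line says System32 (WoW64 redirection of a 32-bit parent),
    #    so the rule keys on the file name rather than the full path.
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                  r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"'),
    # 1: persistence via a scheduled task defined by an XML file in %TEMP%
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" '
                  r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD94F.tmp"'),
    # 2: Remcos relaunching itself with the NirSoft /stext switch (password dump to file)
    Event("process", r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
          cmdline=r'C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext '
                  r'"C:\Users\Admin\AppData\Local\Temp\xsdyojlk"'),
    # 3: Run key named Rmc-<id> whose value points into AppData\Roaming
    Event("registry", r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
          target=RUN_KEY + r"\Rmc-QBT08L",
          value=r'"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"'),
    # 4-5: benign controls that must not fire
    Event("process", r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'),
    Event("registry", r"C:\Windows\explorer.exe",
          target=RUN_KEY + r"\SecurityHealth",
          value=r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# A path under a user's AppData tree; the RAT copy and its dump files both live there.
USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: Event) -> List[str]:
    """Return the detections (ATT&CK id plus reason) raised by one event."""
    hits: List[str] = []
    if ev.kind == "process":
        exe = basename(ev.image)
        cl = ev.cmdline
        if exe == "powershell.exe" and re.search(r"Add-MpPreference\b.*-ExclusionPath\b", cl, re.I):
            hits.append("T1562.001 Defender exclusion added with Add-MpPreference")
        if exe == "schtasks.exe" and re.search(r"/Create\b", cl, re.I) \
                and re.search(r'/XML\s+"?[^"]*\\Temp\\', cl, re.I):
            hits.append("T1053.005 scheduled task created from an XML file under a Temp directory")
        if re.search(r"\s/stext\s", cl, re.I) and USER_APPDATA.search(ev.image):
            hits.append("T1555 NirSoft-style /stext credential dump launched from AppData")
    elif ev.kind == "registry":
        key_path, _, value_name = ev.target.rpartition("\\")
        if key_path.lower().endswith(r"\currentversion\run"):
            # Low severity on its own: legitimate software also autostarts from AppData.
            if USER_APPDATA.search(ev.value):
                hits.append("T1547.001 Run key launching a binary from AppData")
            # High confidence: the Rmc- value name used by this Remcos sample.
            if value_name.lower().startswith("rmc-"):
                hits.append("T1547.001 Run key name uses the Rmc- prefix seen in this Remcos sample")
    return hits


def scan(events: List[Event]) -> List[List[str]]:
    """Run detect() over every event; result index i corresponds to events[i]."""
    return [detect(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        label = ev.cmdline or ev.target
        print("ALERT" if hits else "ok   ", basename(ev.image), label[:70])
        for h in hits:
            print("      ", h)
```

Run stand-alone it prints one line per constructed event, with the four malicious ones flagged and the two benign controls left alone. The AppData Run-key rule is deliberately kept separate from the `Rmc-` name check so that the generic, noisier signal can be scored low and correlated with the Defender-exclusion or `/stext` detections, while the name match alone is enough to page on.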
Network
| Country | Destination | Domain | Proto |
| US | 107.173.4.16:2404 | | tcp |
| US | 107.173.4.16:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
Files
memory/2168-0-0x00000000742AE000-0x00000000742AF000-memory.dmp
memory/2168-1-0x0000000000D10000-0x0000000000DF4000-memory.dmp
memory/2168-2-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2168-3-0x00000000003C0000-0x00000000003D0000-memory.dmp
memory/2168-4-0x00000000003D0000-0x00000000003DE000-memory.dmp
memory/2168-5-0x0000000005B60000-0x0000000005C20000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 1cc100e418a4b3b7d44b2750ab5c8ab1 |
| SHA1 | 1abec39a8116bd356ba503c48e3eac58686c7db7 |
| SHA256 | 59d2f8c047e779800db2cea970c10dc0c94fc87634f167836ceaf0b9321eb83f |
| SHA512 | befde461816ab3411b48b1db6ff5858083f2c7f259cfc9fcbcee263c52550093cc0e4c0b6428d6722eee5f735e2d38084a46e4c25ff27462e8717f7f7ae39535 |
C:\Users\Admin\AppData\Local\Temp\tmpD94F.tmp
| MD5 | 8183448ee33e63b3225bae0a171696d0 |
| SHA1 | a6c7ce6ac37c62f429e6d29b69829f7a3e27eba6 |
| SHA256 | ae20c7e4f578f9f9d8bc19cf2719289d5552ae6c7fc4dce02a4b756f9f5d4f68 |
| SHA512 | 27bfe1b2ef4bb89db1dff4a035c0ab2092b716962805156cb204478083952386b2f3bebd4fde6652cc5c5a13ac195bf3cb5e2a8324b3fafcd7fc703a52c90f64 |
memory/2676-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2676-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2676-23-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
| MD5 | e34683e560b0c2a5cddcffe98956ea62 |
| SHA1 | 89a3dc3e4b06a8c4bd94bffc48adac82e620d910 |
| SHA256 | f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054 |
| SHA512 | 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff |
memory/2676-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2168-39-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2512-46-0x0000000000060000-0x0000000000144000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 5b5d272532a1e122257cf23d71876e31 |
| SHA1 | 1986a056a23a6049ad4b5ce100cada7f7c248402 |
| SHA256 | 34849067b1191118f73e448a54c4573bba7a42c143454abd74c18fb79e4e5f65 |
| SHA512 | da066f4636831b11d071ac9cba3626f92eb71d04c981967d3eb75a633f2e273c7275bd123dff6582c613319a0dff2a3076f61043f672e74620d572fffb6e6b33 |
memory/1628-79-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-78-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2472-84-0x00000000000D0000-0x00000000001B4000-memory.dmp
memory/2472-86-0x00000000000D0000-0x00000000001B4000-memory.dmp
memory/2472-85-0x00000000000D0000-0x00000000001B4000-memory.dmp
memory/2472-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1628-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1628-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1764-102-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1764-104-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1916-111-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1764-105-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1916-107-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1528-114-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1528-113-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1528-110-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1916-115-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1532-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xsdyojlk
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\Cab204F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar20AF.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6fc0a4d0cfb978e7bd5d27531c71d6e |
| SHA1 | 1b7caaf9fb3a6c714ef4f411190dca32d5cd6902 |
| SHA256 | 6e4a036fe6aea2ff771cfe3877ffb5778aa9164167b7b8291d523433e1acefb7 |
| SHA512 | 1edc6bce7614a29da344d44edaf8aca22e8edd456dc6340caba2a2b3ce71ba016147f27550e74a8ceebb77bca4cc07dff819c85f8bc4f3f61fb51e882b719a58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f513495d25210cf4ab45d733452e2a8 |
| SHA1 | bff93b3380298927a4d8026d8e56764a6408ce47 |
| SHA256 | 1d0d917b8701a19c1b1b31f61686baf75ee6a386ae88917e2fc29d5fce3db314 |
| SHA512 | a8d7c8ca7bbf626079c37c5bd8aa453fa4c94e1fdd66e368606f7e97b3d6a477eb628ccfe7eac328b88dbe37496d79ec801c178f6545f07c419e800efe525288 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 215550f7a491b7bdcdf73b8af2173743 |
| SHA1 | 88562f8a2e5dd42643f591b8a38e79d46a4dcca6 |
| SHA256 | 19ac7b4b1ec1d9fb506eb225f2cb739833111e5f5b69d5f3253d030ee41c5e51 |
| SHA512 | f4fd0ed8ad63569276457ff927f82e98a33cd6fc2172f708c47df2d1c575230145f38e2478403b9709416581d31e7037a3a2285407ab99df3ed6072e812c8ac0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f4616555dc953768c6d7b4f192eeee5c |
| SHA1 | f57b7f679aadd124038284ca78002d3230ad1dcd |
| SHA256 | bf450bad4564b8ec4034dba9c706a0a67ecc066f6fba2fa8bdb38cd17c504a12 |
| SHA512 | 96eb4fcf14eb921037c0fdcbf084bb846c4ea8b7b5b87a1f5900a6a06817d90f9e09d3f48a1b1b780686ac0c095e817b5575887dbb2a7e3f03fba587d831018d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1e5fdf3f3e222796073abf3ed249aed |
| SHA1 | 36df79f27d1d06601680c696bad679e7ce1ea7da |
| SHA256 | 2b9abb8b99678928705242a531a56ae87237c4b4a1471b4fdbc007a5cdb3b58c |
| SHA512 | f9b329b87428e5ee64e91fa6ce34a6b8dda1fab153c67eb3aef07482bf0a1883a5feec2978dab032973ecf75dd0e879721d01d54022d603c0c895a2a6b39d3b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d00de01d4797b9c1eccadd56c5021e99 |
| SHA1 | e5a536d8260d240fe14799034576d6135537ff67 |
| SHA256 | 04388d89fa6b191b68be939b41983ae3d1d3728aedc4e3e30b7bfef0e4cdc8ad |
| SHA512 | 50d886e886046bf8d9f72b90a5a65bcce2ac47a37fb990b74b99ed924633bc7e1504b0d2ba37bc0d1f863001e37a3e649bb5ec4b359c9388dc3d79f1ed090147 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
| MD5 | 78fdcd2c2116e1470a6cc7f64566af5b |
| SHA1 | 5e86daf13b7bfa2bbe008827ca2fd95d3b51f3b1 |
| SHA256 | 75282629e3613769e3efde9adf875d5e398d840828a59386fcf22c1e99eb2354 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-23 11:01
Reported
2024-07-23 11:04
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEF6.tmp"
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15C5.tmp"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\usvxqvboevbfdsdktjqrreiktkkyashlg"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\fmapr"
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\hpgisgwjg"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffd848b46f8,0x7ffd848b4708,0x7ffd848b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13845156052386022624,5773484009339152336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 107.173.4.16:2404 | | tcp |
| US | 8.8.8.8:53 | 16.4.173.107.in-addr.arpa | udp |
| US | 107.173.4.16:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| GB | 95.100.246.21:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.246.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mdec.nelreports.net | udp |
| GB | 92.123.140.33:443 | mdec.nelreports.net | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.9:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 20.189.173.9:443 | browser.events.data.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 13.107.253.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2124-0-0x000000007465E000-0x000000007465F000-memory.dmp
memory/2124-1-0x0000000000B40000-0x0000000000C24000-memory.dmp
memory/2124-2-0x0000000005B50000-0x00000000060F4000-memory.dmp
memory/2124-3-0x0000000005640000-0x00000000056D2000-memory.dmp
memory/2124-4-0x00000000057D0000-0x00000000057DA000-memory.dmp
memory/2124-5-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/2124-6-0x0000000005920000-0x00000000059BC000-memory.dmp
memory/2124-7-0x0000000005AC0000-0x0000000005AD0000-memory.dmp
memory/2124-8-0x0000000005B20000-0x0000000005B2E000-memory.dmp
memory/2124-9-0x0000000006930000-0x00000000069F0000-memory.dmp
memory/1404-14-0x0000000002CC0000-0x0000000002CF6000-memory.dmp
memory/1404-15-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/2108-16-0x0000000005390000-0x00000000059B8000-memory.dmp
memory/1404-17-0x0000000074650000-0x0000000074E00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDEF6.tmp
| MD5 | 354bd03bf64139213abb9cd90b3a2127 |
| SHA1 | 15065f33d706dbca80d6145a623ba82899e935c5 |
| SHA256 | f5af97202eaa73c27ff3eab03cfc61c1bcb96a1caeb6530d736261c58f5b0547 |
| SHA512 | 401787f0a8b9299f7714647e23017476414bc6dbc5591a0739be77371260bb5c95fbb684277b0a8f80d83d56ec3db3bac06d9b267f2ac57223fa48124f8eb1e5 |
memory/1404-19-0x0000000005620000-0x0000000005642000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kosq3xpz.and.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2108-31-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/2108-30-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/1404-29-0x0000000006110000-0x0000000006464000-memory.dmp
memory/1404-44-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4120-46-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
| MD5 | e34683e560b0c2a5cddcffe98956ea62 |
| SHA1 | 89a3dc3e4b06a8c4bd94bffc48adac82e620d910 |
| SHA256 | f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054 |
| SHA512 | 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff |
memory/4120-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2108-22-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/1404-21-0x0000000005FA0000-0x0000000006006000-memory.dmp
memory/1404-20-0x0000000005E80000-0x0000000005EE6000-memory.dmp
memory/2108-80-0x0000000006270000-0x000000000628E000-memory.dmp
memory/2108-100-0x0000000006300000-0x000000000634C000-memory.dmp
memory/2124-99-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/2108-122-0x0000000007460000-0x000000000747E000-memory.dmp
memory/2108-123-0x0000000007480000-0x0000000007523000-memory.dmp
memory/2108-112-0x000000006EC50000-0x000000006EC9C000-memory.dmp
memory/2108-111-0x0000000007420000-0x0000000007452000-memory.dmp
memory/2108-124-0x0000000007C00000-0x000000000827A000-memory.dmp
memory/2108-135-0x00000000075B0000-0x00000000075CA000-memory.dmp
memory/1404-125-0x000000006EC50000-0x000000006EC9C000-memory.dmp
memory/2108-136-0x0000000007630000-0x000000000763A000-memory.dmp
memory/1404-137-0x0000000007B80000-0x0000000007C16000-memory.dmp
memory/1404-138-0x0000000007B00000-0x0000000007B11000-memory.dmp
memory/1404-139-0x0000000007B30000-0x0000000007B3E000-memory.dmp
memory/1404-140-0x0000000007B40000-0x0000000007B54000-memory.dmp
memory/1404-141-0x0000000007C40000-0x0000000007C5A000-memory.dmp
memory/2108-142-0x00000000078D0000-0x00000000078D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/1404-149-0x0000000074650000-0x0000000074E00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1404ebeca245cf540173ad18500b8dbd |
| SHA1 | d9d9086611fdd2453fe9ff6f6cdfc1d40f5550e3 |
| SHA256 | c77405c1baf28023164ace4f090002c815ee1c3be35ba7f96dbf072435776ef1 |
| SHA512 | 043e0d023c60d578bee63a372989a05c1881bee2e8eaa6007ea5902bf479fbfd20f03a4e80a17874a50366b661216eab75bad4408432b2363c7f33cc93ea9254 |
memory/2108-148-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/5076-167-0x0000000005E50000-0x00000000061A4000-memory.dmp
memory/556-176-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4500-180-0x0000000000250000-0x0000000000334000-memory.dmp
memory/556-179-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-175-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5076-183-0x0000000006570000-0x00000000065BC000-memory.dmp
memory/556-184-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-185-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1348-188-0x0000000074F00000-0x0000000074F4C000-memory.dmp
memory/556-198-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1348-208-0x0000000007050000-0x00000000070F3000-memory.dmp
memory/5076-187-0x0000000074F00000-0x0000000074F4C000-memory.dmp
memory/556-186-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5076-209-0x0000000007A40000-0x0000000007A51000-memory.dmp
memory/556-211-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5076-212-0x0000000007A80000-0x0000000007A94000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1c711d8839f7944e76c933d2a8f55a2f |
| SHA1 | f24e295f85a8ed6904bd0fa4b843296a8f41ac68 |
| SHA256 | fea90a208f502f29669d56a3f94adb1ba48e8e23347ebbd9975896947f56e3ae |
| SHA512 | c300b6d40dfb2b3dc7486ca415feb06cbf32b3fe013d30f4618f53f23d478eaf5b40ab84a2e440a5e78d1f8f931e34ac87123c48e5ec14f2a87262a5afa9cd72 |
memory/4736-216-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4044-221-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4044-224-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3904-226-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4736-227-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3904-225-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3904-222-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4736-220-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4044-218-0x0000000000400000-0x0000000000462000-memory.dmp
memory/556-237-0x0000000010000000-0x0000000010019000-memory.dmp
memory/556-238-0x0000000010000000-0x0000000010019000-memory.dmp
memory/556-234-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\usvxqvboevbfdsdktjqrreiktkkyashlg
| MD5 | 71e3611290752b1a114e303d84e3987f |
| SHA1 | 210794023f369235615743c802fce5055961ee6e |
| SHA256 | 5163d0e849d5d39f1e8beb9d13beea8240d532dff6f28433522148628007af06 |
| SHA512 | d0235dd58f9038009e44c4847535f2bb652f093418fdfd890c01b4b9d8981df3a31e4a89f9099c226becbfe8541015d60f6b852165241d08cb8795d93dd2eb09 |
memory/556-239-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7f37f119665df6beaa925337bbff0e84 |
| SHA1 | c2601d11f8aa77e12ab3508479cbf20c27cbd865 |
| SHA256 | 1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027 |
| SHA512 | 8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817 |
\??\pipe\LOCAL\crashpad_4312_BTIFFHIJGMLXFASM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d406f3135e11b0a0829109c1090a41dc |
| SHA1 | 810f00e803c17274f9af074fc6c47849ad6e873e |
| SHA256 | 91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4 |
| SHA512 | 2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 69ee627e2f087d929ce0c3b485ff2ba4 |
| SHA1 | 60070cec6ad0281b1c119fe2df1d8450ca85c8e6 |
| SHA256 | 7510ac92d95d733ef56d069d1aee20f0b28d28d56c2ea49b396e8a7f3eddabf4 |
| SHA512 | 1bc13fc508a93e86ce9a49c381653566ad9841d71fbf7a88f79f53bbc710cc939a8433554c4a0092f5b3de0b3f0a697122e9b42db2135511190d9524970b9e02 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/556-310-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-311-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b0d698de50af3582d7879672b412a56f |
| SHA1 | 6724c4441f35578decafa2a996c4b95b776b19bb |
| SHA256 | 7b472714d25733a8599773b2829a221cf0d11f9d645fdc673cd52efabda19a4e |
| SHA512 | 633d214ae550c7904376791f23f6b6f6037c17853847b275e5322d0fcd9f4137cad18af15249534c2667e119e78efe28550290ebc5abff2d2da29ba65b337a7a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fa4392185214e417a70c09c9b61a5ed5 |
| SHA1 | 423172566f9e10b586cc573caf8600c96cbd6ba4 |
| SHA256 | 661686cbc54b5e9a5500fe348bacd08848de5040e9ed26146d93ea9c7dfd9d20 |
| SHA512 | 4c58301dc8632b0f4d064c34bd6aa7748658ac538f0253407b4010f1f481674a8d29519965248bafedcfb5b941bd458bb745ccba3d73f25ebe7b3519007224fb |
memory/4532-328-0x0000000000C70000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 709cf93cedff980c9190c67f7bc7677f |
| SHA1 | 27106a9fe6bc33fecb8d87437a904a5067082b08 |
| SHA256 | 3d25ae7d318d2a93520163e83f6fd03adbb205dbd560877d6a8b22ad0fe2cf54 |
| SHA512 | d3600e4ab69d4de2f37ae06abaad937e2da98bf82b4c3dea8b47e1295a6736a30c993578fc692dfaf129a5edf0d96c3c25b684f86c87087761bf9b129f81fd6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587b65.TMP
| MD5 | 7f9fbc278cae3cb6f895a40ffe24e5b8 |
| SHA1 | 75a29bed42dca491a973ee52d463709d8e58993d |
| SHA256 | 568693127c877532f3686bf0021b5a6b6c493f5be5c2c2f9e172811732165f86 |
| SHA512 | 357cacf0e6b1c48c477015418a7df77b7bbb3286bef1f066d2df2d02686e9029b2e9fea5388536f971ab0fbbfd711064189000d20b71805f839066c35dfc795e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8fbbed0a17711ba12d6a020879b9f55e |
| SHA1 | d77b361025b25337f2216c2ed8f28349f085da7f |
| SHA256 | 2a8ad3d15945617bb8ea7ac35c0cd23596e0a5854606daaf8e6b90ee30de0157 |
| SHA512 | 7b328d6dfa6b5fa294144edba0779353f0b8970cf3918b5f7589bf4c4a5c4d63cbd973d7a71cb8584af16e790a93ce6ff11ad64f42acce9d4c4b19a4f8a28732 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | e51f388b62281af5b4a9193cce419941 |
| SHA1 | 364f3d737462b7fd063107fe2c580fdb9781a45a |
| SHA256 | 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c |
| SHA512 | 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | f57bd672fe614986d4123ee65ef4f1df |
| SHA1 | 2cc726dbf325b3a303602098110a3a0906c03ba1 |
| SHA256 | 6b26decf834976a09886a7af692ab99d01936cb8e9367803053f29eddf13ab3d |
| SHA512 | a1df656360c2f18b3043e48be62c3fbee2c55b66cbd8c2b29e42065071549a1a52ea6a26d55581d7088b075bed2aedaf2d3a0d7985ebf59f488394854c907495 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
| MD5 | c74489f38af9c35da06e303efdd81bf8 |
| SHA1 | 0b6fe1b83b0e67e9494854ed3340b9f2048ce868 |
| SHA256 | 82de249fcefe94d3c9ef4ea1c7e79964db15c77da30f06fbdf838ede96d01342 |
| SHA512 | b187cdae13496a6a727ae9387f95dba488cd9e9a2c370913c5d58630c9c46e13483c4f943d13710288b02e5a27a4c81faf6014be77c36606f2c522f675551c94 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 63c35f2b03afd6f49ce397af057d8b62 |
| SHA1 | a774cb5bb994665701c05a95387c14816a98ecc3 |
| SHA256 | ab87b1b3dddef062db66a5775b95d1d796bc7f1ba502aa06513c372ac5ba6f00 |
| SHA512 | f030f522de2d6e431c9a8c1ee05e8f81dc10357ab0f3336ca618b2a7655ec7d86ce3ab38f3d4152c8727ca7f854f635b7b3ef669874f1bc6651dcf2764d98b7b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 522037f008e03c9448ae0aaaf09e93cb |
| SHA1 | 8a32997eab79246beed5a37db0c92fbfb006bef2 |
| SHA256 | 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7 |
| SHA512 | 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 34504ed4414852e907ecc19528c2a9f0 |
| SHA1 | 0694ca8841b146adcaf21c84dedc1b14e0a70646 |
| SHA256 | c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810 |
| SHA512 | 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 240c4cc15d9fd65405bb642ab81be615 |
| SHA1 | 5a66783fe5dd932082f40811ae0769526874bfd3 |
| SHA256 | 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07 |
| SHA512 | 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 870b357c3bae1178740236d64790e444 |
| SHA1 | 5fa06435d0ecf28cbd005773f8c335c44d7df522 |
| SHA256 | 0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e |
| SHA512 | 7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169 |
memory/5836-423-0x0000000000270000-0x0000000000354000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 29f0b8f2c2ebb69d6a78ea721962ba63 |
| SHA1 | b49709c5e2ca3a1c6f4ed98bdae0344853e7c0c5 |
| SHA256 | 730279026fd61f03f547939db8efa0b22bbac8ee221ab8d122838e69251ea35b |
| SHA512 | cadce84052db714ba652a609dae7246c4944708135418970f6c8b21a6a4b6d740b399adb17598744c866174676c7a760ae6e0f309f58eb8fc25d90c33818c405 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 630f113af3e8b9726a315d4f151fb4d7 |
| SHA1 | 7ae9b4fcc38d39b14f2b5d7f4aa96807240c90f8 |
| SHA256 | 10a07bac441a5c0b92ead7f7469cf319e2dce3c572934600be984335ac1edf4a |
| SHA512 | 8aa4e6ae6055fcae64bbe0c34c79ce4d009dcc44a7220e3f8b9f407ceef499b122570aafd08db1d340155a5048c29baa2d133f15137132561bc61a2e443f5579 |
memory/556-482-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-483-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5672-516-0x0000000000AA0000-0x0000000000B84000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3c9b01bf1d0b6db5_0
| MD5 | 97797c68179f3b9f80e118f864ad5498 |
| SHA1 | dba53d55f7d57140ac3353f9cd0374e9ba036379 |
| SHA256 | 7273627fd89c3523abe92bb57b1cf04d5ad5c77b9a6d7b171f50da69d5ef14fb |
| SHA512 | 05fe07c9f4c454ea0399d1c56533177512109cec99286e0e1e08df1050650b61b67eea8648b3877758696ef203478f45111202da4d97df9e8754e6b61c3a29d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e0f9943d7863cf59_0
| MD5 | 7a97652ead288ddff49209c0f4bafdab |
| SHA1 | 171e59d9ae437bc9fd8895bb017d8abe988d02f3 |
| SHA256 | fa7f18566d1359f006d6a8e9406868867fa0a3827bd0c6810961ea50d16279f5 |
| SHA512 | 081a4bb868c6ef736a8a8a35d950ccbc375b2a1eb21cd8d345b3acf710fce03886a04932ccfb3996ffd6a457272102a2cb74b48a66266ae9c88fc73a713e4bcb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6fed1a1199331f15_0
| MD5 | 7de03aa1657c3c160fff6a13a38bc34c |
| SHA1 | ab4bb8e651b7e1c9018a1c83672ca7e5fabf6ec1 |
| SHA256 | da11bb6d33fd25a04d2b0f170daa6eff245313f8496678c848e13802cdfaf9ea |
| SHA512 | bf0d40b186213b57b8fe42ef0f3397291c917c021c984bad5e157bd7eede39d5c3c8b46f80edee30ccd6e0bc8a5ddf7f389d5db695e8229517f02b7afca88839 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f144b8109a4c08cf_0
| MD5 | a76c5870e8604f64f5900c1b1e6b3c79 |
| SHA1 | 6d8ae7619435508474be3e42e463aec783325f7f |
| SHA256 | c2fbf6847e10b5511715d658d99af6de22caa14aea3becb78df9affe8d3f25f6 |
| SHA512 | 2bb461ee9b121570c0b6ac902d74ae66601d845c73f9c5ce178604b993157fe8a6482203f4db93541dfb684d3daf619a5fbd04f8cca194daffa78991147b74eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0
| MD5 | b3a8e82cc5fb947c9ee6738346dfaa56 |
| SHA1 | 7af568b9cf675b9ac75fe72d0f964664124cf803 |
| SHA256 | b2221cbfb850fad7f800c551a8050d1df8bc1e7f6608cffad8e9020478dc0edd |
| SHA512 | ce44195473045b53bebf28821d30ba176309196f28f2b65cad312b304ad0369c2c608d31df69262c79c7723541c679a817315e9173ab374c483783dbe5081b60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\51ade59614febef1_0
| MD5 | 0a236b07d5ec40a685b4b04701dc58c4 |
| SHA1 | 84b898383627b110a41241321ec129050d4ab556 |
| SHA256 | 684db17e5c1640522d987aa35a404684f34bba071cf8ea86d2586f2a669edf2a |
| SHA512 | 802af076d4831888fb7e66aa5bdb9f67721735277e23920f7fd6457c258761e245c7d60177aa473947946f419dd01fd7ef37a7975599c2b31bce02fd3245895e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0
| MD5 | b14f22fc28fb3863a15acf1f9401b9f1 |
| SHA1 | a641f170703f467abbbd530f4c5599852f7cd4d9 |
| SHA256 | b1394253661f136ac45df1e6a8b3b55d14f62978af2e6388a595ed5371586ad8 |
| SHA512 | dbe45deb87d0c616cca754200f1425fb82d21433c1f4147b55e8c4d6bb4800b724c772ab801e8cf2ff55d14e382533efe25e0b95a8a532aa94600dda43450c46 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\abd015d7ae735422_0
| MD5 | 7a3492f53e4a91490cd9a45555e764e2 |
| SHA1 | 9f3f90d3790e5c00eb91c0a94d74a9aa4e5bbe60 |
| SHA256 | 776678febdd16a01c6d8e929d91e74863d2491f8166fe59b9878dbb9edbaaa18 |
| SHA512 | 93db3d63dd4e51ac89f288cbff5a098359d5e67520dfcee08e987c1110963875123c0ffe7120db2efbe9dec628b21ce03132778c995cc30ebb999f14e1f14e2c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0
| MD5 | 9dafcbb796f8f4e6a920b7bd1535c6ed |
| SHA1 | 2388a8f4a31cc36faa49394585c5d3086f3936cd |
| SHA256 | 5697e295a526d42f077d208475fff86525506bca2d50337ae17cb7c4937a5240 |
| SHA512 | ea88b4900f76495b784a70e21687ac783a9d7c21537782ceb782d747052f14ffc4f1a33f5b2c0090a98917d42fd85ec0c725a8b0c81ef8ba78a3c259102c96ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | dc6aac21398010c6efa2e12798a41362 |
| SHA1 | 615d68929c409554f3267e1771022f1913d741ac |
| SHA256 | 392a78c0c63fe2519edf021363e0c08e8629375d4c7cd00336426837a485d2a8 |
| SHA512 | e93e1f65cfc9e69bf2ac7339f926315d8925e201633d9da289edf9a87454ae6569bb165ec7d6f5faf3c8402c9a7a5750769df86dd981bfbf351b5088060ea900 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d916242cad805920b630c454d23b3146 |
| SHA1 | 71b9372cca6525ced910ac33ea567469b0ea0786 |
| SHA256 | c243a5dc2818fb64aae0effcb14693e39c1d4b920b985bd2fa06c2975d9192eb |
| SHA512 | 6ab1da614bfcdb472213c896ed15ccd7db601127604a88557aab6957e8d1071183f497d2448a778816a41cb323d894356f1dfdcd427537d18568340f6c89a160 |
memory/5744-613-0x0000000000C30000-0x0000000000D14000-memory.dmp
memory/556-646-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-645-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3b18d2b69c435ba975342bef19525d5b |
| SHA1 | 6aab84aa7052958cb4b602006931b4ff179140a3 |
| SHA256 | ead74f069b82fb79ba741ede95792f974f45abff7d71290781d9ca9475492cea |
| SHA512 | 2a26a99dc87f155e248b238ecfa378489ad41a197ee56fc8eb01cba5597221b80031738462b7d155836a5aa9b1d9432afcc258e812fedbd3aec767dc9ca5da9d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 594e907eecf579b770e5503f3e4a8b2b |
| SHA1 | ce49a0e9c655fba6fd923947c8989541115b7e4e |
| SHA256 | 4927bef71d41f854c476d074b56c5a23e836010d75f13b068d459ba949223456 |
| SHA512 | 2302b02ef0313e3146aca2d13d35f4f4050578edfde9b9ee51f4c9ec0ed15bca9e7e43234816faa275670b85ebf4e59986b8c8a3bb93f16181754003d9741b19 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 05592d6b429a6209d372dba7629ce97c |
| SHA1 | b4d45e956e3ec9651d4e1e045b887c7ccbdde326 |
| SHA256 | 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd |
| SHA512 | caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ff2da1f27123b9e8a0e22b3ad2d86d13 |
| SHA1 | 77c78d6a004ab01157340fd4f0e677ce100119f7 |
| SHA256 | f932cc17013fc4585c97498d7253724e54a3b3d459227844fb95c954c891e773 |
| SHA512 | 6f42cd179c9bf461edeeb84c157cb870ac1589e1f4879247bb67d1f889f27b9884d15a92672413dec5ce88cbd13f2ce5dab68898f6b1064e3275c128f753744a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4d6491aec458ceead7d3507e46257efa |
| SHA1 | 5a529378d45f89bbfdc1327bfbadd49101521cfb |
| SHA256 | 6ee1015ac90aed56e414f79cd3165ccf3ff6f0e73d32c9fd7b013f637829abf7 |
| SHA512 | a767d3606ac8055f96f5f721397134755e90cfca9f12a7eb25daf67332ce4de89544c13a25fe2496680150f9b1bfdca9a5dcd85cb456b0ac814d6093c56fae7e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3467049a8cadbe51701e27d6651e5279 |
| SHA1 | ac7a8b53f474937f7c8d215cd524e16f378c4912 |
| SHA256 | 77dce910fbf4c0dedc2a3b921f3fd80eef29c2bc9ecd4e4f5468c00d1022af7b |
| SHA512 | 72021f3507a51ac483f751b7a0cab39ba1ab4d984f5d92484c5aae23d7821a4a20151af51a850115317bb0abbcb388c5ffe960cb71a59795ced95ce55b6c2a86 |
memory/3196-738-0x0000000000800000-0x00000000008E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5fca0cb75b2f4f835faee75b56762f27 |
| SHA1 | 6cc5154b9c07977af11cda19d6ccf40f9ad0b5c3 |
| SHA256 | abd9ee4e07738996dbc1a97a3874a15dedf675ef5037bb0708c68e3562668e69 |
| SHA512 | a39cf63aef3f18ab5b2efe5cbbfc4ecf5cca3cc15a16d6d373e3b8155aa20a36a314e570a557297bec8a87d2769f4798204cf9ba14a0c12f95c49afd73fee8f4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 95fee8b0dcf45ec96180676d84039ea3 |
| SHA1 | 18f913753d0944bf11d6cae99659053a286a678b |
| SHA256 | 75819d4c5e2b5e39c7df487b2307d808f074378462db228c9a9c487abe518a6c |
| SHA512 | faa239e20eba865faf069c76eae6c3c7951e364eaa6fe1e1ff0727d9c52c5ffcbe887e37c0bb4aad6ca9ca7f81fcf85c2a712fa12cfacae007e8f83bd510b9db |
memory/556-828-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-827-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5284-830-0x0000000000B00000-0x0000000000BE4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2414d20fb31ee432a14e8ec126507580 |
| SHA1 | 05e28cd3d2a0af71680621c3e52c9f2cfe946b47 |
| SHA256 | e77a5429b802459cded4965d3f3f8d77615262b4e2a05360a8cd35adfc094f1c |
| SHA512 | a6dadbd32a2a3c1f3243b06f006d08492923acf5bdd7546afc8dc96a63862cb74cc4fe1767393a23e8925ed5ba295cb5a963f3ad422b42fe59e696153ed7df62 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 208ff2cca0b5ffe88950eba1dd8ca44e |
| SHA1 | 91ed542f66e2528431ac77229e8cf0fadeb61ad1 |
| SHA256 | a5c19a013e9a9fdc59bed85d48a63c650960afde210587747e9d024973986192 |
| SHA512 | 03de528006a21affe476b3eb59f5d33074c7a2e3fa303f2d062dfcd80c656bc3b55c6f99eaa6ef5d297a396a418580c8db05f7004dfedc98f3c57b4864284613 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8f920723df05cf2e39a2bae0545aa4ba |
| SHA1 | d6e0a44037241025ff10118e1d4aa6579f246b14 |
| SHA256 | 4bc99d8e69ba155b8045273b170c06db6f4ac76beb34b636f8ef922a1926b93d |
| SHA512 | 1cc3fd362cb91324326b83fa6a49b86bbaac33d063ffe68d225c374245dbf54dd3703e783ade24e608d769c6a9028f274a243a74aa9c06d7715ad96feaf95948 |
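The listing above interleaves two record shapes: a dropped or modified file path followed by a four-row hash table, and a memory-dump entry of the form memory/PID-sequence-start-end. When triaging a report like this one it helps to turn that text into structured records, flag entries whose digests are those of zero bytes (the crashpad named pipe above carries exactly the empty-input MD5/SHA-1/SHA-256/SHA-512 values, so no content was captured from it), sanity-check hex lengths per algorithm, and group dump regions by PID so repeated regions such as 0x400000-0x482000 in PID 556 stand out. The Python below is an added example written for this page, not code from the sandbox or from the report; its input is a constructed excerpt of the lines above, and the names `parse_artifacts`, `hash_lengths_ok`, `is_empty_content`, `regions_by_pid` and `summarize` are chosen here.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of the report's file/memory listing, kept in its own layout.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\usvxqvboevbfdsdktjqrreiktkkyashlg
| MD5 | 71e3611290752b1a114e303d84e3987f |
| SHA1 | 210794023f369235615743c802fce5055961ee6e |
| SHA256 | 5163d0e849d5d39f1e8beb9d13beea8240d532dff6f28433522148628007af06 |
| SHA512 | d0235dd58f9038009e44c4847535f2bb652f093418fdfd890c01b4b9d8981df3a31e4a89f9099c226becbfe8541015d60f6b852165241d08cb8795d93dd2eb09 |
memory/556-239-0x0000000000400000-0x0000000000482000-memory.dmp
memory/556-237-0x0000000010000000-0x0000000010019000-memory.dmp
memory/5076-209-0x0000000007A40000-0x0000000007A51000-memory.dmp
\??\pipe\LOCAL\crashpad_4312_BTIFFHIJGMLXFASM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes, computed rather than hard-coded so the comparison is exact.
EMPTY_DIGEST = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


@dataclass
class FileArtifact:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_artifacts(text: str):
    """Split the listing into file records (path + hash rows) and memory-dump records."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a hash row after a dump entry would be malformed
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current.hashes[h[1]] = h[2].lower()
            continue
        # Anything else is a path; NT object paths such as \??\pipe\... are kept as-is.
        current = FileArtifact(path=line)
        files.append(current)
    return files, dumps


def hash_lengths_ok(art: FileArtifact) -> bool:
    """Each digest must have the hex length its algorithm produces (catches truncation)."""
    return bool(art.hashes) and all(len(v) == HEX_LEN[k] for k, v in art.hashes.items())


def is_empty_content(art: FileArtifact) -> bool:
    """True when every listed digest is the digest of zero bytes, i.e. nothing was captured."""
    return bool(art.hashes) and all(v == EMPTY_DIGEST[k] for k, v in art.hashes.items())


def regions_by_pid(dumps) -> dict:
    """Collapse repeated dumps of the same region into one (start, end) pair per PID."""
    out = defaultdict(set)
    for d in dumps:
        out[d.pid].add((d.start, d.end))
    return dict(out)


def summarize(files, dumps) -> str:
    lines = []
    for f in files:
        tag = " (empty content)" if is_empty_content(f) else ""
        lines.append(f"{f.path}{tag}  sha256={f.hashes.get('SHA256', '?')}")
    for pid, regs in sorted(regions_by_pid(dumps).items()):
        spans = ", ".join(f"0x{s:X}-0x{e:X} ({e - s} bytes)" for s, e in sorted(regs))
        lines.append(f"pid {pid}: {spans}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed_files, parsed_dumps = parse_artifacts(SAMPLE)
    print(summarize(parsed_files, parsed_dumps))
```

Run it against the full listing by pasting the report's lines into `SAMPLE` or reading them from a file; the empty-content check is the one worth keeping in a triage script, since a hash table of all-empty digests is a captured handle, not a payload, and should not be promoted to an IOC.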