Malware Analysis Report

2024-12-07 22:15

Sample ID 240809-3ly21aveln
Target 8400ac59c05641bb26fd40e2236a20df_JaffaCakes118
SHA256 d0dde0ce53f187ed39096c8f44d89ad1afabe101156e03ce4a92f0021e74007a
Tags remcos remotehost discovery persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0dde0ce53f187ed39096c8f44d89ad1afabe101156e03ce4a92f0021e74007a

Threat Level: Known bad

The file 8400ac59c05641bb26fd40e2236a20df_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery persistence rat

Remcos

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 23:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 23:36

Reported

2024-08-09 23:39

Platform

win7-20240704-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 2888 set thread context of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 1112 set thread context of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 2748 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 1516 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 1796 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 2104 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 848 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 2696 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 set thread context of 1800 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000af28e48800bbe421eaccb087d4382b4f7b136674269ee09d7855a63d5c91faec000000000e800000000200002000000047c9e68bac980a489cb75ce47ab46aea979fe9012bfab9b2faa453cc8b9f9cb920000000ab2631b5b81420c830938d5e75cb74869bb6eafe19900e00a26f41d302ca890d4000000048a3548a0a6e0c66df92234d2a69afbb738f1f830dba121c6211668973809dc0906f7d1ffee9283ec0d67dab9abac63ab9608c4174e0e28b9168e85984872049 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429408539" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64BBC341-56A8-11EF-8E00-526249468C57} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904de92fb5eada01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 1976 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe
PID 2760 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2760 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3000 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2636 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2636 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2636 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 2888 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1212 wrote to memory of 1244 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1212 wrote to memory of 1244 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1212 wrote to memory of 1244 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1212 wrote to memory of 1244 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1112 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1244 wrote to memory of 2132 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1244 wrote to memory of 2132 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1244 wrote to memory of 2132 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1244 wrote to memory of 2132 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

"{path}"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275471 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275493 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:406567 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:799767 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:1258523 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 sandshoe.myfirewall.org udp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
GB 95.100.246.21:443 learn.microsoft.com tcp
GB 95.100.246.21:443 learn.microsoft.com tcp

Files

memory/1976-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/1976-1-0x0000000000030000-0x00000000000D0000-memory.dmp

memory/1976-2-0x0000000074CA0000-0x000000007538E000-memory.dmp

memory/1976-3-0x0000000000320000-0x0000000000332000-memory.dmp

memory/1976-4-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/1976-5-0x0000000074CA0000-0x000000007538E000-memory.dmp

memory/1976-6-0x00000000046B0000-0x00000000046FA000-memory.dmp

memory/2760-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2760-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2760-21-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1976-20-0x0000000074CA0000-0x000000007538E000-memory.dmp

memory/2760-24-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 19a866a859bf53960e0838991626b634
SHA1 068d247b78fcef6c5fdcd06a69479c1852d72b66
SHA256 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7
SHA512 9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

MD5 8400ac59c05641bb26fd40e2236a20df
SHA1 8540cb6c0edd6f63d177e06e67f14a5e89cc8aba
SHA256 d0dde0ce53f187ed39096c8f44d89ad1afabe101156e03ce4a92f0021e74007a
SHA512 b0b7dbb7282ea12793293d5790c26ada1c0225df524fe7b7f168890f35f82cbef06126cb38f064ecb70f440cb7e2838a284bd3ec4817ba7baeb99aff2bdf47f6

memory/2888-29-0x0000000000E10000-0x0000000000EB0000-memory.dmp

memory/2888-30-0x0000000000960000-0x0000000000972000-memory.dmp

memory/1112-50-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1112-47-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1112-46-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1112-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1212-63-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1212-64-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1212-62-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1212-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1212-59-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1212-57-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1212-55-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1212-53-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1580-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1580-76-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1580-75-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB888.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB927.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8c97ab31e82df1af84096dd0d4a535f
SHA1 fbe10aa5cab11744da8445920cd8abdbd09a67fe
SHA256 b46303590e1114ec6d9d9ce41f662bef13b34aeb41223d9ff1a34fb3986245d4
SHA512 bb490ccb3cdfe86ad5966fc479c72c1413768b3ff623361ae050e553280300ebd56bf44a0e6f2490fefee6520373c6304e55af87b2e4303aa4b4ebfc2df20a4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0897539d0759bcaae53516ddab7cbe60
SHA1 242dc2dcd8949623b95be29ae946c1c8974f0d07
SHA256 0ab4fe26d2d04d775f28ba3abab7da84969a9bdc4401a875d14bfad09530735d
SHA512 1ade3743ab3b01c65ea91727890b6763de9a1de5054061f5102adb90a5f93c3b32d03d0641ce20305850222ae2e0a3cbd122ee1334801f48d8fac15a55d8a840

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 0cd46e684f398b36053b4179425f278e
SHA1 f2c8212db2189c3ea2e4e36335cc7f5474b982fa
SHA256 06652a452ad9a033b46a5207aa98db72762ebb9db52809e2a9519a28e9987ed2
SHA512 067ab342094680c90f52356aabca882ea0c08e0a8ca5164170adafd7718a66b64d545bcb2493ac3ca3af0bba54d9c0d78b30e109599c74b387a11b3e3679a801

memory/2748-541-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00ef14ddddc704c6e3dd1eae51117be5
SHA1 6d6e4b9da2de5bec947b53c6899c5adab5bf0102
SHA256 0dc77cfaed9e86fea9540b96fb780b8d2d79a79f833b13390eacbc2710c5ae75
SHA512 210a16e37e09c49f85a27ed2386d714ddc44265025c08b88be397b7458e317ca9e5ea71ee786e200a7cc40ec45e2bf3cd001481630bcce7aba9ff032e17d6cb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcecb062426104cf0be5b624695cbc7d
SHA1 34440277504bb5b07208bf34b185781fbdb74d71
SHA256 04fbaad53639652954c5e1f700489fadb138d1719039ffd6e393029e1cc2b538
SHA512 eff7a71a535c18b9fe3be0053afdc4518aee94ef3626338329847a6b4f92c006875c8efdb43d1b60d0ae35fca2021529f903cdc2071d25b2c686baca28a950ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88ded0009c32ddc24414a51da69970f2
SHA1 dfed6ebfd5b26d697316df14495f2c0d5ea87ff0
SHA256 6f4c16547668bc4018570fbc125eef5981f87d96cbe5013528c6a8d472584063
SHA512 83d8014d783e3fd922b15ff5d7e158200e833e99c14fdb37ffd091134692b0c0da1517b5b08ddc5128ed2c2d1c69b1299d31f94fab60587ce480ce66e495289f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ad9086722afe3cea0f7f9de5c56a98d
SHA1 a98eced6e739e255ab5e515049ec5629bc28c15e
SHA256 61be478567dfe955247f47afbe204fa700e1d7e6ecaac8e84e00d3d74a198104
SHA512 5b6cc3b6b208fceb0b2c62fed8d01af4568e0f2f0ed705b9197b4551e88cb3c98dd03898e4f76037e1ab700682c2aaa3621a3a1f67bb0dcdc61aaa576268e265

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd0dc1efa72ab81516536fd8d3dfc4de
SHA1 c85fa6d0e6471cfe3b1b316bcf1e9ddfd678f31e
SHA256 35403e9581c10274b4583b88fe0c76fa07971a7b5d3c6473e3238ec3682ba1bb
SHA512 653bf7ef7ec2f6e1ba1c872908c17049a204e4b90a34a40b9fc08b022112b12cc4a0a1cceae90e1e84a32fb232296a124d10a51cecc4c0e337165014641a0cec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b1014839095d67a0d901e593f127ae3
SHA1 d11df3b475c2d940371f7f2f0a5181df8ba470e3
SHA256 9b6eed3336ce1bd03232ccee642dd8b8785d3f1b72a0563d99510bc1b6b8501d
SHA512 a13c78c9e8bfc2ef50bffb9e68be431a0ed3526ac95b94dc72e28d6d727b46b67005c6f522eb58dcfdf56a8aa85ec1e70717bca5e4338d67840d066f7f334047

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a334767d01ae94971c40dc1d22b2989c
SHA1 701da127a7d3453780b13cff5fcd858db3ea07a8
SHA256 9f3437cf132178690cbb25ae7d71030b091e52736e4f6e2f1096a698359eb2b3
SHA512 f3a3feb8e9449f8a0517e94752b5026bd8c1b4928b93314ef1eec5641a5cf2c8cb78e740843b147efe6fd70a5214e2ee64ef192d897280997fee7ac0c371b37c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6de48951994697005e386a86c202ecc
SHA1 6f20a56c5794130120f0f9b84e3758a2562ec9d5
SHA256 2e0597821669336dea5f76d812c44b167e4ba0663369cc0db6f86e2efed58272
SHA512 4cf4891678dcf617b599747afbfc60241cbe8a62af3cb30e192cad95268d2bce890a8cc2e36f12bee743f783d532812de0f22fff8def1508ace7d95fcc568184

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4180895929d426c5ec8cf52014f0ffcc
SHA1 9c42246167230459ee1cb9046e3fe62b03088644
SHA256 9c87a8a4169fb25ed0e67c4b992e1010109cd025dcda6f91013a0e9561cc4852
SHA512 00d679546c8996ab19c34037e5cb2e399e2ef65c6d1fcc6f6fa6d0adb183cfe06185e8abdac3469e8a7249a037eb539b5e639fdd7e55e3559c1dd9ad09efec58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a6710e9e0faab7e48a930b9540b423c
SHA1 8041804780e6d3ff6b049718057a5bea29bf9c66
SHA256 7dff4d90b23236d17665e0607541f5a1850967da99d22acf0939e23279fe2ec4
SHA512 402a2c2e065337377c280e9eaace7c8c006c8d3d73bf54388a2bbfde4a366c51669f72e5a68e523639e9433a9c7886f71b0c506f935228e530317e4dd8066d90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3ceab11dc8ff52d264c4397afe77189
SHA1 4f7cec5e4a14d9bf921b6bd9621cbc05c10b7758
SHA256 a568c6a78e3ed3065c47f5eb9e0a1961b32f148d2a836010e7086252ad6ccc83
SHA512 74802f5b1854eea5d16cf6b92a5d5155281b1ee64699a0574430000f15122602a584997c74f115d506024d5eda99d7aceb2f20cdbb7c346e7128ea66f15f4f71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5693502bfe9a9588e885504332003ef
SHA1 90e250845c043fa9b7e27138f146d66bff2b8eb4
SHA256 a8e788c24307ab9f4c62f84c6f748006fdd2bc981c5913e39c4118b2c194bebd
SHA512 22b0262dfab628433520ab883a9beb84b29c0ffd6e44b0dcb47e6c4e23307a1757a1c73ba033c4f3003928d3e64983a913faff6443daf1f3a4fc61c058531dd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 125aed24d5c78dd656fd058f9e2009e1
SHA1 05a95960466023ad80587139654d2a4773ad2237
SHA256 9a58c60ec99b984ff59b384cc8a32350f13f1e840c89a68e716479c8816b5041
SHA512 42a0be1bc2d162be485ee0c38a94bef6b3c85e496eb348a7ef84ec844501b722884e386de1ec89e5ee1c95c45165a06949ea38f8b10742fc90637a1163814da6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12230d7a2b1ad7c0f6f2c12506064321
SHA1 8e0ecdb3a5ef58b8a5ee771bfedf3adb3d59dd68
SHA256 f79f5a3fcc806c283b2704b19f23db3ca38971272d8a6e493a3879fcdc78c9d1
SHA512 b228819c1df9bca22aa13f2fd135d40067721b66911ad312ac4f8f6b7f9b1725a353939fa10f51ea3eb16fd9a64e680f70f47ff23fe52b1b8710f073825f850d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55c56fecf5c13fa104d4db8c35386953
SHA1 9c970d1f9b826eb1f1c7fa52f5ef01a774e62ed4
SHA256 36797aaf6a06e64567f2e4e4f5d0ff9c18b17b4cc205c19db26b99aac98deb8a
SHA512 d59d64ec3dbe6969b6a65a6e356acce47d8a25b1f8d90a6e58b5368483a17560feb7ad3b32004ad6ea007b0397786a314f84603d0b1c1551b1a1043d9ff4fda8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd7c271e86a6d5bd9be45af02177ae0d
SHA1 e7ea281284ee79c78608b4be3bedebd46cb2f3c4
SHA256 306c70ff87dc0950edfa20430ae0c626f7b4df50dcc1ec219a36d9d96bbe4830
SHA512 77b9afd041e945b24e983e37b49a0906b7b894ad24d589dd24e3de5a1c60cbeba51975f7622e89234878d658f98e6c626f5ed8d9dd56563a9c9286e8b9401dc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b10bfd4fda9a64421fef61194cba347b
SHA1 2aa129a8020ae05154f296e032b012c96974e75d
SHA256 c44c6143f53213cfecc160cec46d0849ca0d267307a81d570db20ffbbbc4d1fc
SHA512 5072be7e8e46392be29822f2685775ea2d767b0045dd08a0eba73783fede561cfd169a1ef6d2b58c1a937338edce15138c66329df0b5ad1ac5016b940aaec349

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6355950dcf67a209dbff884ac436661b
SHA1 f99689d048772d24b44aa035e8a5bc8240a1d151
SHA256 81b8976a8dc2d1109d50815dee8c02850dccb226a292fd08846632db10e8d1ea
SHA512 7a549d20e418ee3e4f993fcc6d065aa6a531c8c4255b065709eae6c472a482bdcd814cd1fb9d41cef644f660b2cc5c7a0ce92414cb4dc70c90950be8d0f7c8b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f16a254c5f10cf6321841513da342591
SHA1 a504d2c58ba37b5c080cd65d65bdfab5028188f0
SHA256 df0cc5b358f20c92bc916e1769755f74c6f95abddad548b86038d01fb1a43dfd
SHA512 48854075145e5f1058eb6be95c660aa3315bb0f1b3bef3773ef8508cb05c8b044b57897b63c5f6fc582a22f06a1108db5e4f4421801dace5678660b8eda7ea31

C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

MD5 3ab36b07e268f3eaa604403d4e6de582
SHA1 4ebadd90d85a41582fa01e58eea1d43658a6af49
SHA256 db0ae1ae3bbe22b1af0a16e1a7d7a79f4795533409587f9d86ff148f607bfd59
SHA512 a97154202b12b5c7c22fd6ffffbca94e3c38afc3dfe515b2bf353cf3f1db03251a52b828b308b5c5d8391ba17bc0c960cd4baf529511e143554fcac622b6bb70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f9dfe0c0b401a149897d91bcbeab7b6
SHA1 6d60e1da35dd5691c94e48dbfbd39e69215ab164
SHA256 6c08b49dc8ba721f820c5f7c9c79398679f5c1964b18ba3af341553b05a5b9bd
SHA512 a39e1f8aeff827ee016c571e9dbe27c7c8a618ca38fdcce579aab90a3ac5c6a5327227512b90ae626a89b6896204abd1f40578a0e477cb99252806b3411f0a9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a17ddba6c9a21619c6a8a114afda7ce0
SHA1 5877ceb0d6d6571ff566010531b7b16a2dc91c9d
SHA256 d754168da9b462012dbbc5945667d2f4443b9994466ba671cee538f080f7dbbc
SHA512 4e4ccfbd0397f4ee06ce38694d6c2bd5d89cdf29da45f81886bf82e94e3fcd12bfd5255c46d52424f2d2993920a0f0c69af87203e8c217c45672e986267d068d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\69P6875H\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\69P6875H\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7559e0f2ecc585fbd8a47f747462fdd2
SHA1 0c46002a7dab9de478356b8bd08109d13d55aca5
SHA256 fb813bcf063e18623010176b219cd1f68eaa5d59e3dbc25da313256740a62be9
SHA512 1d6868e4f1178f8b794218b3f4a48eb4a68db2914d7e76e97232905a07ac2c1c6307aa7d2bc560b0bfdf4d12fdaea320cd25f7ac44a8434b5125e059852f7d09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b8499c4fb8ffc85338434edd8fd4cb5
SHA1 6dfda55dec55ff49761caec9b68dee333036d5a8
SHA256 25202ec1bdc14f8372dc26233f3abf7aab2adb5bc56d91b7a213669cbd4dc02f
SHA512 c626a92144ce9323bca5371bbf84584e0ac6525052285ca4ff7cc7d030ee916bc0585bb667b28c0fb21b0ccfa9c23b31756996a1a5b620f1eacd893c774b6aee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c41ef29ebea8cda2e811f2133bd102bf
SHA1 f62e4b5b6c90cd10c550c932fd9ead6bf8a94694
SHA256 2367b3b3178cbcbf14768db9cfb4dfd5855539488a74a77c329ce65023fd1ab5
SHA512 38c190628aef451cdf70225393d322502e411ab22b2d58d06078e2042b49c356126147ba396ee27a0d8fcd2fd3a853adbc6606957fb2b0b48887654f60049490

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d476876aca28527028d7047ada79b80d
SHA1 b07428df29b01f9fc0d48e9084184179c9f014b3
SHA256 3efeabcd0ac95a68e12dd7c96b763933f9d254ef0b552e734656ab55a388adb1
SHA512 4ea980ae6056cba1ee2e8f3484c07e680eaa4d524c78c08a34523bcfe91dc5d83b2f6bfd92733f5769b16d4b4b069b6e063e7dd2a4321cf75027b342dd7b44f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fc55ed750c691f7164489c57a76c8c9
SHA1 88171edc74410515f3798589e2702f020e752367
SHA256 02d7919bbdae823490be7b02cd8839bf994024aaac4598eb7e43c49fd200b854
SHA512 898a00901b1fdad8aa42c7d57d01e8aa1b8304cd8f9b357ec01729a2b133fe09a3144001ebb7d68527765e04e6588afae929c91e6654ba480796a57b7379ce6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb1366521d446526bdfd77a31b2471df
SHA1 a4fcd60542b40351a7d98e285592b877b2ad27f5
SHA256 7708672576c65cce327d15cb964c429f130b1a9eac47a8753fb8d041a834b7b4
SHA512 ea549e58acf45436d0a555c55b1b354392f805409d3ab0dd304c84a29b6888abdc7e4ce0b5ae745eb18762a50185a5bb8e4ee054719c5dfd69b0f7149d799320

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15add0b5957e990cecb37a52bedcc530
SHA1 0dae3ee5e04d5b3f461f58ca3f6e29d87d563aa7
SHA256 401fdb24f37f35afad0cf1327974b81ef8a2bbc89a2a04346e6204584a1dc56e
SHA512 5e6721789640b2ba34527494109093bff27fed7f8d416dbaece27d3fd5c569106a45cbaa47e6160801e0c518655121846eb0329ecb2477dcc8b467b8b6e7f59f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2138762275e3ada889e4e466c004af90
SHA1 556656745308e78a19c8765ae00b89b7f18f43c2
SHA256 6ae7c4863ccb04cbddceaa705dcf76705ad0608fa56b3e1ff8c6bc1c48b1bd08
SHA512 ca35fe929fbc42fa41041f9d2600eea06440e858d2107f9abb0fea5b373a09dce31caa3302bf61e1b480c7d570c861cc220d3f89ce812a549ce15f60520767b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f26f53f5bcf9826e154978fc668c915
SHA1 8d54f490d54737e3c766290375169432a4ad2d51
SHA256 be25103cf368a34f6ed3075f2db3f9c1d160d882bf54c8311ad419ffa4dff43a
SHA512 23c273e4784c3035bdec0983005c9a8c08d1d91175343345aad3f707c0f5d49ed527ff00d93a6453e6dddc468f50e027b8ee2ffd63192199dd8a6c0f0ba26429

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58e913f0e6a7db1a520fd98e86eeaff5
SHA1 b85cf98a8c361c1e30475075e0774f8d6957a0a6
SHA256 5a45d8b33c6e48bd7aee5b5915ad89ea869ef9ddc55936daac285ba9e84edecd
SHA512 0d8ca87ab550f48f9f2bd81f47e6299de139742eb52c9017024d5819c190797c468095ba7d8d72a262d583737ec92a9dae4cd6780898a46f360f425fbf3dda5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1df12fe632eb612902cf4e10167657aa
SHA1 99eaed57abcf4a1da791da773f80ded11dec0f2e
SHA256 ad2b4f2e6885fc3c0e3872fff61ebbd14336363c79e6b5dd67d586e2c434284b
SHA512 2b80dd8702504979710f08a0154c7839711ad31679df67eeb4b236e578e60d0d84eb23e52816a38a4f6f2a1c406599f1e78b856362cf26910acd6ffd590c4d6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd0ea29fa03be4ed38c53fb9efae9449
SHA1 086ec0cb6e55b04aa2c30bdf13affdd88518907e
SHA256 21c18546ffa186d2fedf83d5a8ae1d3e352b2f8f9ac2031f3c491d986ca4c608
SHA512 cd409b2ec093870c3884e3f282829c651acda159c50191952e03611108c2302e6e310a311938fad0ed989c460ddb7a8c606937f1b44aeef2c0505c5dad89a34e
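
Three entries in this list matter for triage; the rest are Windows CryptnetUrlCache and IE error-page cache files written during the detonation. C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe carries the same MD5 (8400ac59c05641bb26fd40e2236a20df) and SHA256 as the submitted sample, so the RAT installed a byte-identical copy of itself under %APPDATA% rather than unpacking a second stage; install.vbs in %TEMP% is the script the sample hands to WScript.exe; and logs.dat next to the copy is the artifact a Remcos deployment typically uses for its keystroke log. The script below is an added example (not part of the report or of the sandbox's tooling) that parses file blocks in the layout printed above and sorts them into those classes; the sample input is a verbatim subset of this section with the SHA512 lines left out, and the list of noise directories is an assumption.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

# SHA256 of the submitted sample, as listed at the top of the report.
SAMPLE_SHA256 = "d0dde0ce53f187ed39096c8f44d89ad1afabe101156e03ce4a92f0021e74007a"

# Subset of the Files section above, copied verbatim (constructed input; SHA512 lines omitted).
SAMPLE_FILES = r"""
memory/2760-12-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 19a866a859bf53960e0838991626b634
SHA1 068d247b78fcef6c5fdcd06a69479c1852d72b66
SHA256 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

MD5 8400ac59c05641bb26fd40e2236a20df
SHA1 8540cb6c0edd6f63d177e06e67f14a5e89cc8aba
SHA256 d0dde0ce53f187ed39096c8f44d89ad1afabe101156e03ce4a92f0021e74007a

C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

MD5 3ab36b07e268f3eaa604403d4e6de582
SHA1 4ebadd90d85a41582fa01e58eea1d43658a6af49
SHA256 db0ae1ae3bbe22b1af0a16e1a7d7a79f4795533409587f9d86ff148f607bfd59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8c97ab31e82df1af84096dd0d4a535f
SHA1 fbe10aa5cab11744da8445920cd8abdbd09a67fe
SHA256 b46303590e1114ec6d9d9ce41f662bef13b34aeb41223d9ff1a34fb3986245d4
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Directories Windows and Internet Explorer write to on their own during a detonation
# (CRL/OCSP cache, IE error-page assets). Treating them as noise is an assumption.
NOISE_DIRS = ("\\cryptneturlcache\\", "\\temporary internet files\\")
SCRIPT_EXT = {".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}


@dataclass
class FileEntry:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)


def parse_files(text: str) -> list[FileEntry]:
    """Turn the 'path / MD5 / SHA1 / SHA256 / SHA512' blocks into entries.
    memory/... dump lines carry no hashes and never match PATH_RE, so they are skipped."""
    entries: list[FileEntry] = []
    current: FileEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = FileEntry(line)
            entries.append(current)
        elif current is not None and (m := HASH_RE.match(line)):
            current.hashes[m.group(1)] = m.group(2).lower()
    return entries


def classify(entry: FileEntry, sample_sha256: str) -> str:
    lower = entry.path.lower()
    if entry.hashes.get("SHA256") == sample_sha256.lower():
        return "self-copy"          # the sample installed a byte-identical copy of itself
    if any(d in lower for d in NOISE_DIRS):
        return "noise"
    if ntpath.splitext(lower)[1] in SCRIPT_EXT:
        return "dropped-script"     # e.g. install.vbs, handed to WScript.exe
    return "artifact"               # anything else the sample wrote, e.g. logs.dat


def triage(text: str, sample_sha256: str = SAMPLE_SHA256) -> dict[str, list[str]]:
    groups: dict[str, list[str]] = defaultdict(list)
    for e in parse_files(text):
        groups[classify(e, sample_sha256)].append(e.path)
    return dict(groups)


if __name__ == "__main__":
    for kind, paths in triage(SAMPLE_FILES).items():
        print(kind, *paths, sep="\n  ")
```

Matching on SHA256 rather than on the file name is what makes the self-copy check robust: the installed file is named svchost.exe precisely so that a name-based look does not connect it to the submitted sample.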

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 23:36

Reported

2024-08-09 23:39

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
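
Two things in these rows are worth more than the generic "Adds Run key" label. The value is written twice, first by the dropper and then by the persisted copy itself, so the implant re-asserts its own autostart on every run; and the autostart image is a file named svchost.exe under %APPDATA%\Roaming\Remcos, a name chosen to blend in with the real C:\Windows\SysWOW64\svchost.exe that also appears in this report. The script below is an added example (not code from the report or from any sandbox) that parses "Set value" rows in the layout above, decodes the JSON-escaped value data, and emits a finding only when the autostart image sits in a user-writable directory or borrows a system binary name outside System32/SysWOW64. The first two sample rows are copied from this table; the third (a OneDrive entry) is a constructed benign control, and the lists of system names and user-writable paths are assumptions.

```python
from __future__ import annotations

import json
import ntpath
import re

# Rows 1-2 are copied from the "Adds Run key to start application" table above.
# Row 3 is a constructed benign control and is not from the report.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background" C:\Program Files\Microsoft OneDrive\OneDrive.exe N/A
"""

# 'Set value (<type>) <key> = <json-escaped data> <writer process> <target>'
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = '
    r'(?P<data>"(?:[^"\\]|\\.)*") (?P<proc>.+?) (?P<target>\S+)$'
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Assumed lists for the example.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def image_from_command(cmd: str) -> str:
    """First token of a Run value: a quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def detect_run_key_persistence(rows_text: str) -> list[dict]:
    findings = []
    for raw in rows_text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m or not RUN_KEY_RE.search(m["key"]):
            continue
        value_name = m["key"].rsplit("\\", 1)[1]
        hive = "HKCU" if m["key"].upper().startswith("\\REGISTRY\\USER\\") else "HKLM"
        image = image_from_command(json.loads(m["data"]))  # undo the report's JSON escaping
        img_l = image.lower()
        reasons = []
        if any(d in img_l for d in USER_WRITABLE):
            reasons.append("autostart image in user-writable directory")
        if ntpath.basename(img_l) in SYSTEM_NAMES and not img_l.startswith(SYSTEM_DIRS):
            reasons.append("system binary name outside System32/SysWOW64")
        if not reasons:
            continue  # a plain Run value (the OneDrive control) is not a finding on its own
        if ntpath.normcase(m["proc"]) == ntpath.normcase(image):
            reasons.append("value written by the autostart image itself (re-asserting persistence)")
        findings.append({"hive": hive, "value_name": value_name, "image": image,
                         "writer": m["proc"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_run_key_persistence(SAMPLE_ROWS):
        print(f"{f['hive']}\\...\\Run\\{f['value_name']} -> {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

The same predicate (image under a user-writable path, or a system binary name outside the system directories) is what to put behind a live hunt over HKCU and HKLM Run/RunOnce values on endpoints; the self-write reason is only attached once another reason has fired, because legitimate software also rewrites its own Run value.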

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes logged
PID 4336 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe 3
PID 4336 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe 10
PID 3584 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4920 wrote to memory of 3832 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3832 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe 3
PID 4280 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe 10
PID 4304 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe C:\Windows\SysWOW64\svchost.exe 8
PID 4488 wrote to memory of 3068 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 3068 wrote to memory of 1672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 3068 wrote to memory of 1216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 20
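Sixty-odd near-identical WriteProcessMemory rows hide the shape of the chain. The Python below is an added illustration, not part of the sandbox report or of any analysis tooling the report used: it parses rows in the table's own wording, collapses repeats into one edge per source/target pair with a write count, walks the edges from the root PID, and labels each edge. The sample rows are rebuilt from the table above (same PIDs, images and row counts). Two things are my assumptions rather than facts the report states: the threshold of 8 writes that separates a parent's CreateProcess startup writes (2-3 here) from a RunPE-style image map (headers plus every section), and the exemption for multi-process browsers, whose parent legitimately writes into its own renderer children.

```python
import re
from collections import defaultdict

# One row per WriteProcessMemory call, as printed in the report's table.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.IGNORECASE)

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}   # parent->child writes are expected here
HOLLOW_MIN_WRITES = 8  # assumption: an image map logs far more writes than a CreateProcess startup

# Sample input rebuilt from the table above (constructed, same PIDs, images and counts).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REMCOS = r"C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
TABLE = [  # (source pid, target pid, source image, target image, times the row appears)
    (4336, 1184, DROPPER, DROPPER, 3), (4336, 3584, DROPPER, DROPPER, 10),
    (3584, 4920, DROPPER, WSCRIPT, 3), (4920, 3832, WSCRIPT, CMD, 3),
    (3832, 4280, CMD, REMCOS, 3), (4280, 4304, REMCOS, REMCOS, 10),
    (4304, 4488, REMCOS, SVCHOST, 8), (4488, 3068, SVCHOST, MSEDGE, 2),
    (3068, 1672, MSEDGE, MSEDGE, 2), (3068, 1216, MSEDGE, MSEDGE, 20),
]
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in TABLE for _ in range(n)]


def parse_rows(lines):
    """Turn report rows into (src_pid, dst_pid, src_image, dst_image) events."""
    events = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_graph(events):
    """Collapse repeated rows into one edge per (src, dst) and count the writes."""
    graph = {}
    for src, dst, src_img, dst_img in events:
        edge = graph.setdefault((src, dst), {"src_img": src_img, "dst_img": dst_img, "writes": 0})
        edge["writes"] += 1
    return graph


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def _dir(path):
    return path.lower().rsplit("\\", 1)[0]


def classify(edge):
    """Label one edge; the write count separates process startup from an image map."""
    src, dst, n = edge["src_img"], edge["dst_img"], edge["writes"]
    flags = []
    if src.lower() == dst.lower():
        if _base(src) in BROWSERS:
            flags.append("benign: multi-process browser parent writing to its own child")
        elif n >= HOLLOW_MIN_WRITES:
            flags.append(f"self-injection: {n} writes into a fresh copy of itself (RunPE/hollowing)")
        else:
            flags.append(f"respawn: same image but only {n} writes, no full image map")
    elif _dir(dst) in SYSTEM_DIRS and "\\users\\" in _dir(src) and n >= HOLLOW_MIN_WRITES:
        flags.append(f"hollowing: user-profile binary mapped an image into {_base(dst)} ({n} writes)")
    elif _base(src) in SCRIPT_HOSTS or n < HOLLOW_MIN_WRITES:
        flags.append("startup: few writes from a parent launching a child, not an injection")
    for img in dict.fromkeys((src, dst)):  # dedupe when src and dst are the same image
        if _base(img) in SYSTEM_NAMES and _dir(img) not in SYSTEM_DIRS:
            flags.append(f"masquerade: {_base(img)} running from {_dir(img)}")
    return flags


def chains(graph, root):
    """Every path from root to a leaf, following the direction of the writes."""
    children = defaultdict(list)
    for src, dst in graph:
        children[src].append(dst)
    paths = []

    def walk(pid, path):
        if not children[pid]:
            paths.append(path)
            return
        for nxt in sorted(children[pid]):
            walk(nxt, path + [nxt])

    walk(root, [root])
    return paths


def triage(lines):
    graph = build_graph(parse_rows(lines))
    roots = sorted({s for s, _ in graph} - {d for _, d in graph})
    findings = {edge: classify(info) for edge, info in graph.items()}
    return graph, roots, findings


if __name__ == "__main__":
    graph, roots, findings = triage(SAMPLE_ROWS)
    for (src, dst), info in graph.items():
        print(f"{src} -> {dst}  {_base(info['src_img'])} -> {_base(info['dst_img'])}  [{info['writes']} writes]")
        for flag in findings[(src, dst)]:
            print("   !", flag)
    for root in roots:
        for path in chains(graph, root):
            print("chain:", " -> ".join(map(str, path)))
```

On this table the walk yields one dead-end branch (4336 to 1184, three writes, nothing downstream) and one live chain from the dropper through WScript.exe and cmd.exe to the dropped Remcos\svchost.exe, which in turn maps an image into a real SysWOW64\svchost.exe before that process launches Edge. The two ten-write self-injections (4336 to 3584 and 4280 to 4304) are the same loader behaviour in the original file and in its persisted copy.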

Processes

C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\8400ac59c05641bb26fd40e2236a20df_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

"{path}"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc0,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8462784734209636270,1517029762234347468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8faa346f8,0x7ff8faa34708,0x7ff8faa34718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.246.100.95.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.73.30:443 browser.events.data.microsoft.com tcp
US 20.42.73.30:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
HR 93.159.74.80:2404 sandshoe.myfirewall.org tcp

Files

memory/4336-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

memory/4336-1-0x00000000000B0000-0x0000000000150000-memory.dmp

memory/4336-2-0x0000000005120000-0x00000000056C4000-memory.dmp

memory/4336-3-0x0000000004B70000-0x0000000004C02000-memory.dmp

memory/4336-4-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

memory/4336-5-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/4336-6-0x0000000005E70000-0x0000000005F0C000-memory.dmp

memory/4336-7-0x00000000050F0000-0x0000000005102000-memory.dmp

memory/4336-8-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

memory/4336-9-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/4336-10-0x0000000005F10000-0x0000000005F5A000-memory.dmp

memory/3584-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3584-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3584-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4336-18-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/3584-21-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 19a866a859bf53960e0838991626b634
SHA1 068d247b78fcef6c5fdcd06a69479c1852d72b66
SHA256 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7
SHA512 9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe

MD5 8400ac59c05641bb26fd40e2236a20df
SHA1 8540cb6c0edd6f63d177e06e67f14a5e89cc8aba
SHA256 d0dde0ce53f187ed39096c8f44d89ad1afabe101156e03ce4a92f0021e74007a
SHA512 b0b7dbb7282ea12793293d5790c26ada1c0225df524fe7b7f168890f35f82cbef06126cb38f064ecb70f440cb7e2838a284bd3ec4817ba7baeb99aff2bdf47f6

memory/4304-33-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4304-30-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9eb20214ae533fa98dfbfdc8128e6393
SHA1 c6b5b44c9f4fff2662968c050af58957d4649b61
SHA256 b2be14a1372115d7f53c2e179b50655e0d0b06b447a9d084b13629df7eec24ab
SHA512 58648305f6a38f477d98fcc1e525b82fc0d08fb1ab7f871d20bd2977650fa7dafa3a50d9f32e07d61bd462c294e7b651dc82b6a333752ca81682329a389ae8c6

\??\pipe\LOCAL\crashpad_3068_RCTWSFCRTROKKXBO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d18f79790bd369cd4e40987ee28ebbe8
SHA1 01d68c57e72a6c7e512c56e9d45eb57cf439e6ba
SHA256 c286da52a17e50b6ae4126e15ecb9ff580939c51bf51ae1dda8cec3de503d48b
SHA512 82376b4550c0de80d3bf0bb4fd742a2f7b48eb1eae0796e0e822cb9b1c6044a0062163de56c8afa71364a298a39c2627325c5c69e310ca94e1f1346e429ff6ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 856faa1a114466ed187b4ee7f6cabbb4
SHA1 892a0c8fbbc31d5a7ab2d918e9d9aee0e45e5272
SHA256 48f4dde2c797da6860566b054ffedf28c668416426ead04fb4effbc8e9376de9
SHA512 c5ea883bb623500cc84c823671bdf762c5b31e08fd6c6bba1404126c05883427375b392a095ad6e51b4fb55a6054e7dddf9e83b8a1e1233c67500ebfc715dcba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e1998a4e42c75aae1a693ac777071bd4
SHA1 5d622714ab9babe4b72b78a2fd334ad6ec187629
SHA256 bef6990cd5f2e53f19ddbc14c94044f50b09e739951c8d398010d3c356159d2a
SHA512 4834733320ecdf6652128519cb6a1b32b62fdeee1478def2ccbdd6bd14853ea02a1ea6021fbc6ad85035ac595b384ad67012af66123afbcbe85f337128e60721

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37609cf7af29ddbdd0d5f18b8fb53c61
SHA1 6b5a336d062b604b8bd51b63ee22c6fe9aa961be
SHA256 973c52bc199c9fb89bdfd945f21186882956a63a4518d5bc77bdfd3be639c5aa
SHA512 4f78ca4e39c7f20d23df83d57e9c59a8aa531a1b79aa7a139e21e9305803a2d56f909cc6f79e5b1b59855c6e6fc78c618f8ab7ea26b3710d3580282cdec4618d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6be217d826ff7c4aa81d39663a38dc10
SHA1 b32f46cf12fc4821f702880382f18ef3714eec66
SHA256 754dca9404f119306b757d135efbab8856521366fe9a3961c5373dda2a57becd
SHA512 306a06b11f079ad10db885200c0bbe37b56bd9687024e18fa84cfb95663f8fb00debebb381e030d5e6c4daca8eddcf180a37668745ec4972ef732dcb0bd4296d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1923d56e7ba63fc70d218e21098cb08a
SHA1 1828bc6858eaa0328ae8664c5710b1a0becdaab7
SHA256 e1c1fce143be2b2f297afd7f6cc58a0212546689d6c911a64eb232dc80ebd4ac
SHA512 73e2f4b6814aa4949b50503027eabc1166bc029778acb0535ffe33549657464576e2a06e81ade8e7e912f6d8dd25022a253d41cd7c5dac44ffed0fce5b054fcf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e790c0d1f89212a9a244ac6bd8784db1
SHA1 7d8b0aa2df2df86091650819b32d017a12bd4eb4
SHA256 620937ce58922bb06457eee134ed65925361ae9dfcc416a6f9a7efa5b03ea2c1
SHA512 0550fa3916523b8c79ee510db71c86300eecee09e7f5c44821a30d036f890f1990654d1cb50956ae0b08acfd218363f4b867e173e56638609cedc1470d3cd5b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 905228f02a0774f6fb75dba4affe3710
SHA1 ce10efd157094508c3d751990b1eea7cee3a4e53
SHA256 29fe334f85078acf35bb53afc3b061f82d4747f5df497f6c3fc5348bfb8fb048
SHA512 2c28fde48d179de566721104ca9e5ef61a36bc00f188b0ffea7133cbb044797df480bd08c5c8e5e9fc9fc9f5b1232be2ee2627bfc5df6feba0932ab91bbf0c9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f047.TMP

MD5 e34e3715712b51b4f38ffb405ce18cff
SHA1 61cac5cbb1c63651594ece47d813ae3a314e9af9
SHA256 69253569066858131503c2fc751b8fea402730f0cdd27895a28bfcffa12e6a94
SHA512 7fccb2cf4626c73046664423b76964cb6e283eaa26ba2359d46204f3d6806ea38cafa14452f7222c78427b1bc607426e9f4465e40d2a446d05830c16edc937ce

C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

MD5 869ce3410162c751d8f67f0052a0a66c
SHA1 45c6e7247ed0edba3815ede39f12c42b87f8a6a3
SHA256 01a1840a26f608edb854cd99d4178fe52d95c80e378e2ff5415b82a5155928fe
SHA512 57121a4fde2167c8e455e098cc3e2b3467f046669de379248db7e54bbce519f0372896c50a0f3c9538f8261e38ae658c0aa3e43858f81b87f465622bc060f349

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d809b7265af5772f41edb59a33cff57f
SHA1 d4fcbcf865d6b68ccab5cdd951f5ad0543e85416
SHA256 813b0d2021ad78a5d4c3f85a4de7416977de6c3cc63295badae00dfacc32c63c
SHA512 22548158d2637ef7e6581589ea010ca23535f20a4eb5709242798bc7a6890898e2a01dc827bcea9a190db3b84c50a996dd3a242c93a9f75ee8716eb189091c7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 da9e12c83d358accb38990cb038dd9e6
SHA1 a1c9c5a94b8c5e40d745ddaaf06a0dc6312ca297
SHA256 9ee0286a593a2a66a7c7a703d1ca11feaa3edcb53da42681fbcde066f823fde9
SHA512 46789756d42542e157f939c9544d832d704f5e45456133ba5080b8c7603542f16567ced542be1168a7cf2baec29965e7f85ce7d5303bcd003e7a4eb54e66cc44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 19f854f133fbb12aeb856c07ccefb046
SHA1 f1fee68a0f601b70903f9d2c5dac353aca32a23d
SHA256 930067d39c71908816f5ee19af07b17c6955a6dc53b719a8e57082a912c6aaef
SHA512 990f357a777d7886fadbc8e55dd161e3406a28ab6dbb0f01f6eef7894a9acad83de821728e85aa52a684a2f72ae172ededf9fdc09f7eaa5af6fb5e163aa2f898

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8c24bb6f058d5cf645094a43895b3519
SHA1 ae088f45e2c0052a4f5479adacc553e5eefdbd31
SHA256 62fdbb648b0bc750053f78a47a244f08ea69cd10b105547fe4fac63d56d76f23
SHA512 953e1f00ac1d65fde188e50730cb496a9ab8e1fd5ab142a475dbe5cc4992778654bd92dada9d30b69496661f10d4609562e801975f681ec3e68e9fb454502399