Malware Analysis Report

2025-01-02 03:02

Sample ID 240813-xz1j4a1gnc
Target 9463baf89c0816593479fce4912fdbf9_JaffaCakes118
SHA256 08c85e93e63fba43e25a3e7bf4e3d9b47783a8acf74a75be9eceffdc68d46cf4
Tags
remcos remotehost discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08c85e93e63fba43e25a3e7bf4e3d9b47783a8acf74a75be9eceffdc68d46cf4

Threat Level: Known bad

The file 9463baf89c0816593479fce4912fdbf9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery persistence rat

Remcos

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 19:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 19:18

Reported

2024-08-13 19:20

Platform

win7-20240708-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6C729C1-59A8-11EF-BCCD-5E235017FF15} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000a88f07d9d93125a529a371452d8f53a6f747ac0c23230f00114ecadf19447eb6000000000e8000000002000020000000a372196abf6dafab7c8eb9becbbf36256e460b8283c69df8f5cd8998c1154c0420000000731bf9b3c3261964e2cdcfed7e0aca037aed73855d6a97cb8223a804418a9435400000007a6f24fbf4d049363e120e816423a636d8c0fa11aece9f5a00b2225c3610d98554464bb4ca659b36067a1864ff88a043830213aa3b09097c61f30367bb3bc55e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429738637" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6073e4bdb5edda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000005738ded8fe9d160d1aed97d263c2d151f19cd825adeb109bffbd0f761076dd66000000000e800000000200002000000000b21d5f75b721cf57b6b7289bc45213f9b2da736736726432aca433660bf5429000000084d3bf4e368240fbbec1f6772d2a0aace169273a4cb66e9e5cdff8a1626f4a4f7acba71da5e6a65263ff4881bddb7430a778dc799b2b68be7b595ee8d58138494ac59ec113f8a3472c4224fe1168730d64061e113a2bb6dc99907754ca6783cc1501276be27677f471be4382675b31f5a1f731ccd542b71bf5655cadff0ba67e52f3b8854b9b4ead678cedc1f123e83340000000038fb303664fea5b80ca05c071c8fcf7066b2412ec81aaf0eb0ad7d822e8b4b0478c2d9df752712239f2678c0d8d3f2ab45610cb61eb23b7b37576b66d20d515 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2472 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2856 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2780 wrote to memory of 2680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2680 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2680 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2680 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2680 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 3036 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1952 wrote to memory of 2260 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 2260 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 2260 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 2260 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 1252 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 2260 wrote to memory of 448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2260 wrote to memory of 448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2260 wrote to memory of 448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2260 wrote to memory of 448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"{path}"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:472075 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:668688 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:209962 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 fgtrert.duckdns.org udp
DE 79.134.225.79:8494 fgtrert.duckdns.org tcp
US 8.8.8.8:53 fgtrert.duckdns.orgqweerreww.duckdns.org udp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 23.46.73.240:443 learn.microsoft.com tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 23.46.73.240:443 learn.microsoft.com tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2472-0-0x000000007404E000-0x000000007404F000-memory.dmp

memory/2472-1-0x0000000000C70000-0x0000000000D16000-memory.dmp

memory/2472-2-0x0000000074040000-0x000000007472E000-memory.dmp

memory/2472-3-0x0000000000290000-0x0000000000298000-memory.dmp

memory/2472-4-0x000000007404E000-0x000000007404F000-memory.dmp

memory/2472-5-0x0000000074040000-0x000000007472E000-memory.dmp

memory/2472-6-0x0000000005C20000-0x0000000005CBC000-memory.dmp

memory/2856-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2856-20-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-17-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-22-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-16-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-23-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2472-26-0x0000000074040000-0x000000007472E000-memory.dmp

memory/2856-15-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-14-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-29-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-13-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-11-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-9-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-7-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 b92d64fe5b1d1f59df4b738262aea8df
SHA1 c8fb1981759c2d9bb2ec91b705985fba5fc7af63
SHA256 fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
SHA512 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 9463baf89c0816593479fce4912fdbf9
SHA1 c09e70e1ee8f38e3ac3d795d1cf2b1a6adbe84fb
SHA256 08c85e93e63fba43e25a3e7bf4e3d9b47783a8acf74a75be9eceffdc68d46cf4
SHA512 9a0feb8ce55812fff31d4f8409205ea7cf5fa70933cb9610c906771f4a64a5ebf64d9002096781cd336dbd6a79131d8b574550edd40598a266a3a2134884e782

memory/3036-34-0x0000000001230000-0x00000000012D6000-memory.dmp

memory/1252-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1252-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-55-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-54-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1952-72-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1952-71-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1952-70-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1952-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1952-67-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1952-65-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1952-63-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/1952-61-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2200-83-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2200-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE7F1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE832.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 086edc72dfa58474aa46681c0df2b572
SHA1 e5216bd3d55fbf8db76ddeb99c396c85072e1ee9
SHA256 42955fb2dfc75e50de3f61d95da3f0a893f97283456704bdb16ca32dfc18cef9
SHA512 c3e77ef7e73925f17a04bb2eb30d03ac0f71bed321dd11c5cd6f3d5e800ab268948306a5b2cad6713014bfabc5b9984d2009e2807f0ea567e11223b509c52afc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3794de132fe82f8bc1c42ab55a9c289
SHA1 ccd37f380479b1e70260795c037862529236576b
SHA256 2310300cd22d9ecda981f26a2184b5d5ba6d4168d404038f5e536e3419f9fbb7
SHA512 795b9b1470080115d89c16d520080bc39d1ff60e6ddaaed15973cea223e94fd3e19c323da7a18162cf6063c1fa7b618f1107c64f28c71ea4f7c731ec77615804

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05abb34a3ba743b049ef4c15211aa37b
SHA1 b5a2c9e437cd8098042d11002793ceb853b856a8
SHA256 bcc2b4787b247487aa154c5f9b418cafaa6d366d48832bce87c0b7a756059dca
SHA512 4d756664369684e4a99d1c5fb9eb68b5e7d8c3be6c5e8c17c44e257911c58990c822b5b797d68bbf60c8c015c8ff89b02dc2ab4be577f2a19670dbb1b2964873

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acd4c72afc510bd7a782325ea2f5d72c
SHA1 37d4dc72091633c74df6d2db960cf02e09661da3
SHA256 a80c0e3663e5b84b971945c247c9e2da43e339e2109743bc51906a28f01804ed
SHA512 c55018e49897c780e1947c1dd2af75f6852b5b8639522dc0b7e06a08d32404aecaef7ff7ab78a7453a1de8870ab83a6540f5c0167853cca027ab29f1d5d57658

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c057aec76d95ac52542805b12a973244
SHA1 c0d501423973970e5f447aeef084ebed19a034ef
SHA256 14476a8bf583a7be823d7db76240840069bb55398be6b74c93464afb8ca64299
SHA512 cb57fde41c5418d10abcb38ff6b7f2cb1bfeff553d6b8240ff43a6364a477f3aee9848e5e554eab88f40aaf0b6d78093d31834a5dc059855a7ebbf9085615cd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d0a6c3caab659400b19fd0b7e73c338
SHA1 8914de18943ee0477a67fb546856b5de41a10ddc
SHA256 8a4cedd9c318caddf745f4991c3b66afc168cc17dbdded486197768a0cc13cac
SHA512 9ccff9a923673126b585d1fade7354f8168492700b701bff31e2141829c66bf2ec7b29dc45943298a43b1b78a9d941396011f163b2a6de3f9ffb38dccfae5e7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 b45ab7f65087b28c4a3565e101df9574
SHA1 474421f0bb86d9ec666ccffd042296418cac0494
SHA256 2003c7d8681871b779bbf955efbac6027e1fc2702e5257e887d68113500d8949
SHA512 aae722933cf51e9cf5c96d2d6d5b9fe678513ea01e7a11d82fe4d1df30866d86f04b975538bcbd40ec3f227eeae500aca70e068bfc69b7308adb7ffb248ec360

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73e138baf24bc3367b2898e82603fc8d
SHA1 5aa95e961268df1b3e6ca59eaa693a44d89cea0b
SHA256 b52c6b601910ac2ccf921d4c26a33cb72cf26ea364d3c11c62f3737dad0a764f
SHA512 bd5ce57b289e2f24688951e9984a77d12400e93892d195159b9adb6c4bbc672b4a0703124113e08a9219933af6df6520c1770617afc2c8b414770fb249915866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f14a06cefcaf0b94deced0cc43ea085
SHA1 c1e0e9701aae91bbaa1668d317f947f7950bbfd1
SHA256 f153f03e9806132828781667933a5695dd90381c0c7143d946d22398b46982f1
SHA512 bc4cb6a7c754f46a1a876e8c1186791837c7cf1ad614f7612990e987b0d3a1c89713e6640657c493accc780227ff770d2352beedc16111d1def4ef9aeb4022e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88f52e5e1d54ad6e263f54082674ab29
SHA1 c729d8b747dade0a82829785691bd4211e5d3970
SHA256 b3a01d3f250ee2ca2f3947440488c1f7f105e88c166ddd3e53cdb3417822d86a
SHA512 814eb6d76aa336c915b91b5da351afe084b180241631e2f021e6328ad0d044a6f1812723846ce683d64d9647d62b43e34acb3ef5b6841e88817371756372cc17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b93e6186ff0105cb3037f187c5554d38
SHA1 40c6a303b02d6024db7359e09f613768be55b790
SHA256 f954920c23e850207ca5fb94fa2218e24c125eed5c5798d0c215957989dc303d
SHA512 2eb2d57d94880caee6f32518f7ff9cff1372a5be14f3a863b000c48f7d84f47aa4b771251c35ac77da51129b77b9bae3251c7ff71553de5a27839545d52163fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30296839c1bd6320659ab3cb74f7ebf5
SHA1 516c01e22bd22715f9dc6c2fafd9b26e35ad1603
SHA256 df0da5a0b7072883cb831e630281cb287548d578f46cf4ecdc729f42ebf253b2
SHA512 891d9e2bd0d41652a869167356b4a02f2b76bd5cb42b068cd71c188d0cfd8c76ecf929bfc99e38d95081d6191d0e672283981127e94965f804b89cf038530fbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b3da5f02309eb2b98bd363318cdd1cf
SHA1 d9657d6c524cf87a88396bb5a316a2605393b397
SHA256 671261090d7c7c26b311d0c4634ef44b98c0f69803cb1cf9ccbcb4bf8d69388d
SHA512 88f26bdf956c767ac53b39a939898512f408acaf22098003d12796ba41ff3589521d6f73f1ece674f6d63eaaa130d4e337cfaeee1bc366c30d15e7d7214235e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0b242efe862a5d64ab3678ac4c97f82
SHA1 abaf45ddf862ab38c6ded88d27d6e9f5de62aa7a
SHA256 5b77f6cbb26e569dea7926a8ef10da9fa7cfbe486c8ff282f8302695ef0b509b
SHA512 e96db1136f6b09064feea38524a5aeae0bb24aa05e35b4c61067f2945a0784f0bdb562d01e5942db22b96b3663e644a9fd4d6f15f3548cade223714d80ebe1c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adcd611a388a614d78a34ef8e0712af4
SHA1 c9f64dcfcb838ed7a45dda52a70fbe17d0d98fe6
SHA256 51c23d8089bfcfbe07436d3199988a1f6d59ab23fc7088bbf1f9babe05d1025f
SHA512 b3de987989b1199d3b5fa436858c3713ddfe8763c1246f811c5b8f2068cd4e313c18527af7e04837eb3b806fec91594dd2933fb5b5345fae323b956dd1ef38df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66aca0ebff44278d8528d6968ba4f676
SHA1 e1dac2ac8066a7fcb7d0b4cbd310ffdaff173783
SHA256 316d6ea75726c1ece6fd0a5ecb4272ffe600067ef3af60dddf87ad1220d3049f
SHA512 aeb26855a77b7d520def690e6536e03750ed74a4651c0f1ee197e7aa1ac914ca110741f52dc60f020330b7dfc5a48e4447befa7a7e0bb7448d80e08182f7a56b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3ea849ec5a3194e1edf0420bf62d59c
SHA1 2d5f50c855b31288b432e8fe03dd6a41cbda9aa0
SHA256 f901b550ed01f2f542d2fdcac43e0a9a4413b0e4f786486cc1098a9accb2546a
SHA512 1e39345f2185a3e669e300da879aafd4c582d19a1c3c0bbb97344b39cb6a70e7bc8f2967a5762e6434498a859409a3795af71509f3ea87e88143e956c823330e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d628053ae0d4f66b89b6cceca79e61cd
SHA1 fa9d72c753860fa9583626b8883567b511296589
SHA256 f7ff5c61bfdb63fc348438b13b7fa024dcb5ab36c6ceccfa699cd3655fb547d8
SHA512 30fc36561c1a4bbcf866d93d99ccea4a5a561a5bb77580f56ec7a7ab339aa0abea316eec88ff0dd759160afe711d67841d53af69651642fca3500e872912bb02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0775f0ea7a67fb7869a1badbcf8a0cc
SHA1 5212e7b6a4410739e0f340a15b11be9ce22e33f6
SHA256 b9b0e1c0a01fb0684b45877e4b3f9824f4dbb6e320d7e11a9654db20af2bca9d
SHA512 d3607d29a1050536c73c336d15d2fe635947a3c591673d0bb53a4ded17155676bbdc8e74e717b0ab7a08730643e5fdffd223b44dc3a8012b880d562ba56cd90c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3c5cc4c303a38b27daf3f18ac5c0ba9
SHA1 6c8f69943888ef370fcdb3e3ca105b67df0485e2
SHA256 066653ba2385fe45cfd14f98041cb6e10405a813e33818f428a19ebf34c065b6
SHA512 023e78f8ffe3a58ae86ab6cc5c4f2073745d9325fcecf5d29a8ef2039b4ff229e887229aa858855f4106c316a8cdd90b2ce00a2c19f491a8979b5e8d62f0a5d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1977f5e28fe5b8ab7362eb4f7655b969
SHA1 828a3e5f2a2942bc0b06df46a535ada1b997c014
SHA256 3355f64070940f2461c4bf57d13ccf0a6d8f2c5c3356af11cbb19733d6f0908f
SHA512 354fde736bb178ce2f3c6b63070f13936d4e236d3ae95a8315d363b07da8cfc123d2cfa85c370279babe15989896ba776942a1b37d371fc696957f628ed975a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 993c1a700d6d8d2ffcb1dfd5576d7bb6
SHA1 f824bbcd2fe59103e615cb5f9cb4bdd13656bc24
SHA256 325dd9fbabe05bcb572a23c3b890541f125862c23253f819bb93a8502ea32a25
SHA512 7103d50e96e92540fb5bab85e603ce73cc77c4eab8a05e14d847cc51d66614cc300fa8d8d9b713fe11933e29498fb8b1fb630a933e1faca4b8ffb6383ac76724

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c8250cec40b288e2c9bc29ca6e4f223
SHA1 7ef43f13ac87b50f059616a4c5f2a6917d56ad7c
SHA256 bd36c01eb7149f3a53f4a0451f448ed597eb5d123ef9e8a1dedbd0e078403f33
SHA512 44f1527ea3af05db9d3f89c896892229f4ec7883950cb3d91251936d6d67dd31219af918f4c67d992718e1e0f326681644b41641fb7a467e4a56e98124e2d9ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 effd38f5840f03944bd7b5525e012c3d
SHA1 4e7fdce84831b51f7b89a2633a29e02cc483f829
SHA256 db4c29f2c7bc8c75044bd3305d1614bde8351a74a96e146ac757afe4251f73d4
SHA512 3b3e19f83d635fa1c9ffa8e8b69ce5dee575d919707c36da0a490c38a124f370532d4712e8529a631acb04879533d6c430daf4efb1ae960dfe7da4ceafbdd6ae

C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

MD5 8ddd777d11ebd572c3436002bee74134
SHA1 c0b5a11d8e90ddb3e2e8f6d17691ab222905b31e
SHA256 fe47c77df0dcc38da102315b0140dbcfd79ff0a903f61c2bd8710fc8a4fda71a
SHA512 d45690c1a167538b1d8f1f73b155b9ddeac287e92739c6bd1be60847b34792c58fb60ab4f3c8ca6e175a9914e7fad162359c7f2cd9784b0a508f66b9a6ecbe19

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CWSOWPAF\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XY2E4O3P\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUF3ZB4A\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XY2E4O3P\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUF3ZB4A\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CWSOWPAF\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUF3ZB4A\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XY2E4O3P\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 19:18

Reported

2024-08-13 19:20

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 2292 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe
PID 972 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 972 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 972 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2228 wrote to memory of 5040 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 5040 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 5040 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 5040 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 5040 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4180 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 4724 wrote to memory of 4996 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4724 wrote to memory of 4996 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9463baf89c0816593479fce4912fdbf9_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"{path}"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x40,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fb0746f8,0x7ff9fb074708,0x7ff9fb074718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2269954697595730164,11953048632555566466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 fgtrert.duckdns.org udp
DE 79.134.225.79:8494 fgtrert.duckdns.org tcp
US 8.8.8.8:53 fgtrert.duckdns.orgqweerreww.duckdns.org udp
US 8.8.8.8:53 learn.microsoft.com udp
GB 23.46.73.240:443 learn.microsoft.com tcp
GB 23.46.73.240:443 learn.microsoft.com tcp
US 8.8.8.8:53 57.234.16.2.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 240.73.46.23.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
GB 92.123.140.33:443 mdec.nelreports.net tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.17:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 20.189.173.17:443 browser.events.data.microsoft.com tcp
N/A 224.0.0.251:5353 udp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
US 8.8.8.8:53 fgtrert.duckdns.org udp
DE 79.134.225.79:8494 fgtrert.duckdns.org tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 learn.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 fgtrert.duckdns.orgqweerreww.duckdns.org udp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp
DE 79.134.225.79:8494 fgtrert.duckdns.orgqweerreww.duckdns.org tcp

Files

memory/2292-0-0x000000007537E000-0x000000007537F000-memory.dmp

memory/2292-1-0x0000000000DF0000-0x0000000000E96000-memory.dmp

memory/2292-2-0x0000000005F70000-0x0000000006514000-memory.dmp

memory/2292-3-0x00000000058B0000-0x0000000005942000-memory.dmp

memory/2292-4-0x0000000005840000-0x000000000584A000-memory.dmp

memory/2292-5-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2292-7-0x00000000081B0000-0x000000000824C000-memory.dmp

memory/2292-6-0x0000000005B60000-0x0000000005B68000-memory.dmp

memory/2292-8-0x000000007537E000-0x000000007537F000-memory.dmp

memory/2292-9-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2292-10-0x0000000008110000-0x00000000081AC000-memory.dmp

memory/972-11-0x0000000000400000-0x0000000000478000-memory.dmp

memory/972-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/972-14-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2292-17-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/972-18-0x0000000000400000-0x0000000000478000-memory.dmp

memory/972-21-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 b92d64fe5b1d1f59df4b738262aea8df
SHA1 c8fb1981759c2d9bb2ec91b705985fba5fc7af63
SHA256 fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
SHA512 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 9463baf89c0816593479fce4912fdbf9
SHA1 c09e70e1ee8f38e3ac3d795d1cf2b1a6adbe84fb
SHA256 08c85e93e63fba43e25a3e7bf4e3d9b47783a8acf74a75be9eceffdc68d46cf4
SHA512 9a0feb8ce55812fff31d4f8409205ea7cf5fa70933cb9610c906771f4a64a5ebf64d9002096781cd336dbd6a79131d8b574550edd40598a266a3a2134884e782

memory/4180-29-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4180-30-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4180-33-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e765f3d75e6b0e4a7119c8b14d47d8da
SHA1 cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256 986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512 a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

\??\pipe\LOCAL\crashpad_4996_XTHLRWWCYIOOWEAF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 53bc70ecb115bdbabe67620c416fe9b3
SHA1 af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256 b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512 cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9d519da210fa8cacd858373de0904740
SHA1 a4639aa5b97cebf549d38f096eafc5f03ec11335
SHA256 6c53bdafb41f214bb1c54de0a1ad5a958282b9e7e65032a70a1b8a0a94b3ef3d
SHA512 5f6c82611f71211ec163b94bc17fb478ffec8a8f2f3fc7ad7664a80d53704aacd0f6c9a8b55a225f9c9ff8612aa0fe9609b5ef61ef74738484185b5a4a9bb358

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 12d885234c5ec1a20a6bf30bc6b81f4f
SHA1 3670e7b8ac39ac267ec2e45f6d1f9dc08bd1f101
SHA256 1275e48c91f57ed0ff5db37827123ffe15d1ba2e8f8f1aedea7af636a923c0df
SHA512 e449817bd581976cbbd0c9f04126e01cf145519aeb0990ec21e2f5f623d88f63350be83dfd2e25d189518060f0e3a0df5784aa7e3b7244da4b95f77a1df9f134

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1bf15f360ebffbf34e21c3d6ad0b03a0
SHA1 79f4dd362594b09c9cce6468c6c2562f274f7090
SHA256 e1ef15726c3073c3718082cad0de7e92c8cff1d0acb7df24c38a29b516f4ce07
SHA512 8cbc8c6c37a83583cd97ab54611ff0390122a180efe64368b55303de57e3bd2ba89bf102f7a9b70997dfcec9ccd3356a1e28949065982fc1faa4bd38117ae54d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c5fceb4af0979c14cd38fc5876dab88d
SHA1 8cb552254586c591fc4d7684f6d2edb305c61209
SHA256 fe610e214d09bcba1a40e9464b5151eee504532a9b8e72b4f4277f4e87c0bba6
SHA512 2927bd7e0e391e375103105fd0f506635729c1258c6ae0ad74b4bce0206a6b6a0f90b18fffc75659bd31a3862c9d44b01148922373164c47b2c4ab33d65ddc27

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c8c5d9d6ccb3494be583217f9184136b
SHA1 9b3a4f878d4b56b570fe209c9fa68a7bf90b38d6
SHA256 429a35d065c8cd9c20f899a5455d07acf1ef2651c07b916f06b4a4da3f5f70f4
SHA512 e71b232c086a4cce8eb8a03ab46c7d8081d8e2f91be7e830d675f096421855eb3283553f1c30f1a9d9d1764e2c2b06ddfcaca25c3ce8f998ec736f81cc9857fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593ca2.TMP

MD5 e77e74a896f34de8ae4088d5e42edfb7
SHA1 fc6ed7e4c3fc41d6bcaeb679698585cd5cf773b9
SHA256 4184b26c80e739b5c78980fd3d099a6d2b5c243837be013023cfc4cc8d7defeb
SHA512 a9fe95c56c7aed380442e67e58ea819d66bf24f9c3ca1b19c60aa0f837f17f966a7c3f637f35e0c256a7b695e98ccd9186ed19d7ecf70d86b9157cc124173958

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 f57bd672fe614986d4123ee65ef4f1df
SHA1 2cc726dbf325b3a303602098110a3a0906c03ba1
SHA256 6b26decf834976a09886a7af692ab99d01936cb8e9367803053f29eddf13ab3d
SHA512 a1df656360c2f18b3043e48be62c3fbee2c55b66cbd8c2b29e42065071549a1a52ea6a26d55581d7088b075bed2aedaf2d3a0d7985ebf59f488394854c907495

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 349e7e7f77a1d0f93abadd21b35c6617
SHA1 66843cb3a2d094c772e30e78a5170cc0210614ea
SHA256 56c19f26ecf68d2f2738a02a58596d221d3f569742c004e3b134181aed0d8f48
SHA512 0d493bdf92ca34be530ede767c8a0fdb872f479b0744036609f52912e02e2042df51ee0211e055f3a70965add0cef72442edc3e85fd4002cf5c95a1f478700ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 8381178c451aa675d4a06ab5708367cd
SHA1 cde5214c5b61493850d6edeb0e18a4c4a1fbc0d4
SHA256 37fc5b4fa4e4da9825e2ca712d2ad650110031cc8f895dbc5edc9879d49770c1
SHA512 353770cfaadc3738c0d47103710ab2bcacfe30cef081ea761a421f967f2710d38b45660c0b4196eba05d9d49d0d828725889df12f1398491a70f38bd46ad4aba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 870b357c3bae1178740236d64790e444
SHA1 5fa06435d0ecf28cbd005773f8c335c44d7df522
SHA256 0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e
SHA512 7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7f4b128d2359dc7590fb1ebfcf2bca04
SHA1 18408eac6596c48666d23a8a88d380b026e07095
SHA256 6c02a9a95a311b6d79a6318a283ec447b3395277e9930696d8ab9d207fb1cb0a
SHA512 98c0852277b360ed15e93ba3998d2092ea8c0b0191f94ab9e225456bbeb0b3795cdfa34f4195bcdde699856075eb4cd1f491a16a9fcb6a723292b65ac638f711

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8fde047913b242eaa876599701351bc4
SHA1 f0bc3896f20d9eb07eeb8c94917c80c917c7d300
SHA256 1724846ff20409b03e22f2019ed5a6ddebcce1ed9a15df8232d1bac03d3b92f8
SHA512 ef44b056557149199c679e48dd5d90099106227360255028cb19a5d2719634356bd544e3bc4ac0b10b2318fed54169edea5225337a29fd26e2f8dd7795c22324

C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

MD5 0569a0f59c4ae31ce33710bd8b1e6fdd
SHA1 98bdd45eec83cc27c1e5c079f8eb8fae65d2d9af
SHA256 5f8bd1ec3022ed2be2359ca181b89dd009f2c04e590efef74fff20bf8a9410d9
SHA512 b6cb7754113ab8f4ef4d707fe7ee5778f5b2c6689572e25759f98d5b1c353f55824bd16d676722cebc82ff9a75404e458a68b2f4bde8664897731725664bcfa5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d421de81907d98c1_0

MD5 403124025e6bb87983ced37838ff304d
SHA1 c4e48aa60bda2e34295b06e0c4cc3eb4c97d9d11
SHA256 48598ae0dc8671f67a4d84dd942986d8bfe5a37016828a147a59deb5ccbc8190
SHA512 9a21cc6a8538a87ce30e39bff20474f97dae31fcc40786e2e273b80e2d3607f9ac57e44cac31b84f76e2861ce053d6e9cbf94bb20e16466005d8dfffda2134f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\19a0b1e76a0cf0ac_0

MD5 fd18ae2dc21e19307e8b061f58b83f39
SHA1 04c045b03ca30c8d8fa85500b261358da77b87f7
SHA256 9e6497a486bb41a275fa2b040e6922c8588a71cf2c0fdfcb1e01d55902e49858
SHA512 66a0cf983e06a108bef4c978ad3ed07ed4af624d58bef0bfc9747bb897073d0d76e3c50b66523321479d4aed75ff8a0532528f75a0f6409677da9eba60d5063b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e5217b2b9f9bb58_0

MD5 dac26fff01e339f0ba7ac76d9ee88641
SHA1 fa712847f4564fbae3e6ea56e3b2e7fdf27e052a
SHA256 b77a9b7c569fd7ec1ecc7d746c2ea9ccd9e1d310070e93c3302ef8fd2a3f041d
SHA512 3175e45708fc0d688e4053a76b8ac4b824a78a08c2c8b980ff09772f34c55677fc72d61e9aa53b9d57a807d3b43b2d218de251d2776be51179f9021d4c9091e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61fb9f051a7ee3c0_0

MD5 c58571abfe6fa878bd7e05bb554e80dc
SHA1 66ab0de5f75c52e56b7b68f1e95295c8dba81d07
SHA256 5973766b0f1bf2b6bfb2e8cf44d4a38ec1906a8f496b2167b51154906e9f93f0
SHA512 50bf1b5f202b1325b24ddef0f88098a870066eac896d8bf12d1226377017ff2000671c93c83a2a99581841bd0c2a80b98ce8c0b13b8c8cb50d85a789dce89b67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fc0bc688f67a8042_0

MD5 d6eb156c3ec06564e9641993152320aa
SHA1 14ddd01347791dfcb4ab8b94104cc62cdf650584
SHA256 5d954df81a93e247cf83deab2b3637078567f26f3b306bfb88e1db2d28593c86
SHA512 5fa9f460d2b43050c8058765ae47e32d4d11263270e6eeb624e10a4078e89a921a2510300b7ac1ef8f124de2b901f6cbed7edf3274b6e24a0e26edf6f795a1b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

MD5 ccb1eb935c7f2c7b105346ab958445da
SHA1 01e6d354b815126fa976acdfb77050ee6667c4f7
SHA256 b3e75ec95fd16b249d1424bc979918e30f8b4a3a008ac225d335566ce5fc73e3
SHA512 d045dd314729a7cbafd5ea8fff3b019917900b74e81c0cc871232221db178215e1651a55ad5d92e4b64c230e8de6ef009dbb63878a9c3f819cd6c8ff759cffea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

MD5 2f946477581aa19198c5bbe50324bd4d
SHA1 c412977ee2e8f1d8f2662287e2bf3a3f2bf96f68
SHA256 82b1bfc234e84d1c221e5fb187091b58cad37de6c3938dac6635606c6fd8494f
SHA512 ef43b1a984941180b8fccef46696bb7689da5d10013fb929df3303374a1f8666a89ea41a9b7e118c2e4f07eb713b1962ead22e4a93f5f09127988cff994e72be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\55ccf1a7cc22206b_0

MD5 d1f6121141d43565725a96f672933618
SHA1 28f65fc315052496e323fb477433bd5c4e2468f9
SHA256 92c67095c461ddbc5e35fdb1794c4f58d5c78398baa3a3a9d19fcb3816c3892f
SHA512 4d9bd4c4cc400eea7f725c6b5abae1e981f7bee0c36c8d0e6c7a45daffe847d1358fde768359f55b539581e9bfccab5b4f64227c92bafaa14240a9ad151a5b89

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

MD5 c9f26d7c980a7c34021af336d1666fb4
SHA1 d7e3442c268d58751156faf59166570bc4c05c16
SHA256 eddba943548485ec7a49858026ee8f00150b27a23d003d846db0f71e64ba3956
SHA512 26fc8cc7f8edb3b73ad088f2c8d98a1b4ed2a5151ca6352c491231d81e3624eb665c6fc183bff8de84657b8b29b2b8924608889459c7c378ada719e0864c1f63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 24d1f538664e4fae09d741e5408c61a1
SHA1 d0564a3f78d7154279ff9d1bc565bb7fed43bc3b
SHA256 e5a249be317f1c18cd841a57361f962e13d9285ebe320ad72ac97910b2401d8d
SHA512 f77aec81d5b0af17c645cb2e15738c614c4efdafaa05ca63c372b7beb87965b5c01200fc77c5c474d8c86b6d9b3fed588d27c81bbd29ff6d41a41c541f412f09

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c0395ee1b394e61621d1b2e0c6ea989f
SHA1 ac65650b78f0aa909f812b4fb9b469a125669724
SHA256 0678a9f96f47ec72275afe10a6bf0b9cd5af9dc4e3bbe73e27535514fed19897
SHA512 2d3f432c9d89a0b507b6ddb6a47c54de2dbe8fce70ba806fd28a02465007ea799c7f8eab98d79b31f5d6b94de2e5499f2cb5e946caf43fd14a9dca611faeff15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5e72391dfb012786774337646a261b77
SHA1 c07a7bbe182791da0dbd244eb4b0538c9c3701a7
SHA256 5fa5ed4268c3aa1205bc0daf0b6d3e590b65330fd95ea1984c35c44f3425f0b5
SHA512 66dcdc49374a3bd2d136ac7323a3986ada92521a66e02a48c95a4d8a5695f0d1a4baf0fc5bdd6c313efcaab9f094d4d89a3745ff6e17886d421aa3c7f199472f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f1f4eaede6da2b6f64a96f9435ed5b09
SHA1 5fe4b7aa91f7da36898164144a0e3e429163c3ac
SHA256 7af2c06d5c3e012db453b4b3b18180b2882769cec4a59d594a1b1464ea070f25
SHA512 855b15631d2bafb9c6ac8f6d2fa50e3dc0d082e5e1d371d7b0f4a3000f54270d59d3eff52e97a640b54afdc22691b0e27d5bbdb9c2d4ae90ee7a02bc29fc6c60