remcos | ac03de9eb86c038c61523da3b2e8e8d6748f6f45762e44564547f96df37acbe4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
Size

480KB
MD5

e12fd7343aae44cf9ba75d87754a51ad
SHA1

0d4aa92ae887175f42095a578337457875736536
SHA256

ac03de9eb86c038c61523da3b2e8e8d6748f6f45762e44564547f96df37acbe4
SHA512

b9325b2052f886a1b7de67d7819961a53542b7cbaabbd6edd872184230849d46f78be63b68aa9d89117795b10194bb07014fbaf7d31e803687a37cfc73b83b8b
SSDEEP

12288:lPSbGTS0a3ESKPCjIZq8ratAKuv+/PopVuEV2mvV:lPk0a3CCUAAKuIPopVuO

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

RemoteHost

sandshoe.myfirewall.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
svchosts.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-DOPZNX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4360	svchosts.exe
1180	svchosts.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchosts.exe\""	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchosts.exe\""	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 4360 set thread context of 1180	4360	svchosts.exe	101
PID 1180 set thread context of 1956	1180	svchosts.exe	102
PID 1180 set thread context of 384	1180	svchosts.exe	125
PID 1180 set thread context of 2416	1180	svchosts.exe	135
PID 1180 set thread context of 3664	1180	svchosts.exe	145
PID 1180 set thread context of 5460	1180	svchosts.exe	154
PID 1180 set thread context of 5648	1180	svchosts.exe	163

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
2560	msedge.exe
2560	msedge.exe
4216	msedge.exe
4216	msedge.exe
1748	identity_helper.exe
1748	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1180	svchosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2488	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	93
PID 2800 wrote to memory of 2488	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	93
PID 2800 wrote to memory of 2488	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	93
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 2800 wrote to memory of 680	2800	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	94
PID 680 wrote to memory of 908	680	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	95
PID 680 wrote to memory of 908	680	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	95
PID 680 wrote to memory of 908	680	e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe	95
PID 908 wrote to memory of 448	908	WScript.exe	97
PID 908 wrote to memory of 448	908	WScript.exe	97
PID 908 wrote to memory of 448	908	WScript.exe	97
PID 448 wrote to memory of 4360	448	cmd.exe	99
PID 448 wrote to memory of 4360	448	cmd.exe	99
PID 448 wrote to memory of 4360	448	cmd.exe	99
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 4360 wrote to memory of 1180	4360	svchosts.exe	101
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1180 wrote to memory of 1956	1180	svchosts.exe	102
PID 1956 wrote to memory of 4216	1956	svchost.exe	103
PID 1956 wrote to memory of 4216	1956	svchost.exe	103
PID 4216 wrote to memory of 2736	4216	msedge.exe	104
PID 4216 wrote to memory of 2736	4216	msedge.exe	104
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105
PID 4216 wrote to memory of 3324	4216	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\e12fd7343aae44cf9ba75d87754a51ad_JaffaCakes118.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchosts.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Users\Admin\AppData\Roaming\Remcos\svchosts.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\svchosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Users\Admin\AppData\Roaming\Remcos\svchosts.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:2736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
        9⤵
        
        PID:3324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
        9⤵
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        9⤵
        
        PID:3460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        9⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
        9⤵
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 /prefetch:8
        9⤵
        
        PID:4896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 /prefetch:8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
        9⤵
        
        PID:1712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        9⤵
        
        PID:4232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        9⤵
        
        PID:3732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        9⤵
        
        PID:680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
        9⤵
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        9⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
        9⤵
        
        PID:2544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
        9⤵
        
        PID:2584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
        9⤵
        
        PID:3472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
        9⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
        9⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
        9⤵
        
        PID:3568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
        9⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
        9⤵
        
        PID:2528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
        9⤵
        
        PID:3988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
        9⤵
        
        PID:5136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        9⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
        9⤵
        
        PID:5636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
        9⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
        9⤵
        
        PID:4596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
        9⤵
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1633355497668264837,1238383637472343358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
        9⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:2908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:5088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:2296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:3172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:4588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:3400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:6092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecf546f8,0x7fffecf54708,0x7fffecf54718
        9⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
66KB

MD5
c49d5dacb882c6d228118bfa39e1fa2a

SHA1
7c832aea225148c0cc618a1d88ee49942fa9e088

SHA256
c4d060ea1e1a3f7451a02775caf09898c1a8c35d981cc2928e4ba29ddd3fda06

SHA512
57b6760c5ca2ed8598a064e59d496db7c3b346112e81494bcd138583e14df1d437bb7861859ea0a56f0e6743ddc288dc91fe917cbefb7e56c6c2e78645606e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
465KB

MD5
536febd0cba8e48caff2300c631496a0

SHA1
ee0a538a7d3fc0c087b74fb74dd30a14fbfa948d

SHA256
b70bd5167c387ce53cf3c0aa5945922ceff8192790d5cff40336f3655c25404f

SHA512
aabe28bfbcb17581c07b788bbbb088d620f50bc96f8d135da919931e9c237308a82178834e56bce8045905fd5273c74e951d1ad3eb28a98ef55c8c69a497485a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
88KB

MD5
cb2c28a95bf3f86bef5d89f340621dd3

SHA1
9e94b41219f2eb674154e5468a8349d22241335e

SHA256
531a2f4f81564e638bc23cc740879d49a63f1888560d188e5464c12bd0e26a52

SHA512
97a71e95747b24ead50f1f6bb3ac8bbf6da97ee19b7a5b37d0e0e656b0fdf1ac9e3ddbbba6789123f47861907c8a45ccce744b4018a4e5629462d060df3cdac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
6e78ee324e008296108bfcdecd77e318

SHA1
f7c39ee02c65bceb2c66ad2d7f45523feb5ad156

SHA256
eb7a4ff0f8ed4c8a95b2183968b5a59f4058b177f580ae2d2bef4595b6f6e092

SHA512
bcfff936bcc46ab4120690cff3af93491080e13084ea2bcd8bce1a2470ea86eb007d695aef23b73e0b84cb3c7fbf351d025be47ec5d232ab613a420074f8a448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0c749c22cce1f1be_0

Filesize
1.1MB

MD5
cea74d057eeb6aa153c7e14cbb44b909

SHA1
0fb9a92b99f667dc9ba8f7604ab3ef6fcd123230

SHA256
059659bd6d19d17a8d02ee6c6bb2aa4a066f6c79c77030f278802c5bd850ae35

SHA512
1932c55b8d751b847ac5b5ddfd8af8bfc13178242fcff44643dc44bc82aad32f32b1f60c7208a0c0fa031159f4aa71468c70974ced7aa1492777e4b0fcd8c092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\31ff13b1f93772b0_0

Filesize
1KB

MD5
42a782445a7353f8d9a37ebd52f79de4

SHA1
0e227d0ce819930b275a146a6ea9b980c50c6bd6

SHA256
5c6738cadd867411466052d2b9f43000bcd458bb67b60b3f49b383b574e21356

SHA512
d1b96ea529dae963317aa7e38a861346db7ce0b84ccdef4af5e94e8bd0c06e9086824595485475dd4377e39f77a255750bfb86ad90c528eec643f58a50795bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
76add4100f4e89422e666e031ff37aa5

SHA1
864e2fb962ecbe3b5576bec2f288a2dd4ee6a61b

SHA256
a2cd951c300a34b5f664a93d27e3f2e4045742669b70c8c39ff61372ef75120c

SHA512
98379ffa445b43d94c07b1c0f3a61c18679259ae6359fb1a7f79646547cb9bb8156ae7df6cdd1cdf8e5459406030e51beb5db34713264500d5bc0876e1983384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3e4388303cdcdda9_0

Filesize
295KB

MD5
6f1a33e61df4cd6bac218db802ac9e6b

SHA1
f20cd21c32191528db3c8e7416e55f6468e3dfc2

SHA256
255f2b45bff317cc879d6337740fce77e8bbbf0ba096c5d758f95f1f8c941535

SHA512
6be6504cab73a49f284f460ef8b11de19a5f5616b8ffe37aaff206b9452e81d08a9e89e6d4e3f4c849ba1874423ec3b1453fee2940a0d2fc22dd4e235e31a283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4d979cb77f33b7f6_0

Filesize
297B

MD5
90f6332dd41987d378217e274d01e599

SHA1
795b0e19d89adc9b3ac076bc6b22e1e29ce8cd04

SHA256
e8140573c2b452b6c7835d7f3e3008fa446975b655f406bc8f49f5b449819201

SHA512
bb2082dc83e8547577a9777c73582d70aa3f00dda68b78c1d09439a53b8475afa5cc75b6438b868452825a30c9853236a1e03e70de4310812a857aac1e954fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
27e432122b12f99b64b104e27c5dd077

SHA1
1f58305d320cc62c8f19725fc0deac9af3acbf7a

SHA256
e19eda105e31d9f972cc126ecbbcba9c1ec54bc5ce0f9cdfcb2ceb431c14501f

SHA512
be560c65496bd32095008398344cbd532617fc307fb361eba71877a755d852c8151c81a44615c047a8bd414228c3021b855b88f1dc82c03e7f8633a600931ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ae8195b86925f254_0

Filesize
187KB

MD5
52244a3ec807f0b0966d959c71588d11

SHA1
5f22a759b46cb50937d7ce76fd74e1cebfaf2b65

SHA256
c1744face32cd0ecfd29eb77f3f328afe39ef5c6f0263a155e4b0258babaf6a3

SHA512
cf0004c3b2514ddf1f61d6be02dd506ba142f564613dfba8662c3aeeaa10a57427125116fb2f8ff7b7286d45618ec04b85e2b30cd06faab0622a1172ceb45856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c69616cd4f4523ce_0

Filesize
1.3MB

MD5
82c181a4d3176f1daa623f743c47413d

SHA1
4b8aebae5f2b61a759e2a02edcfc53b9d7af4f17

SHA256
4f7a55977b6afc6e51cd9a4f1d90156f4fe0933b32f32186cd15d1854c38b2e5

SHA512
50b511656088676a60349ebcfdeac901f64f8ab394eb9335648db57a53a4a7e87c06239c5a88d05fcfe716dcc03007c82ed6515249cbf2300d00fabd211f8567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
84ec585e7fb06222b129f397377931bd

SHA1
7283458129610c29f4fc46848e0fbb4bbaf07581

SHA256
d308021e607867e8fc08df4f33121931764e50c4f2743cbdd9e6c3a1dc54ed84

SHA512
4cce9e72c0d9601d0265b0bf1015f20f47ac3238abcc21c57f95b81b4f95c1b54d37cb906fdc54b0cf6ad9b9ae6c63b55bcc0c57b7acec49306ad702c202450f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fb5f439cfa7524832829b4f89c86094

SHA1
c9e70b538a036a52aff0f143ef01679b0aa90166

SHA256
7896f213a0587b0b47d278514f06a401166410c49060de2fe5900998fe0bc023

SHA512
6e4c90683395c73dfd782fb6dc931aba186429835dcb4d265d22702111070b967d2461848c9dfd66d6e3d372326a288d35c1dce733fd10ad364850ec2350dd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
607ef707167bcffd5ce2ed4ed829d4e0

SHA1
e45d23e7667560b16f1ce5f97c559705fe2d1c53

SHA256
d7e229753a3729d3fdb2cfd85d6f51fb682a566f17b2bc37b8c629d21cd1d041

SHA512
e422d7a6ea5f98f353e7b2de4f60e47b0622a56e1350972f279e3662bd551d35f8ad3c9feac0eed6db4504d33e4eab9299f05cab98d8f0ec777640b27a8dc1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8e8d2dd844fa07cc28c0da4c96111c2

SHA1
77dfc7f3fcf4d52052ce70cdd1978d3e58f3cac4

SHA256
8a6cb545280bfbb1aa8875e83b1e3258e04ae597ed05c65b51763697bd08aeca

SHA512
2c425f80baf05e1dd10aeb7c17e1433eb170ec8d4bc56be6ccee014615fc75f43ab87e9ad78b10dfe18021c765f150f4d1c9e312bf7a16df88d70f68324c9933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88a97c36ea53b3ad7ad71f2533186513

SHA1
0cfea09726a47e26749a20d5218cb2db48d97453

SHA256
4ab7e4b78e38c8736e9faf85a0788f32e5d57d5ca22bd51d72d8e4a43a703b42

SHA512
2b9b839c2e7acf86cd57b0f188c954f7539b723ab0aac63c24ad6c65de5712a354dda82dc3ffd291cf17b89c6a365f636e8ca844d85994b2538e579eb806d3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2ccafc66b60cc59753721092fff45ed

SHA1
12bf8b2784401ad5f00e0408f4825b2c699093ed

SHA256
cdb68b0c2bbbe9f9290fe3bbbe54814cb6f775979fbf320cb25b59dc52c5a532

SHA512
0f66c0b2cfa1bb64bd14e47334e9de4a485913c0234b30645579f3b4d81b2218ddeeba01f70866394db88f43be380d06eff1cf15c721d7501dca3252e192c5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e110f78b5b75e76310eaa78c5a1e97d

SHA1
9aee71bd051fd1b4a844f02f69121fee138076df

SHA256
eed240236ca44e2fbb7305e7e77891eef69b7859d91d1b7afe658b7c11b03037

SHA512
fe7440b3cfdfef91a5cec5272c94311eb91bfaed2a7b0227171cb91e502bee9170c2756b0e428aa6743fb37851245dd934825445ea3987aabd2205ba159e0058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
a670ef474dab5bc96b99ca05f965a870

SHA1
cf3ddfd681affbd8c16030b2b1137398afa49a53

SHA256
39b57d220ea7873fb3e8bfed68e4750ea7607014112632297549ceb70722f5c8

SHA512
0b62931daca55110a95326f9cbfc6eb8a1b9e11b4e97b26589f3925bafda229be4c1e461b9d8ef4d721c577be5c76d5b4806a922cba0d6b8ec4288ae25419934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
6dcba2c2bb4e0367282db91cecc779d8

SHA1
b4d84853afa76f99c1a81d33d433a8b0c66dc604

SHA256
c58a103be160741b5acc313365c76bc32e0f86b76e5b49ae3a4e904940e227b7

SHA512
bba5c8350e816f5451b656c7685f13e3ee6cfc54dda87a24574d1a0b5c29ba722e087841f03de5b0ed9e513f2cfd47057c870f4f5aad5734887c8ba56473dd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
2b697c624e253c0c9354785a1f511ca4

SHA1
6af4c6a2cddf9313f481107833b813df7e53a8f7

SHA256
d4aae05731cf8f0d3bb5d949ec8cbd62238213e38e1ca37738b1b1e88f43e4f9

SHA512
30e918b21b72349f8c5464fc4e5c9358a537903acf9ed71a113f47abf160b866bf9beba0cff903287517d456c315c980eedc5fa9a4b70e67097b7e16593bcbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
8acd8d583570f9608d60b7a33ddb91df

SHA1
3dee9dec7570ffbbb0a7ee11a4e9c7bcc47dd09a

SHA256
9332139e783f7fdaea4f326510d799df6fa6b96fae27b972265bd3c67c99ef20

SHA512
5af768a728bb5e34e692e1bc11b58a7ac9e04de40380734c553f9b9f45681cafd07a2f7f2a15b60a6b24f6844bae0230553a8bcda287cc7fd7841f1b53e99c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d3e5.TMP

Filesize
371B

MD5
e0bc74e2c9bebc98b138ead1586b8c3b

SHA1
505fc9bba7fbaa259c91d7101741bc4a3788a721

SHA256
0a1e05422be2569c9fefa2d307980275a55c23f3e3e2df281fd3ac03212e9693

SHA512
788d5e9cd24ff984c1db538f7ddad0004897a86bc0761fb7523af541160bd71bc0b45027a5d8914e4ffe059ebb6ebb808079d8c15e807475ad385a07dd21be89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10afaa827a4d7a448bdfd9384fa8720f

SHA1
7e92f7801094c0b4cf12239d4138fdc0d6667f4e

SHA256
3f233fa26c6707e05c1dc088a7350e2f452d904c485fb747da30753b163174f7

SHA512
446d6092dbe4777a9d87de87478f624d7535f6340b1a7358bc0b158f5c4aebbf8d6c86890a21441bdb06655916dd88a0ff59a3da73a8aa41dab1fde3da53c742

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
422B

MD5
57c7d195a177757bfcf67886fd7c170c

SHA1
64187068dae395acd2bed9dd6c42d10bddebaa98

SHA256
35780c2a4ec8203bb8fce796654f77d441ff9196851ccea72f9c207b22f51382

SHA512
270f1fffa624530ba45c2bd6b55e66b2a07680331f85d9f0d2d2502f9bd2bac83f92fdf968dd05170a9c02d38783fb8bef0b484f28f1c919680ec6ab3c324d7b

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

Filesize
111B

MD5
afbbd67dac564521fcbaa14fe31e88a4

SHA1
4ebba0c0abf59e38e80cfbb3e9304c5e334b7d2f

SHA256
04df1b8e93d49ea365c41d0b7e6d418dd50ccd5b05ebd1b89e2117bdbd520199

SHA512
169ca137052c30160d49bc3bb6e81f783db1ff2a9c395adfb39b1cbb1e6354f0102cf18c5d443bdfe7236614f27c8e4326cf4c560933c8a5f7af122940b766f9

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\svchosts.exe

Filesize
480KB

MD5
e12fd7343aae44cf9ba75d87754a51ad

SHA1
0d4aa92ae887175f42095a578337457875736536

SHA256
ac03de9eb86c038c61523da3b2e8e8d6748f6f45762e44564547f96df37acbe4

SHA512
b9325b2052f886a1b7de67d7819961a53542b7cbaabbd6edd872184230849d46f78be63b68aa9d89117795b10194bb07014fbaf7d31e803687a37cfc73b83b8b

Download Submit
memory/680-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/680-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/680-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/680-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1180-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1180-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2800-7-0x0000000005880000-0x0000000005888000-memory.dmp

Filesize
32KB

Download
memory/2800-0-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/2800-10-0x0000000006B30000-0x0000000006BA8000-memory.dmp

Filesize
480KB

Download
memory/2800-9-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2800-8-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/2800-18-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2800-6-0x0000000006D80000-0x0000000006E1C000-memory.dmp

Filesize
624KB

Download
memory/2800-5-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/2800-4-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2800-3-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/2800-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/2800-1-0x0000000000C40000-0x0000000000CBE000-memory.dmp

Filesize
504KB

Download