remcos | 74feb165656f8f823d446f77d8e791630359bc1f7a749964001feadb286c56b1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
Size

221KB
MD5

ea710c5f0a39a9d3b524977066acde36
SHA1

ee738124decd05b712f615bcb1e8227d9b1ba3bb
SHA256

74feb165656f8f823d446f77d8e791630359bc1f7a749964001feadb286c56b1
SHA512

a6ec0fb736eb1881af88d1c0a377d3a990afef9c7a5fae9417959cec52445a1acd6c3c7d3c2cb255630bb176e0bc1bf6a0eb4511c8f603ef5d86a53ddfc69b28
SSDEEP

3072:nhz3Jl6hYIbM4rOOCNr4TDsPqbDyplNmNq2E+PKqGEMsjP96s/gDXslCUZFADWat:hDz6hYIbMuOZqgqbDAx+Pd8sLs0hEW

Score

10^/10

remcos twentysevenfeb discovery rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

twentysevenfeb

185.140.53.154:8760

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-SPSHQY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1936 set thread context of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 set thread context of 3228	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	117
PID 1936 set thread context of 2224	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	128
PID 1936 set thread context of 5940	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	138
PID 1936 set thread context of 5768	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	147
PID 1936 set thread context of 5780	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	158
PID 1936 set thread context of 5076	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	167
PID 1936 set thread context of 5316	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	177

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
3724	msedge.exe
3724	msedge.exe
2676	msedge.exe
2676	msedge.exe
2124	identity_helper.exe
2124	identity_helper.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 3688	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	82
PID 1428 wrote to memory of 3688	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	82
PID 1428 wrote to memory of 3688	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	82
PID 1428 wrote to memory of 2124	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	84
PID 1428 wrote to memory of 2124	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	84
PID 1428 wrote to memory of 2124	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	84
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1428 wrote to memory of 1936	1428	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	85
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 1936 wrote to memory of 3320	1936	ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe	86
PID 3320 wrote to memory of 2676	3320	svchost.exe	92
PID 3320 wrote to memory of 2676	3320	svchost.exe	92
PID 2676 wrote to memory of 392	2676	msedge.exe	93
PID 2676 wrote to memory of 392	2676	msedge.exe	93
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94
PID 2676 wrote to memory of 2924	2676	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mnpRWGHeiLUUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAECE.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3688
- C:\Users\Admin\AppData\Local\Temp\ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\ea710c5f0a39a9d3b524977066acde36_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:2924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:1008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:2632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
        5⤵
        
        PID:2152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
        5⤵
        
        PID:2272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
        5⤵
        
        PID:3300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        5⤵
        
        PID:5052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
        5⤵
        
        PID:2760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        5⤵
        
        PID:3300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
        5⤵
        
        PID:2680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        5⤵
        
        PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
        5⤵
        
        PID:3084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
        5⤵
        
        PID:1088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
        5⤵
        
        PID:5588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
        5⤵
        
        PID:5676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
        5⤵
        
        PID:6000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
        5⤵
        
        PID:6032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
        5⤵
        
        PID:3224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
        5⤵
        
        PID:4476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
        5⤵
        
        PID:2384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
        5⤵
        
        PID:5264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
        5⤵
        
        PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
        5⤵
        
        PID:2108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
        5⤵
        
        PID:5824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
        5⤵
        
        PID:3480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1408 /prefetch:1
        5⤵
        
        PID:2780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
        5⤵
        
        PID:5128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
        5⤵
        
        PID:5872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
        5⤵
        
        PID:5260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
        5⤵
        
        PID:3672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7292 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
        5⤵
        
        PID:5632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
        5⤵
        
        PID:4976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1536 /prefetch:1
        5⤵
        
        PID:5700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6473944057396011675,10800738397373614392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
        5⤵
        
        PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:2532
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    PID:672
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:3908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:4860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:2588
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5920
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:6128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5680
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:2292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xb4,0xe0,0x104,0x40,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5408
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0xd8,0x104,0xfc,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:3792
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:3980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:6072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:5112
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:1292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff51ef46f8,0x7fff51ef4708,0x7fff51ef4718
        5⤵
        
        PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
66KB

MD5
776e6f89118aa30c4140c1dd1eceed7f

SHA1
d5ace03bec07b6997e711cbd48a1eb08a425858e

SHA256
5077049621eb3f53f30bd5db0aee77f2c4da42915e626b5eba1b169353623a63

SHA512
28b60eca1728229a42b81a1f51add9343ff50888a73a472d3df67831e8cdd2a96e492bab21e5646314dbe4e5bdd6da4fa11c57868d1c0e7e0b5748754fa72c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
464KB

MD5
e0b43243e36a16adabedbdf1a88a5373

SHA1
6ea4d79e9a797509580dce34be077252bc02fc89

SHA256
a96d0bdd5a47fca745812b48bf4ae357f7ddd9f7c9484cc3a867eaaef99f05ab

SHA512
5da6ff1795252d238734e491b969a559e82976129d00070b4fc7312efa7eaf791b00741fe9063706a62d6cc3c28e228682af6f0510957f84c84d7475162b7ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
89KB

MD5
98db18464a56f95219347f617c10988a

SHA1
4b7ceb7f088678f5affa0520bb33226039db1b07

SHA256
ab049abeadebd891ac067b41a84047617988d00e01b5fb1ff8e6fc8da3407c62

SHA512
58158ca51dbac3319830909bfc45ebc4a35d753e551fdc449bc1579b03eca133d4d8970615aef1f171fbe307b73e24adf0ef1656f047be75d3395a233c058b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
6e78ee324e008296108bfcdecd77e318

SHA1
f7c39ee02c65bceb2c66ad2d7f45523feb5ad156

SHA256
eb7a4ff0f8ed4c8a95b2183968b5a59f4058b177f580ae2d2bef4595b6f6e092

SHA512
bcfff936bcc46ab4120690cff3af93491080e13084ea2bcd8bce1a2470ea86eb007d695aef23b73e0b84cb3c7fbf351d025be47ec5d232ab613a420074f8a448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0adbdc98d9637d11_0

Filesize
1KB

MD5
cd41de7efbc032578986d49a1378b8de

SHA1
17831e6665a71230f936266f14f9689165c718ea

SHA256
ce948b1d15094a08bc987446f6c75c7c569788a8484752b31941bbac1fb44b18

SHA512
3412eaaa0fd8a3608117b016278619b60b122f94de3690814943d473925477c7eb44e25713e87bd2231f09ca59941579c6ec5055787daa9af291ea7e6ecee8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1347c708172161b7_0

Filesize
297B

MD5
29ec4d9a712f8e42a5fca7d7f60d59a5

SHA1
d22f5d7dfdfd6011318179a59ae88eea5ece5666

SHA256
19bd27768ccf48834dc4700a257bc3d105ec3f71b86c21f5902d4bfe7ca0a37f

SHA512
917bf4c2be3d47a0301b1ffe90f43ddb6a9bd45fedd23a6c6eebb9f51a7fec2ff2101937d9c68d1e869abcd26d430413498304788ab4ef43ff4408e832ed5040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
69d821a8199471819f07edc82b81421d

SHA1
bb580c3d62c093286078a9f1be72b20dd320e91e

SHA256
0581d02a9fe94d8de9ef2d27fd113fbc537d880994a5f0ec1ae4f7f169ce8d59

SHA512
6d517b76c8fd14cf4b890e59f5758ca0be44392d8f3e081d1b65b130868cb3d33f14ad7a04111d3b96105c8e8b7b81d12968fe663987501fcebb9f2ccc623846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\62128012e9e7c706_0

Filesize
188KB

MD5
d1a750b1493dfdf8aae345c1df3d5e1b

SHA1
e01f3d26283ca0748326b438fa9ee149abca6f10

SHA256
3581c5addc0e2978f87cf7b1080fbc285f3098684d4e62815e7ed0e4d2834a68

SHA512
1a33c8c1165acfb9838e9cdc33979214c3244b7adf69e8e4bcb4acc809e22b019a80da3c4bae54d91cca76d3d050abd7e220c04e518cf16911601114e5ac5be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
dd9087aa0d4cb4c5564e4b293c8fa829

SHA1
ea6b5ca87aee44be23ca68addd1b46aa05380724

SHA256
802c2a05de4812c017850506b77066dd8ed8bf3505cc36c297868250bb1eca23

SHA512
17e5cdc3dd127c3b1b6b7ed6526042e271d6c937eb50ea076c1da46cb8610f69b1bea8b4d087fab7abd81134a368af9377aafe553a2268cc74e0725e92a679c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a9db9179e335de7a_0

Filesize
1.1MB

MD5
61f7819a9905f58a2ae0173bd525209e

SHA1
f4b6683513b7dd3327a5fd755d1253e6d4e177db

SHA256
c5d4d3d8331e3fc9df2dcbeab050c775e7ea005784734f5552b920e9f1b14024

SHA512
3391c130eb37114ad57bd29f7befec16f9a4cafac8c8091574326bd41a6857c325eb015795897d6b5e36c8ef96efc246955cff8ffa31a883539429f37233cd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ad50f10a1c4b5795_0

Filesize
1.3MB

MD5
ea263b6d8e8677bd469eba20a69b0497

SHA1
7e2fb40c1932a4518646c0d09e153c606e8b2996

SHA256
df8effefbd017eb63a295c12b08dae659fe1487fb2c3368ca2fc8f8b10b066b6

SHA512
4c071518ff592c2ad09d3f3178cc9f1126fe81f83e4deab9e33e61b2ee2cd082250520ae19691114a9c4852e8caa6a3d4adccca4d681aa680382001a9698c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ccbb191a5c1cf368_0

Filesize
295KB

MD5
ca637327f31b5f45cfcc6c870a21513a

SHA1
d8de816831a850e925e6cfe7a05ed15db5e0e4eb

SHA256
ceba6b06c0e58ccf23fc93b2d1c2589f77a8649de4b9211ef8265e79c5e7d1ea

SHA512
3053414a8a91aba0259ac8f255bf56032bee84394b250465c6a1b7839e04f2272561c813a165963abd023846a0cf682faeba2fbf82363680e1d5a53229974a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
34aedcbac5e08aa152eeec4b310e7d1e

SHA1
1e1bf3eca1d44a643d2cdd32225f8ac7317f4b8d

SHA256
a79415e679359d7de37fe0b428ddc23bcd47f99871b2d3d3317231e01897d0c3

SHA512
bc4e844df98f6a4d66ccbfd76cc8aa00f28bb675d0e084391ae1c74ab7c78e2f72a3f9bb682c6d25679a27979c4f611505e21fda23609f3ce7fd5bed6b525007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
d129237b0f1a50c94e16ada542b1e68e

SHA1
55a5ebd6b897eb9c05f607c87d368eeda4956e71

SHA256
dccd4befef93d6cd86bcf4d88daa8ec98ed4cf64098856710ef5c72f2a1f7c91

SHA512
c6b9ddb047fc5905a90e425c10a8d48f7dea714f3bbc5743b3cd72701f35ded2e0a6214583dcc0288da3c27ed72be50b80c8eda69f22645e3a4663b748dda231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd5bb06cd7c01b3a962457834b1faf75

SHA1
2be005d9a8c4cf05341d68fddd12a9c76d0f89b1

SHA256
f7efd611a297fc13bcddce131338b783c9739adf2181da946662e28ad3f44048

SHA512
fc6289a254067688fd90f69854045c8747a740d85d4344c242319f217df307d87491d231c667208f633d93e448bc98e1ced58b11e9d69d7bb3b024475bb5a6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
08dc2a5392c5b53d1abb23508f030820

SHA1
ecffe5ffa29920454a30209c584291b132e48339

SHA256
278231881373d29f7bf318b1f8ae979a59a51b7b2f14d3017b6a8a1d2620e9d2

SHA512
58fcfdca1c4a67237ae696db1762376811abf4423236d219389575ac303e4cd99b7cbeb4eeb998d2458fcc3723311c13563324a1378b68b8e557d0525ac6a976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
14cad627c07d29f7c04ed4bc9ed04cb9

SHA1
859253d34e5b54366e2178b7341bb96caed4ba1f

SHA256
0261cd6e759cce0f11a5ba6325f873dec5b9c7683fda1f3b3f5f5d7e29c92ba4

SHA512
e2ec7cb809ba92b5ee81c87bcda6eb78bf8590cc93c0cb14d70cd31a0e8fe2c4e408be38df5f13574f9e2104686a4df1b0cc9d642dc952bcadd3b88d731bc254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d602d0d011b43b83e3333e2ca7bfc47

SHA1
e6ba24e73b769e6b01436789ac41d3e4dcf2a4b0

SHA256
0f082be77b89c634e40d7ccc054dedb74d7d0505b3b54e9c0767fbcaa59fdf99

SHA512
b3a7a86638b8c683459ef1aac6d9671f2c5a05bbcc43bd57494985777e2c6d4d4530d580b5446467a9d1ed4f8c322702dd4ce417e01093dc5c659e1bf84a07b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
320577d7fee6c3c87a7106505863ca64

SHA1
59e3075106c262b50daf578f63de1958b7f90c7a

SHA256
41ad6130655fd71d5401e91c843e1bc6a8da11706be131de2a78095b83e13e45

SHA512
1bf72439f7cfcc0ab3d28256ce29fd5b234b11241171dc2223656db691eef3b555954f23cf557fddc99693d647fbf2251a196f5da7ac6ddcf4a25927d1fefaa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
975f8c14a05e72d91b2c483f79961f9e

SHA1
ed8c1719172ca4b06e6310529818c6c450e227a4

SHA256
521e443d013128fd40bd4033570af888f52997b9e0560475e66fe483e61f881f

SHA512
056a19eeef39a29214548fb66d6c35798cffde1a86e68db24363e79a703be677738b605155fa8bc2213520f0d96914af20f68d005121f29d8efe204b9cde7b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
977616d1c50296476a3dfce8d2fc3fe4

SHA1
29d66e349f5bc21bbc3632d8918dcbe127e7c599

SHA256
80b4ecee923831a9767aab3143b0c80e7df12656554b0758ad02e40bb86c50cf

SHA512
7e69dec353b5caa89566e0eddb15ffff37aba34ceee410b6dd1e033384fabc68ad239b86c95e3b1ea31fba845ada9c05d128c80fe0a22d62a2bb085cf70a6e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
67ce1bf09d980c912123902e9b719ad2

SHA1
33ca20c581d743a1b790adda58b8c8e7de158bd0

SHA256
cabe9e48ef52d0cd514625e448349f882db91a8a56ffd092be277338baaa3a23

SHA512
2ec2b50b8df942004a367f2a4cc93e8e0a7ca383098649a50dba8d42903ab11b0ede791c7dc109781fd740320f58dc7aa84ae82b72959dc256946b66a32144b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f23e155b246d7cf4747a458aeb6dd50

SHA1
1931df67f76c8b095a3801d0552bff69c14e9eec

SHA256
f9b1f32ab7fe05716f8a84e66dcc4e1c8dae7f97715e415a6070cd4e86c79f6f

SHA512
a973ec6009b78486635e971eea9ed41f1bd73a3108018f490b7d3298ce1990b117fadefdc566aa6ee8892393914739307d09217fbd949089dccbbe5a943c213d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e54eb65e3da0117193e36f6290a5490

SHA1
d6301929e64fb3ac89200bd0081a8239f9fdbd30

SHA256
83699ab70468fa3a348a35d90874e50c67e92c9c53ea2446f4718b8e63721732

SHA512
e20f2d45100c3a47e590348ce18c460d00d341a3c484276a54271d7cbd7ac778376bf7f9ba3ee0f7931d10409ce601774069b9ffc155a820bd10c7f32fb096c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c9c4ef8140a6b5e8d89af8da3d2d9cdc

SHA1
d83d0620a398578dd700180b48206f6c829ae888

SHA256
eed18be002c6ddf94c528556d1ccf4bd66811e81305dc5cec2ef0da797681e43

SHA512
587f7e4d668d7f2ac9fbef2c852e01deb5a2dc4da9a2ce161f4e6b9cb6a73fbdce0f7a81c6f9c1fbda9ce99f795555c22cae1987f989d751f609e54d16801494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
51f9bb31eb3148deb023ea5d95b26d61

SHA1
d1452257e8c75667aef2ff70c4cc364880dc58b0

SHA256
20b228ee9b18f5c5583cc586700c1857004a50990e52468a58bd570546c8ea39

SHA512
300c2bd5128f8180599d2f409383db9525fe7684668d5864cf4b902bab3704720e904583d52040ebdbd058c3cc1fd9286756b37d71c644f60721f8f78e036c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
1b4be636e046d4860204b133a3a47947

SHA1
85b8b21715b87af0bda327dc9e5022de97dfa3df

SHA256
2d853eea3fb3c52b5883169741386bd11cb03bbd6b216224afdc4b1f53b574d7

SHA512
6670678fcae05ad2e0effcf091d1fa65444b951e9d39ac4cb74b6632a33d5ef8f7efa8816e03cbc499a28dc20166201e189c6068ab3ce6b9f43ae6bc76647eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
5f80cf326567aba26964c55d8fe9bc24

SHA1
8a4e51ce0eac0f372d49698999813ed678eccedc

SHA256
1d3c237f5ab0995ce2856c430900a9a7fe4b742b59fb2546ccb457ab531e6272

SHA512
e2b3c44121211d117b41f65e7b966996b968e92e74106ad05312010b4a3c81393e5afe1afe99ebe99415da6324b3519f33c6e24c5810f6d827f8e7d153c08e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
f1a093305666e12b75f7e22b824ef62d

SHA1
d089efe903ea47e64043a10645725a7f4cc6879d

SHA256
f69154cd784b37d7cd99720664c665c0f6777c6efcfb198217d7ef849b1359c6

SHA512
c72788c039f1e1e9143bfdc094e40092c4f6107c3fe03993d3fcccc01bebbee349f9d550db397acbe05ad737ef076ed1bf45e2070da8ee20001fdc3007cbab26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
cc508efa913f92a75896636612b12aa0

SHA1
562da0e039778c410ec8bdeca9b80ef2ee6f9b40

SHA256
be1790c218f8a18cf87e12d753a02dde6e224fef20377274be99c740c01d5070

SHA512
d94840bf43681ecaeada1e24acca0eae7c854324afded54d5dfa0fe101cb5531b676ad75cc5dddb002f69986cd5bc21c460b274a8549b7a95454b20cfad79d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c3740567f1f926898f7c4e65c5bc8baa

SHA1
de565212098bd6523a3d4bf275c2b47b43328354

SHA256
60e76884ff15e50fe91b3cb48ad6746bd899808414429a3ef98b08db146c2057

SHA512
618afcc86a48b9bca179d5c00987aa9d81bca8da68574ec8cef7b0b36df3ab0e33e462f873fe0809aa98e4586bb89768c2db6f1c366e9b197e2ffad3c0aa8055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
d976073ec28fe1f12a9aa02b8b8970a7

SHA1
9d649f0e75085dc96e092916f39405ff6c5254da

SHA256
5da93cb87e08871f70610554e2aab6714f15885981aa160b515c51e06a5e1b70

SHA512
f34a4875b62544e35331ddcfade8bf8de09a45281b1dfd7c66f9c194026c436aa3b725522a0e4adca8ba3100b09d9c5b1693161626a94178d0fded3eb845b683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581edd.TMP

Filesize
371B

MD5
6d9c133ab9456f0838d9b2b706e51357

SHA1
6ebc989ece3983e7ae7ffe2cf19380e2fd47fab8

SHA256
f2061532926f787bc37f273715f960b3217f199d1230df2ad5836206d2bdc995

SHA512
246a24b70dd04768a89ca3369a3f3b22243754c3ff28004d9c940fbdda0e6c613aac14bb5ab10b68faddd7bd07e4b177ede71c584d32af52d97ba044c1a8cc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9ef50f7de60ec3c98961fad6a242024f

SHA1
8d9a8f20f47fff8e78d8e64257a435d55111c15f

SHA256
d8980bf5eeb9c21f0477053c91e665682dacc5406895f33535401b2252d72d44

SHA512
51eff10fa6952d94e4f8806572b64f935c9eb64077027c035dd0799ce99989232aa2d21b59d7bf2decd32be3a098b9054834fa7e835d774e516c916ceb6820d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAECE.tmp

Filesize
1KB

MD5
d2cd534ef1dd6553fd5ec8bee1f64e74

SHA1
6ffabdb5524aea74ea678de230b16509be9297d6

SHA256
a41fedbef88cbbb5b7d1f7264f2f2289e745ef29bc2f96cbc496304807913127

SHA512
867c4f0da7a418c5e06bc485aa7d211468eec4bc1190cf0fb01903cc56d996d6f25d6d6c46b8463857b3cd65e0e9a749d37579ce6f0087b23ac71bf993c1b666

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
111B

MD5
c455ab7d7e3e23025bf944f336095585

SHA1
7ac91e05d6a023cb449e76bb425d66a9d72a196e

SHA256
2213a0c933c449b5bac0174801dcd35b38302793ad21b3e5bfa822b82b3653a6

SHA512
a5fd13ffc640b0efe0bbed71a1d868bb69a7ed5fac9b9413f1d6f839ad0e0f83effc556dee378fac67d066ed94c13294b6fad72d74735525d6b3ad90be8443ff

Download Submit
memory/1428-20-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/1428-0-0x00000000751E2000-0x00000000751E3000-memory.dmp

Filesize
4KB

Download
memory/1428-2-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/1428-1-0x00000000751E0000-0x0000000075791000-memory.dmp

Filesize
5.7MB

Download
memory/1936-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3320-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download