remcos | 848aee75718b5e635f13a64dcb64dd0c0d4d44228952d2941a9c4c1c14fd7ea1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
Size

850KB
MD5

f87e2aeb7bcbbb476a5d157602e47dca
SHA1

238f66f3053f2e154bf0a099aeab72698f6689e3
SHA256

848aee75718b5e635f13a64dcb64dd0c0d4d44228952d2941a9c4c1c14fd7ea1
SHA512

274b995615962f3ab52eacc6c393a76dc46aa431d109d450e37971548c0181d4ffbf048de6b2aad20aac82920f6aab425b2ce41887e1eb69e47ec28cc2798f47
SSDEEP

12288:EILpqyf4jsY/ipLmA0Hrx5ulDUyXzzq1CXvQaAQbiWzx51SwasKcZtlH0j2qDSvV:EIIyfws4FrnIvq0f5A4iWzx5nasRtpy

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

3.0.2 Pro

Botnet

RemoteHost

fgtrert.duckdns.org:8494

fgtrert.duckdns.orgqweerreww.duckdns.org:8494

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-VXX167
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1808	remcos.exe
2144	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 388 set thread context of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 1808 set thread context of 2144	1808	remcos.exe	96
PID 2144 set thread context of 1956	2144	remcos.exe	97
PID 2144 set thread context of 3216	2144	remcos.exe	120
PID 2144 set thread context of 3372	2144	remcos.exe	129
PID 2144 set thread context of 792	2144	remcos.exe	138
PID 2144 set thread context of 5512	2144	remcos.exe	147

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
4464	msedge.exe
4464	msedge.exe
4108	identity_helper.exe
4108	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 388 wrote to memory of 376	388	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	90
PID 376 wrote to memory of 1180	376	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	91
PID 376 wrote to memory of 1180	376	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	91
PID 376 wrote to memory of 1180	376	f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe	91
PID 1180 wrote to memory of 1764	1180	WScript.exe	93
PID 1180 wrote to memory of 1764	1180	WScript.exe	93
PID 1180 wrote to memory of 1764	1180	WScript.exe	93
PID 1764 wrote to memory of 1808	1764	cmd.exe	95
PID 1764 wrote to memory of 1808	1764	cmd.exe	95
PID 1764 wrote to memory of 1808	1764	cmd.exe	95
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 1808 wrote to memory of 2144	1808	remcos.exe	96
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 2144 wrote to memory of 1956	2144	remcos.exe	97
PID 1956 wrote to memory of 4464	1956	svchost.exe	98
PID 1956 wrote to memory of 4464	1956	svchost.exe	98
PID 4464 wrote to memory of 984	4464	msedge.exe	99
PID 4464 wrote to memory of 984	4464	msedge.exe	99
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100
PID 4464 wrote to memory of 4436	4464	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\f87e2aeb7bcbbb476a5d157602e47dca_JaffaCakes118.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        9⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
        9⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        9⤵
        
        PID:2272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        9⤵
        
        PID:3684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        9⤵
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
        9⤵
        
        PID:4172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        9⤵
        
        PID:1836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
        9⤵
        
        PID:528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
        9⤵
        
        PID:4864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
        9⤵
        
        PID:2224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
        9⤵
        
        PID:3576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
        9⤵
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
        9⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        9⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
        9⤵
        
        PID:4864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
        9⤵
        
        PID:3584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
        9⤵
        
        PID:3636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
        9⤵
        
        PID:4636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
        9⤵
        
        PID:4740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
        9⤵
        
        PID:3824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
        9⤵
        
        PID:3320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
        9⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        9⤵
        
        PID:5572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        9⤵
        
        PID:5676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10121386649234841176,261620897564301257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
        9⤵
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:4352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:3036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:1560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:2264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:3592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:2316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        
        PID:6092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb78646f8,0x7fffb7864708,0x7fffb7864718
        9⤵
        
        PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6c2fb462-2625-476b-bcb9-a1ee4464498a.tmp

Filesize
6KB

MD5
a543e7e957c65f63addc9b6a34534f59

SHA1
fc73f7eef515d3594edc239b9f941922b6d6d39a

SHA256
788ee312d618db2e8c6dbbe4ffc7ca70961e4b5fbe000cd4eaff76c61ab72ea2

SHA512
11eed8a204a1be7fb69b75a2b6e5650559f042cf99fd2c45671d97a6b5495dc8c22cd99dcef1a12bb5952308ea06b7e0dc70b2d362323eb6fdfbd86f617d6f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
66KB

MD5
3eada94bcac51488e32b21b8d7afd6ff

SHA1
85e6cc27faae802a385be9527baebae4310d92bb

SHA256
07b0dd2cce62bef3109017da2703d32deb23a059da4fb689b3687866c3e54710

SHA512
9c79b6d7a8e2c8ed03cc86a463dd6a274178f19a71e7b43a00661f5368b3561b2e0b3c5cbc982c06694e4c63fffd963b9b7eace4df15562d9b25eed1e4659fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
464KB

MD5
bb1a7d25289fd9a6e49c9edb43cf5c84

SHA1
68820919bd6accb1916b8a87c312f856a2f858b5

SHA256
28885ae52d0eae20a17ef43cf4cb105782c645708057b08045acea4f0b3fd3d8

SHA512
3128acc965b6ebe679ce136a3b944e27a7ce474da2b4e618e2053bfa4cf1f13a16aa232b1438c4962863292330338d8ba753b94484b6dfbecc896c90feb02476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
89KB

MD5
98db18464a56f95219347f617c10988a

SHA1
4b7ceb7f088678f5affa0520bb33226039db1b07

SHA256
ab049abeadebd891ac067b41a84047617988d00e01b5fb1ff8e6fc8da3407c62

SHA512
58158ca51dbac3319830909bfc45ebc4a35d753e551fdc449bc1579b03eca133d4d8970615aef1f171fbe307b73e24adf0ef1656f047be75d3395a233c058b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
64d3be46eb793f6fe19bee805638cb80

SHA1
93bd75cf654214f8a76af8e1290499147d971c5c

SHA256
74c048fd2c6c9516438db1f627419a783622abcdc0522a5c4a1a568317a3d13c

SHA512
4646ac163dcc465669a868003b2667752eef8cad1f40dbff48c7f5d4c5f2120637f2514a0202f2008d52edfb377d1341d1b0411e556011ce9e2de194ee405908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
ed5bdb90f9644471a1ef7d49ddcda1df

SHA1
d38408dd594d43394fbbdb746a34e2c3727e434c

SHA256
2b200ddc3e5f4a7f7e4ac282b506de9636c289de088cc0cc2eca955494595012

SHA512
7097da1301b7d1ae0bce595bedaafd436e2961d7ffa231f3fe6c7a87ec93710a4cda52c4298acd0ea4c957acb98e5cfe80a556cd54a80a90df94b5285600e71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4780d24bee4d976a_0

Filesize
188KB

MD5
f903757aabb00de0b7000c2805184e6b

SHA1
8f49df76049e7f67d084ea31f892915cb8663b08

SHA256
677f7bcd480b2b39e28e92287272e3bd0ee8ecae8d98cbe319e6aa6e0d686429

SHA512
5890a53f0c9facbf541ee3bcf3eabed2ce198c6f849da6f74001dbafb77112eb37e61bfb6ec28c39540352c183664fd84376e9ca62924d1401a817c92234dac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\519d22f6a659f621_0

Filesize
1.1MB

MD5
ed05bb129f9f71fa74adab0dc04c6bdc

SHA1
2a9de1cba17549e9276e52fd4e417de9694edc82

SHA256
0c1846770003466e700ad155abc2d33cd4991612eb51015de0a6da8f2f6df591

SHA512
c5cb3317a1513e6dabf249ba47bb298e901eb60ed4e88034f3a3c56c4f6dc72f92f47ef17f043cc0dfad5c3487795f47405d2d1ea927bb0c6c6df1773f5d14a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
fa2cf6262a0fc2ac7299ab65ec818dce

SHA1
c8bdd8a95d5e8a507172008d9a4832bbaa2ef634

SHA256
e0bd5d3388f2cacf485c10562b16959f3d885d93750d4b1f2a2387c30d7cd9d1

SHA512
41f4265e58112343bf7cbee0f723b6befaa6ecabcf1863c81e2d036865cb0b5464b2d50ea2ee37723a2fda0edd8b789972d8ba931fde63ab0f24212f058d6b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\84ee0fe5852b3b96_0

Filesize
1KB

MD5
7294d89d774ac74a1cb3b1f54848a3ef

SHA1
a350f7d32c37b8b68459c8da4cbef932ed8373a1

SHA256
62f1de90ef3ceeec3e20757ca546b08cd73de8d4672ae55ecfd0559a00e087b8

SHA512
84403af8128427ebf868bd5104121aa665e584359b5d499f51143e6ff7e9fbe39418d81662a31a1c55c003a9802904b8850f3cdcb654a764297e32452994e8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8f46b5e85629224b_0

Filesize
297B

MD5
bf08ded872a29938d7dd9b64b8c69061

SHA1
047195a79b83bd2fdc129b4f1ba6a5311d398a73

SHA256
c591827d92cad023663603e0e105dd4e06a31cba3fdc56a1420fa885957ff9f1

SHA512
572ac04512e37b4b954a68f44610daf4f3fb5735e64d002eabd75c195f69919c9e593a8d4fb0c15e84b90248e0b3d209d1ac3c1e9fa41ca0a9ad052240224e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bd0e8d961948aa3c_0

Filesize
295KB

MD5
65b336e4e154aa3952660d9e82a55357

SHA1
02649bb29283258d8a367f06ad07e1b4eca728e1

SHA256
f485111ccae75d93275a0834801d0463243bdf37471ffbbb96f8463f4a1503f2

SHA512
9f1084e3bc62b04a5f03c9b78a62911bd7a922a8c148d2c1e6f378a28cadf3c265f5855cab2d3c8a329873d76c3397073ca743a857813199fb85204636aa96fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d67e0bb6c1de79f5_0

Filesize
1.3MB

MD5
6c6c1c2caa198792ecc4564f83fef214

SHA1
5b081fa7cd5b1aee07450d3a3863a99d17fd276f

SHA256
8d46fdde7dbedfbf303cf62b9368e1b50cca6528e55575eff6232cfd5773c942

SHA512
0a54776b15c66130de617b8e5170df755925c39460773943691f268d122ac34a5f77857937571340b3a1e9fadfd68c9dad3dad7e1e0448d1921a9f56eab37d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
6fcd62b5f1abe7721dbca96e9825aa12

SHA1
554bf276e46ea5a33a49f13b1e25be4d50b1dcaa

SHA256
1dc4370b1e5ab7e174bd74778dcf9bccd5c9948f320c47f69e9ec6086594e40e

SHA512
c172fa58c2d464954b69e06ab634b9f29007b9df083bed2893c89845f8d27bbcd87a50ed14995cd18f1dbaadc9d915a1f4e16cde4a14d57cb06d636a6d1daf07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db248203fe6d132f10272bd38cff7d1e

SHA1
3a130c00b62ee77f8fa2d73273f59563f7bba24f

SHA256
5631f88b1bb828d4499cbc7c21e32a02ecc3104de88b5359894704fc0f07a5b5

SHA512
9f79f79987e4ab7a1112fdbc067c934719ed3719bb34a4d710e85dca72d8c13f71a45fdf466c62f44409bb604ea5218d3609c6f8dadda508aaf8e6fe6b5779fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ee4d0bad656292e3f598bee56c85c0c

SHA1
1d96bcf9c9e40408bf2bd03df701dd28fb0b3021

SHA256
26d3e82f3fa0b161fcef15a03f91a8978909a4f133769889e8355cc754296fc7

SHA512
7016234c673fb077e9e97b91fbd46612f144c94d12cb8501f66322062a2eecdae32e7645451edc3e5509a67db24d11d6ff7c8a47892feeb3f0fa7b03e3976d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d982689744f8875260417bd95d8f224

SHA1
98df506d911d45cd064f5b969ac13e49bde4e7e8

SHA256
5fc28da9d6d0b49da366daa651cb238d4b0483d6196fd71455189ae8ffe65478

SHA512
ecb8ad1f1daa0e2516de2f7156283b66299d57efff198803b167c4757daa42ed5620666fc4d746ce64e9a3c756cbecd1deb917452e05eb09a98779ee627253cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e37c0a8c64141b1d9e11b39e85ce780

SHA1
af574823bd2749e2b0c2ea61d4b0e92a93af3db4

SHA256
e9dbe41b7dfa0e33fcce0389b3ce668a6ffad089b831fa4fff123fbe6beae72c

SHA512
bf5018b1526cee541b0d40024d8245866db2bb93317cfaa302e85d128f5fe202adc01075f1502fcaa8cf5c5c932d242dc17fbc29c48170268a7b611549ca2f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e625cf77783e86f8f6ecef812361a15

SHA1
bdfb717712d1c67b80ec922048dbb2f7a32ff738

SHA256
8bdb0781be9f98f81a650fa1e9900468b987bb76488046a9803994d0cc8b416d

SHA512
672b137cc82aa774fe1793cd53b4d7f324da5883b58d3015af81543d475a8ac3d1f3f6267b8d2b2d7e0dd0c9f6e7227f19f39785b6477e87aca64e21bf4ef1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
7354de2b79071a010478f80efd293e33

SHA1
aef370d667f052f87cc81c1a68c972a1953c71b2

SHA256
acf993d92fb998b7c4bdfa7ca2ee0f166c423046c548d3ed43ea60377f247209

SHA512
255922be4389474a55ed0d8e5923597738e896e9e1c61cc0e590af1fee10aac0c0553b0e58ffc2c032e0fbdd26d12420d8ae1eb56be6aa5f7b9992e66c61f9fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
32d38ba596716e06ae590d41314184bd

SHA1
638a7ad170def82eedaa72d5777ffaba3987d92b

SHA256
b61002d3dcdc690bcff8c885e8d2d93f9c2c885b3dcfea350458cae36893482a

SHA512
e0ecfba39e8e72b11ac3d4e2a99a95c844e5f1fafa76f9f0459f0f1c680f88509b0227451a714f5f48015fc99c7906ac4b5c79b8af783a7968debb3f475c864c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
692b807319cab752d1bc3a048967b353

SHA1
f12c881b479768fddb1a145fe1efd9a065645625

SHA256
4bbc1b6564e3191172e3a7a6ca341a739f5727d319ac6239d3284a26dac3363d

SHA512
765b7c5d8d1251d8ac6d39433adfc1754013f07c897e1b2117c5b4588e469326171a2b9a5fc5e5c8cc1f68bdb9d30ad6d9d2456b93545dc2bdff7eac788b6bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
5869c9bbacb2a281ee49c35bf0105365

SHA1
daaf79a1fbb5cfb05616a6294a189105ad99e32e

SHA256
aa638d77030e74cca951bc446e35ecf46dab93f1f6b21e6ad675b2380d329f6e

SHA512
b0b1754d0c83972361257f17909655005f8a00b209adb603231583823bebd327adf6daefee2b99ad31ea19fc60bb5d1a0555ed1c4688704de3b0731b179b31fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f0f3.TMP

Filesize
371B

MD5
9aa1563ce2b841b668db33e060c30f96

SHA1
b732f87a16629c4e6d1bfa8621f4f227e9eece6b

SHA256
dc89cb80f2707c673f07e6b82f1d1ac3d179af0d69c36acba76be8f97fa5359b

SHA512
5744984930576b76eba9356ded737a6cdbbcd5c72c6d8091a77b5e41e1273a0eca413292df8b4acabaaec762b3970eaa4d1bf7b799aec1fe95fadeab92d77bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b6f837a457f4f33d6783d38abbea3e8

SHA1
c3bb677766c39d295afc70e6176167df584220f3

SHA256
4d4bc36a4af0223988f1ef8d5f420e74103290cac129d57ab4b612a0e57111b3

SHA512
50bc0c7df03d57457fa4dff7b2b5569521b431cfae5a04ba4143916e38a27b9bb0d9dc0f9f7e0e447074166ecbd81e179f0d35abdda65a90082517a1d4234afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

Filesize
111B

MD5
2c35f1378dee4fe9cae3a4b1babf0a98

SHA1
cf1dea21a262a13198cd74d2dd6bee9899b91e77

SHA256
960698bd3ce9cf5e020bc727a0208d323f8da669b5e1b12e8a105b7ad517192e

SHA512
16451a1fb82e951c8652f1e88ad32f1928228e11736b7bea9922a3e6fad533c9c9bf45ffcfc1ec0c973b668b2bc14aac1a079cac0b9eade4a678bb964b9246bf

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
850KB

MD5
f87e2aeb7bcbbb476a5d157602e47dca

SHA1
238f66f3053f2e154bf0a099aeab72698f6689e3

SHA256
848aee75718b5e635f13a64dcb64dd0c0d4d44228952d2941a9c4c1c14fd7ea1

SHA512
274b995615962f3ab52eacc6c393a76dc46aa431d109d450e37971548c0181d4ffbf048de6b2aad20aac82920f6aab425b2ce41887e1eb69e47ec28cc2798f47

Download Submit
memory/376-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/376-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/376-21-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/376-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/376-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/388-6-0x0000000006270000-0x000000000630C000-memory.dmp

Filesize
624KB

Download
memory/388-7-0x0000000004E40000-0x0000000004E48000-memory.dmp

Filesize
32KB

Download
memory/388-1-0x0000000000110000-0x00000000001EA000-memory.dmp

Filesize
872KB

Download
memory/388-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/388-10-0x0000000006750000-0x000000000681C000-memory.dmp

Filesize
816KB

Download
memory/388-9-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/388-8-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/388-2-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/388-18-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/388-5-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/388-4-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/388-3-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/2144-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2144-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2144-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download