remcos | 1d550002b6b2cd4ffdcb4be7190d28777fe738c71c9ebb30918198beab54a6f2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Size

959KB
MD5

976bea63c8cf1f39ec45ed3eb69c5beb
SHA1

f707ca94bc8afe8d68d847a264ad77e15d5c8075
SHA256

46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93
SHA512

22003227effe345d6384e07cf5ee5c38ea5259653daa8e7b2f39ebba270e908c53a5b0b89e453349ee42e96901f25751b2f5f6ad8da0254182a426ef80dd07df
SSDEEP

24576:WhLw9gTFvRIULTZPnRrnqmDhX7/XSY05atRNRdS:CZvRBXv7vhXzXhTbRdS

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

66.63.162.79:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1CY96M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1944	powershell.exe
4760	powershell.exe
2904	powershell.exe
5028	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	remcos.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	remcos.exe
1984	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 2544 set thread context of 1984	2544	remcos.exe	111
PID 1984 set thread context of 4336	1984	remcos.exe	112
PID 1984 set thread context of 816	1984	remcos.exe	136
PID 1984 set thread context of 3628	1984	remcos.exe	145
PID 1984 set thread context of 5852	1984	remcos.exe	162
PID 1984 set thread context of 4548	1984	remcos.exe	171
PID 1984 set thread context of 5980	1984	remcos.exe	183

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4592	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
2904	powershell.exe
2904	powershell.exe
4760	powershell.exe
4760	powershell.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
2904	powershell.exe
4760	powershell.exe
2544	remcos.exe
2544	remcos.exe
2544	remcos.exe
2544	remcos.exe
2544	remcos.exe
2544	remcos.exe
2544	remcos.exe
2544	remcos.exe
1944	powershell.exe
5028	powershell.exe
2544	remcos.exe
1944	powershell.exe
5028	powershell.exe
3624	msedge.exe
3624	msedge.exe
4260	msedge.exe
4260	msedge.exe
4748	identity_helper.exe
4748	identity_helper.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1984	remcos.exe
1984	remcos.exe
1984	remcos.exe
1984	remcos.exe
1984	remcos.exe
1984	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2544	remcos.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4760	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	94
PID 3048 wrote to memory of 4760	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	94
PID 3048 wrote to memory of 4760	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	94
PID 3048 wrote to memory of 2904	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	96
PID 3048 wrote to memory of 2904	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	96
PID 3048 wrote to memory of 2904	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	96
PID 3048 wrote to memory of 4592	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	98
PID 3048 wrote to memory of 4592	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	98
PID 3048 wrote to memory of 4592	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	98
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3048 wrote to memory of 3756	3048	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	100
PID 3756 wrote to memory of 2544	3756	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	101
PID 3756 wrote to memory of 2544	3756	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	101
PID 3756 wrote to memory of 2544	3756	46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe	101
PID 2544 wrote to memory of 5028	2544	remcos.exe	105
PID 2544 wrote to memory of 5028	2544	remcos.exe	105
PID 2544 wrote to memory of 5028	2544	remcos.exe	105
PID 2544 wrote to memory of 1944	2544	remcos.exe	107
PID 2544 wrote to memory of 1944	2544	remcos.exe	107
PID 2544 wrote to memory of 1944	2544	remcos.exe	107
PID 2544 wrote to memory of 2952	2544	remcos.exe	109
PID 2544 wrote to memory of 2952	2544	remcos.exe	109
PID 2544 wrote to memory of 2952	2544	remcos.exe	109
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 2544 wrote to memory of 1984	2544	remcos.exe	111
PID 1984 wrote to memory of 4336	1984	remcos.exe	112
PID 1984 wrote to memory of 4336	1984	remcos.exe	112
PID 1984 wrote to memory of 4336	1984	remcos.exe	112
PID 1984 wrote to memory of 4336	1984	remcos.exe	112
PID 4336 wrote to memory of 4260	4336	svchost.exe	113
PID 4336 wrote to memory of 4260	4336	svchost.exe	113
PID 4260 wrote to memory of 2796	4260	msedge.exe	114
PID 4260 wrote to memory of 2796	4260	msedge.exe	114
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115
PID 4260 wrote to memory of 3484	4260	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
"C:\Users\Admin\AppData\Local\Temp\46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bXbaAKkaFi.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bXbaAKkaFi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A95.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe
  "C:\Users\Admin\AppData\Local\Temp\46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bXbaAKkaFi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bXbaAKkaFi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AE3.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2952
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:2796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        7⤵
        
        PID:3484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
        7⤵
        
        PID:672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        7⤵
        
        PID:396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        7⤵
        
        PID:3336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        7⤵
        
        PID:1412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
        7⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        7⤵
        
        PID:3584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        7⤵
        
        PID:3460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        7⤵
        
        PID:4292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
        7⤵
        
        PID:4896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        7⤵
        
        PID:2568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
        7⤵
        
        PID:2972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
        7⤵
        
        PID:2868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        7⤵
        
        PID:1316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
        7⤵
        
        PID:756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        7⤵
        
        PID:5140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
        7⤵
        
        PID:5572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
        7⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
        7⤵
        
        PID:4648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
        7⤵
        
        PID:5944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
        7⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
        7⤵
        
        PID:4680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        7⤵
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
        7⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
        7⤵
        
        PID:1756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
        7⤵
        
        PID:4680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
        7⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14369418821132007956,12644400221808046220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
        7⤵
        
        PID:4136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:4292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:5520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:5844
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:5724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:3572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab5846f8,0x7fffab584708,0x7fffab584718
        7⤵
        
        PID:5432
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
959KB

MD5
976bea63c8cf1f39ec45ed3eb69c5beb

SHA1
f707ca94bc8afe8d68d847a264ad77e15d5c8075

SHA256
46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93

SHA512
22003227effe345d6384e07cf5ee5c38ea5259653daa8e7b2f39ebba270e908c53a5b0b89e453349ee42e96901f25751b2f5f6ad8da0254182a426ef80dd07df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c86fe6e-aaf6-4d73-9761-22ac18933ecd.tmp

Filesize
371B

MD5
cdda763369aafa9ea18d5bd08dc58f5d

SHA1
843b6aa16c36de064b027a791d1f5f5d5cd87e6b

SHA256
8c7b36fc9abf2dd660e3f6fcfac48850bb9854892de741ac9788cc739a8a8a9f

SHA512
c10c39a1056c3db4e22294dc5e565b233dcebc779d0a8e6017db4224e31c3ff95c1939569007828a86a75981cab805236516acfb7ab059e0ae0c71f1200ad6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
68KB

MD5
debb8e478711b4da34163f63d2f86e19

SHA1
17fb8d650de3bccc647ada89a1d2e8a17484ef29

SHA256
7f3c5e4a4880f736cebf61db91f751c5c6e7e29306cf2705c86e0554aa4e2a13

SHA512
f1d8417e134a32fffe089166fdd6fa4e3ee26fd9800557560632c1bcbc45f0064e2a9457c6a5b912df408d1f77f09b27a4b81c44080ac1c0f4f5e40f9f31e5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
486KB

MD5
9125f2721f58f9446c6fd7d5b0691f3f

SHA1
acc0ba9eb5ce3a7eff9d5de315657b6e2f89f4a8

SHA256
89097617406a425e08998ba9c248c247f0b7fcd5fcaf77c5244de54c06416921

SHA512
26b1cc0154bf7aca16070dfbd78911630ee332c3891d9f239a25e27ebf6c08823e4e3800b17d979e9549a70d9d8732723915b05c1a24463df41adf0b78456a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
32KB

MD5
6e78ee324e008296108bfcdecd77e318

SHA1
f7c39ee02c65bceb2c66ad2d7f45523feb5ad156

SHA256
eb7a4ff0f8ed4c8a95b2183968b5a59f4058b177f580ae2d2bef4595b6f6e092

SHA512
bcfff936bcc46ab4120690cff3af93491080e13084ea2bcd8bce1a2470ea86eb007d695aef23b73e0b84cb3c7fbf351d025be47ec5d232ab613a420074f8a448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1a6c21ba34b7eb2c_0

Filesize
297B

MD5
1de84dca1d66101fdf06a6fa17af3a96

SHA1
1d2f65f94b971e0eb146f5ceefc655b2b56fc5e2

SHA256
5a372f935702c6eff81d784e66c50f5f4c94bebbab5690660f7f3ca8b99425c0

SHA512
01f3c666b761b700cadfb13201797a61328270c9610612f35a9b4b71e2a918b5ffcba6912b38228198f9691998aa5339c3c1bf87b1ed2802c3672dbbbcfe2b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\27ed6d3cc6961400_0

Filesize
1KB

MD5
b8cfcf153259acfd527e259104d0281b

SHA1
d4fc0edebb9d2f8bc356688df9833f7785be6a43

SHA256
03449393f6a3056eff6a5415e3675c31f7fc2a243a08a8eb9e2c3bd5490e0732

SHA512
6a126bd4b8ae22625c4b40e90eea583c16f7778d809b87e15c4762d21dbcf44409939200f70b835791629edb1430ba34149c030e62152552e128b22d72087601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\29f67077b04f6f6e_0

Filesize
188KB

MD5
ea4a6904b4202670f128d53320fbc507

SHA1
ef71801d2262fb28fae5f9db45d68cc38cac9561

SHA256
ecb3f3ac69d76f495090938287bcc21556e10fdf75f25fadf6b7b336dc0c7eab

SHA512
b44efd5b34d742dc5c907aaea9f13b559486f8fb6d75239958822193d42a788e86a8e8ef7c198ff1cbe9c320d6b781d37218fa2b9619ff9ca27f42a9bff7f26f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f36559b58f83917_0

Filesize
1.2MB

MD5
dffa13855b5bb158d3698348083e3697

SHA1
b97786bff624a6d635b0ffb66d5194a1d8970a36

SHA256
5eaf91b1b43630eefecb5b311bd9a7bdb938b18a6c0ae112df2ee10052087e64

SHA512
746b3d2e5f08f8136896a802ad572fdc9320137d9441229c7874603dbc5507bf56bde85efaec03243a7fe4d261b94bdcf51743afdec59ea89cc27b1ee7499f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
4081c773998f25545b701f68ec386a00

SHA1
a60f54b5e58b757dc391ea392c3913439700a72a

SHA256
cc86c32f6cdf2a486171429b242f77411c914ead7182ba627cf0c6e8c66e3734

SHA512
961192a6943305c17257952da16204370fec0262a784febbd8f53d67dba6eba796341064075ee7caedc4a3c9ace588f6ac34be93f50327e171fecff023e3ab81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
f4467d10516d8e41cfea8fea2780d332

SHA1
022ac23f3b8af8ed20c775c0a68842ba8d6963cf

SHA256
726f1715fb8eb5f27fc44c4573a03c65e00799bce6239942fd1a655af08c7165

SHA512
15836cd1b13314c1577e0edbe44d9c654b50ee84fd32c229f18828d69521cc9f3551669f1344b5d1e773b01a94f9cd45b5a152dff8458d035f9d5995136cd4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7d0a74c181bb8cd7_0

Filesize
295KB

MD5
f15faf2271f79d78da702930e5cb1e6f

SHA1
a3d2124fe5eb809bedb43624581f234bdb19b106

SHA256
803ece2d1c44088c68ac0c0e0d5ff33be4315b89cbfbd63a13c270b8b5faed32

SHA512
c4a05f2860c0813d8970ecb8b04a7336c58b5b05c6074ddaf35402519017050f3b436a1d5d9eac5c1fb92c8f50248588d306332e94f7731532312f5cd252891a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d7fcdfadfe68d27b_0

Filesize
1.3MB

MD5
1f6666e13e1c3a3615e0ff05f4097f9f

SHA1
6f95b83a9a3225459ac57c5c6bc262008fbb7a51

SHA256
9c8dd89a9f1caaed4b0f9e50f4fe556a498358b5a463c9248a870892342cb7da

SHA512
3df3b4aef80a37577f56f940980bf0e2f2ba75b469f845e4360dc4f92f25e8d7b5c6ba591e786dd50706868f82117185ce0e050936d0458e2791db62e7034632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
37e31aa54443a614303f05a3ca0117e9

SHA1
f16072ccdcdc563093b7a8f2a5f03fbadea1eb3d

SHA256
188b5e42e0d193404799e684bbef99c7a4ab2b02f4c6deaa8421cdd34f7953ca

SHA512
77fb79687128b0bf9df31da98db9c53787e16427afbf3b795416d73f73256885794999fb5433d59779c84d09ad3ae8a14306ae4390b30ab1fe3527749b166882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
6f0956b7320621e2add229397b16cc4e

SHA1
87428f0d0ee271f3e9edbb647569ffd17e6539c0

SHA256
a0c000dd88d7120fb62fe5008e6b6dee6a948e93cbe6fad152ab227bbb04f71a

SHA512
d00a4b80c6ccc972a6c4d35e1a4739f49e4292b33ea83924a7a3f8a0a599fcf6714da0431bdf7f1f4a351febb000d91f63e010ad0d8070163822f262bb5bda99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5a13491af3a74f0efa7357e08712857

SHA1
29713512d47ee09f7436b389bdf5fc437904bdbf

SHA256
e059b13381506b7c2ce3b312868d1ddae896f78cc967e9a2d4baf8469d93b907

SHA512
7d71f539e5b36c700e7d3538ec383c167f49d9226de4bc3c33c95e092e44cb309b9abd6b686a6cde3289ac7d0ba1889f39e4c67c35146b812173016d533e3e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd90272ef499fb34b38acd0e4c663cb3

SHA1
20ecbaecc7fb8f59a845d71516410c214df62a5f

SHA256
2be97b103ed0398f5f10f1c8163245960aa7e530364810182bc61a727ab55300

SHA512
eaec95a2667f7ac8243ce6defa4e86381cc9ffb30f911a9c3fc1b2cb6f2bcff44a355837602661442a09da5af4c40dff9ef76c153943f6a51d94a985793ad402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb855fcc38b624de6b0b8083054a0ef2

SHA1
86f19779df61e26b155ac46c02d7016e1bb3366c

SHA256
2190d86212b401f492f2026b42857a00b7f898fa1b4f15afbc35dd2638678e03

SHA512
55fe29204ebaa440e16cb3093248aad76368cecc490affd6f47bafe8ab5ef172d3acb59f6fa506a61fabb26c03160e6eb5798c21cecb3d04bad2a9a59b49d634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6224109145231eebbdfb2b8687ef8a95

SHA1
d5b31507bbcf031058f4586c29fb3d917f0b7458

SHA256
d2ac437a0eb6dca84a2752e8a463d2f8853e743df879c7244c06dfbdea20e95b

SHA512
e0d016104d708bda984ccfd364994ba4a64fe7121e1e3065c3c9fd8b2bb6840799c96eeed94be0aab29b80b9067ac5bab8f5ae3643ec8a4f166a04b4c51ab5bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8973ef4f670595d41cc330c6de0e05c8

SHA1
a9e595b1a668f782789145ca377b7a44340484ca

SHA256
e2b4eb9a31837a576bde074b1f7bdb906032f9f256143daaa7ab0d919c24d72f

SHA512
fbee426d7ec3bf74410dca3229807febf8e09387867e645867a4936f1996f8d400e897ec8ec373864855b1cedb8cf536b8a40fc7638e22897c71020fa16ec607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf2bae1ccd238deba457e20d9afd8e71

SHA1
ceed62bd88efd22754d87388f4076c1c87aabd2d

SHA256
dfd013b32d03b82d95847ad311889a2cde5fa510123134381f994c264d2048a1

SHA512
0afe418a127b4c4a75fe2ce8b9ef036b241bf8679a848995bde3e52947d17f3d0e3136731346c62a481f9b6cb59cf6126ea607e08fc61691e259ca1b39be3121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92ddd0fcbd06b552e76c85a94a573bbe

SHA1
3511331da67c6599768dbfd1358f53bd6f8b805b

SHA256
6fa99327b9155d8f334af83be7b2743ca6812f0a8ace7ff7d581cd7b85c618ff

SHA512
53055526b019ef78413b0e5f734a421dced6c9ea234128030f5175742c2aaa2e3d3ea42b2a2416b8d9f649f417a605fdf46cb766de83c08a8c7e22b7021ca99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
fbef3b7945f1cc4577e612c0a5bace00

SHA1
71e7d95e1bd4b1bd81f2e50ec5b6e143d8a0e7eb

SHA256
f5d61012e766b356af253777f6182745fe4b4b7069cc86c495e860ee23f1a0d5

SHA512
9fab91484c7944a48f11cb22bce964380e9ab879b0b176fca43c57760e6f773f069a5c35fe8904ec885d8f9fb5c7458aee1725a08d4e9a36bb22248425b50cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
1dc9d65aac78414705eebf7bd4404a29

SHA1
9784fde758464714a565b03ca496c0d9332714a1

SHA256
79db374ced89abc32fa0173ebd4d9610a83aa5ac2cd192ae72e48c0f5caf01e6

SHA512
2f3c7da8bd1c9984d6e794b82af8af8d9543f23c661ebbd42d38dcc79ad4cb4b01bf53557ec0dfe7cdab3723d49fa6e712b55cf559d94ef39c98e66723f5199a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
e72e22b18476073eae045dd546c4486f

SHA1
e9c8ff45334e3d64275c11963e727060ae5e0c59

SHA256
b98adc02d983e04e581f33f421727ff364fc88e6f6dc7eca9112d56ced730bf2

SHA512
b039ac27650a1ebf5bdf65c70ffcd46a0312fe3640b6ef2af148c72cbb9e45619014fd86046ea5854abde00c220e46c5a458bea239c0f2b286f5e61dee402872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59114c.TMP

Filesize
371B

MD5
cd4ded1764effdf9ea30d01e5251f358

SHA1
36b600987dd58e3e586f72ef2d22d88f3bcf29f9

SHA256
8993760ae3832f889c82ca05f316e9513c0b1f3fdb80f8b1f75b10b76f967f22

SHA512
0fe66c657405b48c6bb17e2f8173f36afd55ac2c558b77ea378f8c03c934ed7ba4025f545f5cfc18334dac0b191152ddfb809c1dde520c2f128183e36d84297a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a097114b-8421-494c-814e-bfb0d9bdabd6.tmp

Filesize
371B

MD5
68c6171c2bf853fafc7316c0d71bed12

SHA1
f792c35d986d7a3651e4554473a865093b865b75

SHA256
0b9dbb5a73c17d43b26df9e41524010f2af484d9ac597783feb760d72cacfda3

SHA512
811e6f8bb24ecaa935a5c6bc5d9ca223d2eed4cc9392cdf2749fedd131054c22ec5f545a7ea09676f0dae570416f454971268c63297a0a4bd6ac92e29ece86fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0bfd188cbe9c3ece93a51500b21fe51f

SHA1
2777a54228e0998dbff10c1567ca01826a737a73

SHA256
3aeb7fee7d0c8a07001a21475f913423895740d1bc66006e2649fc3b7b709050

SHA512
f961b535526dad05215f75654578c8295c9901b6f82555880fc26f1efd4f5fbb90b939a4dfb58ec9dfacf427b51e62e0494932b251ff55741ba9ae30f59d5b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3485bcea020761e68c2f9eea0be92884

SHA1
0ca248b7c6d7d99518aa48fe9c5aa300a5304568

SHA256
d65b6ef8a84a030c5610d764bb170a20d6f31c2e3e2f4ca967600a1df7a45cf4

SHA512
70be7589ad6d42e702fa82bfdb93b3aad9df8b7dfb9615719c1d9dcb3ff8a4784d6335adabd2967c97cf6de0b088ac690f4e1322ca1d1a68c273dfc7d5117f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
70906ec241a4a38b57fd781f05c80521

SHA1
c0184d73924119d4bc4dad75418e5779f5229cbc

SHA256
0a3161b079e3c0c75e46a77ac20f3842c1e5ba2f8c5f2dc5746231b89db19a1c

SHA512
a29ba2b5943dd67d9d3393c340b671143bd5cd6316ca4f2dec693cb70d34cb098577580f11d43507aa4768a2f80e9ea09b9a23c63cdf2544183028339768a5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c01a02aad220922378a4d0bf3e623ad8

SHA1
9becb57cb938eca7b241414b43be71174d5dcb22

SHA256
ae0c31c3331557f09d6856d8e942cd6f1dff44b6c62d2ecdc6a45049c408f45f

SHA512
2f463ef439fb33f1bbf47f6e8f6639f2dfe0785b7b04728779ca4b6c3b08c63ca088de2eeda5e902cc29e5925dd0701154e7f2297124188c60f9e9ff48d8bcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1b3mbiy4.1be.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A95.tmp

Filesize
1KB

MD5
ac69d8ecc7292dea3d4a1ce63a97e8b1

SHA1
8cae6749e46048021d492bd8ca018d3c9d1a0ba0

SHA256
117d2cc61a62ba768e978e27dfd2966ab3138c40e99a2ffaeb214ebbebfd4131

SHA512
7c3695430e084844ae495f2574c5b0c37673e2e17a9af3894254ae21be3004b04a52f45d155b17330a20742c889fba53660830aa9db283f9e2580e115edb5da2

Download Submit
memory/816-296-0x0000000000800000-0x00000000008F2000-memory.dmp

Filesize
968KB

Download
memory/1944-182-0x00000000759B0000-0x00000000759FC000-memory.dmp

Filesize
304KB

Download
memory/1944-181-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/1944-204-0x00000000070F0000-0x0000000007104000-memory.dmp

Filesize
80KB

Download
memory/1944-203-0x00000000070B0000-0x00000000070C1000-memory.dmp

Filesize
68KB

Download
memory/1944-192-0x0000000006E00000-0x0000000006EA3000-memory.dmp

Filesize
652KB

Download
memory/1984-354-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-355-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-553-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-554-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-723-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-722-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2904-35-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2904-101-0x0000000006430000-0x000000000647C000-memory.dmp

Filesize
304KB

Download
memory/2904-149-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2904-19-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2904-113-0x0000000071490000-0x00000000714DC000-memory.dmp

Filesize
304KB

Download
memory/2904-138-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/2904-123-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/2904-20-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2904-33-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/2904-134-0x00000000072A0000-0x0000000007343000-memory.dmp

Filesize
652KB

Download
memory/2904-27-0x00000000051F0000-0x0000000005212000-memory.dmp

Filesize
136KB

Download
memory/2904-112-0x0000000007050000-0x0000000007082000-memory.dmp

Filesize
200KB

Download
memory/2904-143-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/2904-34-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/2904-137-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/2904-139-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/2904-100-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2904-142-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/2904-42-0x0000000005AE0000-0x0000000005E34000-memory.dmp

Filesize
3.3MB

Download
memory/3048-0-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/3048-6-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/3048-99-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/3048-5-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/3048-1-0x00000000002B0000-0x00000000003A2000-memory.dmp

Filesize
968KB

Download
memory/3048-10-0x000000000A6A0000-0x000000000A760000-memory.dmp

Filesize
768KB

Download
memory/3048-9-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/3048-4-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/3048-8-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/3048-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/3048-7-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/3048-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/3628-399-0x0000000001040000-0x0000000001132000-memory.dmp

Filesize
968KB

Download
memory/3756-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3756-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4336-170-0x0000000000CE0000-0x0000000000DD2000-memory.dmp

Filesize
968KB

Download
memory/4548-623-0x0000000001280000-0x0000000001372000-memory.dmp

Filesize
968KB

Download
memory/4760-141-0x0000000007CB0000-0x0000000007CC4000-memory.dmp

Filesize
80KB

Download
memory/4760-124-0x0000000071490000-0x00000000714DC000-memory.dmp

Filesize
304KB

Download
memory/4760-16-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/4760-17-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4760-18-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4760-150-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4760-36-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/4760-15-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/4760-136-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/4760-135-0x00000000080B0000-0x000000000872A000-memory.dmp

Filesize
6.5MB

Download
memory/4760-140-0x0000000007CA0000-0x0000000007CAE000-memory.dmp

Filesize
56KB

Download
memory/5028-193-0x00000000759B0000-0x00000000759FC000-memory.dmp

Filesize
304KB

Download
memory/5028-159-0x00000000054B0000-0x0000000005804000-memory.dmp

Filesize
3.3MB

Download
memory/5852-519-0x0000000001000000-0x00000000010F2000-memory.dmp

Filesize
968KB

Download