Overview

overview

10

Static

static

1

RFQ.exe

windows7-x64

10

RFQ.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ.exe

  • Size

    1.4MB

  • MD5

    a88b0ddc1c80b37e8af7ca017929bf88

  • SHA1

    601ae4b9be7c6619680d6ac19e4dae3acb572464

  • SHA256

    9b6c97ad4d3d563b1bf7330e0aef16649514a1e0ac422bf99368bbb5a0069c4c

  • SHA512

    a776e6d0db9c16ed2b2ce90ed06f3cdc4101e05399503c201a8c409a3d4b8b846d7a6dce5ca634199946962a6655788b7d6bed44509e76bd69a7590c3dbbe927

  • SSDEEP

    24576:ozsSzxWeyf1eLZajkRqxnTf/7UeCL4EryZNK0P+:ozsUW5fJkUnTfDUe04Ee7bW

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.16.54:6092

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-YJ70D0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    true

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\ProgramData\Remcos\remcos.exe
        "C:\ProgramData\Remcos\remcos.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3920
        • C:\ProgramData\Remcos\remcos.exe
          "C:\ProgramData\Remcos\remcos.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2928
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4772
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0xd8,0x104,0xfc,0x108,0x7fffe95f46f8,0x7fffe95f4708,0x7fffe95f4718
                7⤵
                  PID:1980
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
                  7⤵
                    PID:2000
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4004
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
                    7⤵
                      PID:1720
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
                      7⤵
                        PID:3500
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
                        7⤵
                          PID:2776
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
                          7⤵
                            PID:2412
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
                            7⤵
                              PID:668
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
                              7⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1796
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
                              7⤵
                                PID:3900
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
                                7⤵
                                  PID:656
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
                                  7⤵
                                    PID:1200
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                                    7⤵
                                      PID:1768
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
                                      7⤵
                                        PID:908
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12991491390391006968,8701574706371277436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
                                        7⤵
                                          PID:4508
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                                        6⤵
                                          PID:2552
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe95f46f8,0x7fffe95f4708,0x7fffe95f4718
                                            7⤵
                                              PID:3620
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2632
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4832

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\ProgramData\Remcos\remcos.exe
                                      Filesize

                                      1.4MB

                                      MD5

                                      a88b0ddc1c80b37e8af7ca017929bf88

                                      SHA1

                                      601ae4b9be7c6619680d6ac19e4dae3acb572464

                                      SHA256

                                      9b6c97ad4d3d563b1bf7330e0aef16649514a1e0ac422bf99368bbb5a0069c4c

                                      SHA512

                                      a776e6d0db9c16ed2b2ce90ed06f3cdc4101e05399503c201a8c409a3d4b8b846d7a6dce5ca634199946962a6655788b7d6bed44509e76bd69a7590c3dbbe927

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                      Filesize

                                      2KB

                                      MD5

                                      968cb9309758126772781b83adb8a28f

                                      SHA1

                                      8da30e71accf186b2ba11da1797cf67f8f78b47c

                                      SHA256

                                      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                      SHA512

                                      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      37f660dd4b6ddf23bc37f5c823d1c33a

                                      SHA1

                                      1c35538aa307a3e09d15519df6ace99674ae428b

                                      SHA256

                                      4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                      SHA512

                                      807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      d7cb450b1315c63b1d5d89d98ba22da5

                                      SHA1

                                      694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                      SHA256

                                      38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                      SHA512

                                      df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                      Filesize

                                      264B

                                      MD5

                                      5ac3f593f14ae201bb29e722654064ce

                                      SHA1

                                      0bc276dd100660076ed2a34fe0851b534f1957f6

                                      SHA256

                                      64e28f6a8f0bc02beb008f6aaa3a6479e62d69a8cf2a5d82d4d092b7716eda70

                                      SHA512

                                      6be772f7633c7989d7fbc3d598d1925b9a59f30c28c1e01b1838e4a45e59ae31feffc41b53d9ee87310c703d75248c6544bbeb3fe755a964718a9381c9163a5c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      5KB

                                      MD5

                                      a6d1ff954db36bd2dfab88cb2858da07

                                      SHA1

                                      071dce28c0fa4b89d57059be519e63ccb4ee312d

                                      SHA256

                                      583271ef19273ad89b905907a176ef5b8ce8c28d740eb54e0db8fddb486963d9

                                      SHA512

                                      4300ff8f61c54775428d13cf4306ff81b6737424f63a317b855299f386b815f56fc4db9602c98b7a8811ae40d52a569a38aacf537f6981247deef1e51cc16f78

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      300c5cce517718c6b05498ceb738ccad

                                      SHA1

                                      a7ce4580ae10fd9bb5a38962437bd7b157654f73

                                      SHA256

                                      15f1acc376ba8020edffe3576a6142d149b3eeade87cbf4e06158001e069fc21

                                      SHA512

                                      d6999b5e0b99e11bfc7cc1261854965e6caa158d50f45c93c18db47dcd03b1259e20dc76951e490a065525bc4310f9cf2b96850e6215a66decc0cb3d4204d187

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                      Filesize

                                      371B

                                      MD5

                                      d7efae374696a83ddcdba613dd3be29d

                                      SHA1

                                      d7d10b9c375fb2001aa14911a2567cdbc74af756

                                      SHA256

                                      8d53159b23b488f1046fc98b90cafca547cfbcae116163d1de9bdf9ac96db32b

                                      SHA512

                                      f319173b03ae158276cd3ebdab6b5fe353ebf65f1cbab9ca07995b858f8d9122640dbe60de0b98abb893a8563d0430bbfd1a6a9e87b622affc995633309f00fa

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591757.TMP
                                      Filesize

                                      371B

                                      MD5

                                      7b3c9ce7eb9155cecfba0f27be910864

                                      SHA1

                                      e68bf97672863a18cef15245406bd5930c3df70a

                                      SHA256

                                      59c940f4d8e03741d1e4f38de7f57f7719164a8860e13249dbabc0e8618bdfb4

                                      SHA512

                                      e69a5bc130799659e81487aac2017f176f1985c6f2c4173054b2925589225c691599c53cdd77e611ff23c1c51ea971aeaa8606ef74062ddb4c5b3a371da1756c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      10KB

                                      MD5

                                      e5793c73b28d0be5d6a3d4177e6822b8

                                      SHA1

                                      df007386394608dff4617285edd652ddba46e98d

                                      SHA256

                                      f87893718adf83576498e77fe6a081948f362cea044257e1d876342318b41324

                                      SHA512

                                      59ac3ccd8a21d4f874545bb2ad928aaafb3330a25ead9106c6fe56cbde6e653ee5ce1468a3d6738981b9bcc9e3ddc76517b81f4ee1928d66815cac451629e2ff

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      18KB

                                      MD5

                                      e2c5244c3e020f9abf9a7832902d1749

                                      SHA1

                                      7536d3d5ef4b2a918438393986535dafaadb8286

                                      SHA256

                                      9b78bc4a002c0a4e3b88b8b6e748f652b5dafebca8a4cd014445b7e6f6651b76

                                      SHA512

                                      8e7cd295fbde477568a0d00cb45e821b7f19c6e5119d4a640948d490e8dc5727dda86ad412ab63df97f65da305b3f87b367a193240ead7adbdd254722183af41

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zlu4iaf2.12u.ps1
                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      Download Submit

                                    • \??\pipe\LOCAL\crashpad_4772_ROIGGMRIEMVKXUQN
                                      MD5

                                      d41d8cd98f00b204e9800998ecf8427e

                                      SHA1

                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                      SHA256

                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                      SHA512

                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                      Download Submit

                                    • memory/1956-48-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

                                      Filesize

                                      200KB

                                      Download

                                    • memory/1956-67-0x0000000007C50000-0x0000000007C64000-memory.dmp

                                      Filesize

                                      80KB

                                      Download

                                    • memory/1956-18-0x0000000002DD0000-0x0000000002E06000-memory.dmp

                                      Filesize

                                      216KB

                                      Download

                                    • memory/1956-17-0x000000007461E000-0x000000007461F000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1956-21-0x00000000057A0000-0x0000000005DC8000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/1956-20-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                      Filesize

                                      7.7MB

                                      Download

                                    • memory/1956-72-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                      Filesize

                                      7.7MB

                                      Download

                                    • memory/1956-30-0x0000000005E40000-0x0000000005EA6000-memory.dmp

                                      Filesize

                                      408KB

                                      Download

                                    • memory/1956-68-0x0000000007D50000-0x0000000007D6A000-memory.dmp

                                      Filesize

                                      104KB

                                      Download

                                    • memory/1956-69-0x0000000007D30000-0x0000000007D38000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/1956-45-0x00000000060A0000-0x00000000063F4000-memory.dmp

                                      Filesize

                                      3.3MB

                                      Download

                                    • memory/1956-32-0x0000000005EB0000-0x0000000005F16000-memory.dmp

                                      Filesize

                                      408KB

                                      Download

                                    • memory/1956-29-0x0000000005740000-0x0000000005762000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/1956-46-0x00000000066F0000-0x000000000670E000-memory.dmp

                                      Filesize

                                      120KB

                                      Download

                                    • memory/1956-47-0x0000000006780000-0x00000000067CC000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/1956-59-0x0000000006D20000-0x0000000006D3E000-memory.dmp

                                      Filesize

                                      120KB

                                      Download

                                    • memory/1956-60-0x00000000078E0000-0x0000000007983000-memory.dmp

                                      Filesize

                                      652KB

                                      Download

                                    • memory/1956-49-0x0000000074EA0000-0x0000000074EEC000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/1956-66-0x0000000007C40000-0x0000000007C4E000-memory.dmp

                                      Filesize

                                      56KB

                                      Download

                                    • memory/1956-62-0x0000000007A10000-0x0000000007A2A000-memory.dmp

                                      Filesize

                                      104KB

                                      Download

                                    • memory/1956-61-0x0000000008060000-0x00000000086DA000-memory.dmp

                                      Filesize

                                      6.5MB

                                      Download

                                    • memory/1956-63-0x0000000007A90000-0x0000000007A9A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/1956-64-0x0000000007C90000-0x0000000007D26000-memory.dmp

                                      Filesize

                                      600KB

                                      Download

                                    • memory/1956-65-0x0000000007C10000-0x0000000007C21000-memory.dmp

                                      Filesize

                                      68KB

                                      Download

                                    • memory/2452-73-0x0000000004D50000-0x0000000004D62000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/2740-78-0x0000000000C30000-0x0000000000D90000-memory.dmp

                                      Filesize

                                      1.4MB

                                      Download

                                    • memory/2928-76-0x0000000000400000-0x000000000047F000-memory.dmp

                                      Filesize

                                      508KB

                                      Download

                                    • memory/3920-92-0x0000000071560000-0x00000000715AC000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/3920-103-0x0000000007260000-0x0000000007271000-memory.dmp

                                      Filesize

                                      68KB

                                      Download

                                    • memory/3920-104-0x0000000007290000-0x00000000072A4000-memory.dmp

                                      Filesize

                                      80KB

                                      Download

                                    • memory/3920-102-0x0000000006FB0000-0x0000000007053000-memory.dmp

                                      Filesize

                                      652KB

                                      Download

                                    • memory/3920-91-0x0000000005F40000-0x0000000005F8C000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/3920-80-0x0000000005650000-0x00000000059A4000-memory.dmp

                                      Filesize

                                      3.3MB

                                      Download

                                    • memory/3944-6-0x0000000005360000-0x00000000053FC000-memory.dmp

                                      Filesize

                                      624KB

                                      Download

                                    • memory/3944-4-0x0000000005240000-0x000000000524A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/3944-9-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                      Filesize

                                      7.7MB

                                      Download

                                    • memory/3944-0-0x000000007461E000-0x000000007461F000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3944-8-0x000000007461E000-0x000000007461F000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3944-1-0x0000000000670000-0x00000000007D0000-memory.dmp

                                      Filesize

                                      1.4MB

                                      Download

                                    • memory/3944-2-0x0000000005700000-0x0000000005CA4000-memory.dmp

                                      Filesize

                                      5.6MB

                                      Download

                                    • memory/3944-7-0x0000000005300000-0x0000000005312000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/3944-19-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                      Filesize

                                      7.7MB

                                      Download

                                    • memory/3944-3-0x0000000005070000-0x0000000005102000-memory.dmp

                                      Filesize

                                      584KB

                                      Download

                                    • memory/3944-10-0x00000000063B0000-0x0000000006474000-memory.dmp

                                      Filesize

                                      784KB

                                      Download

                                    • memory/3944-5-0x0000000074610000-0x0000000074DC0000-memory.dmp

                                      Filesize

                                      7.7MB

                                      Download

                                    • memory/3948-16-0x0000000000400000-0x000000000047F000-memory.dmp

                                      Filesize

                                      508KB

                                      Download

                                    • memory/3948-11-0x0000000000400000-0x000000000047F000-memory.dmp

                                      Filesize

                                      508KB

                                      Download

                                    • memory/3948-14-0x0000000000400000-0x000000000047F000-memory.dmp

                                      Filesize

                                      508KB

                                      Download

                                    • memory/3948-40-0x0000000000400000-0x000000000047F000-memory.dmp

                                      Filesize

                                      508KB

                                      Download

                                    • memory/3948-12-0x0000000000400000-0x000000000047F000-memory.dmp

                                      Filesize

                                      508KB

                                      Download