Overview

overview

10

Static

static

3

Quote.scr.exe

windows7-x64

10

Quote.scr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2025 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote.scr.exe

  • Size

    984KB

  • MD5

    09d1f74cf4434fd7ff3ee83a2479d7a9

  • SHA1

    d70d3164f2fe24b4263e56ff2df171c15110e33b

  • SHA256

    9f05db230894256a6be6bf1b5b523894e621cf0b43632c0465c76717058d3ebb

  • SHA512

    7e8aa100fb7da347d56b9f34a87a91e5dfe71fa370f9dd42f571e70a37b779819253682dfe879224e06427b0ff10f4951e5b31648945011fd44584d480b062bb

  • SSDEEP

    24576:3IHzeLasydPeQ7h+ue7k+i4ZcPU33R1f4VTPx4pty9A:YaLaVJeQ0ue7Tcs33R14Fx4pty9A

Score
10/10
remcosremotehostadwarediscoveryexecutionpersistenceprivilege_escalationratstealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

2.58.56.182:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GM05WY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Quote.scr.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quote.scr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YPabBLvsNvjDRI.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3264
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YPabBLvsNvjDRI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE956.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\Quote.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\Quote.scr.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2544
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0MwMEY4OTEtODM4Ny00REU0LTgxNzYtRkZEOTdGNEQwNjA5fSIgdXNlcmlkPSJ7NzYyNkE5NDktRjJBRi00NERBLTk5Q0EtQTc4NDEzNkQ3NTIwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjAwNTA1RjAtOTY2Ni00RkM2LUFEMTYtNjcyOEM0NjMzM0JEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjcwODkyMTkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1892
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\MicrosoftEdge_X64_133.0.3065.59.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4928
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7426f6a68,0x7ff7426f6a74,0x7ff7426f6a80
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:1000
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7426f6a68,0x7ff7426f6a74,0x7ff7426f6a80
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:1712
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff721c86a68,0x7ff721c86a74,0x7ff721c86a80
          4⤵
          • Executes dropped EXE
          PID:4936
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff721c86a68,0x7ff721c86a74,0x7ff721c86a80
          4⤵
          • Executes dropped EXE
          PID:4624
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff721c86a68,0x7ff721c86a74,0x7ff721c86a80
          4⤵
          • Executes dropped EXE
          PID:3988
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
      PID:4280
    • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
      "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4756
    • C:\Windows\system32\wwahost.exe
      "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:516

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Active Setup

    1
    T1547.014

    Browser Extensions

    1
    T1176

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Active Setup

    1
    T1547.014

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{279BFD8D-E10E-4D5E-98B9-E2CE4608579C}\EDGEMITMP_D3B04.tmp\setup.exe
      Filesize

      6.8MB

      MD5

      1b3e9c59f9c7a134ec630ada1eb76a39

      SHA1

      a7e831d392e99f3d37847dcc561dd2e017065439

      SHA256

      ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

      SHA512

      c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

      Download Submit

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Filesize

      3.9MB

      MD5

      ad5f7dc7ca3e67dce70c0a89c04519e0

      SHA1

      a10b03234627ca8f3f8034cd5637cda1b8246d83

      SHA256

      663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

      SHA512

      ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      73KB

      MD5

      26f5a039be21d7068c9f0bb237282b4a

      SHA1

      566189f363c85a36dd76560bc7712ade55ab66ff

      SHA256

      14998da93090dae903d3361b193f35cfd4d1389b16a8037e29e0410b91c45338

      SHA512

      f52beabb955a93733a34faa623412a667703976ae86b0d57e3c68c1229fcf8afc3f8fda45423fb630f810c33ba55bb1216ae669f50c86f1623b0bf4e1719d2f8

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      99KB

      MD5

      9372974feb20b2430abbfe85dd15b12d

      SHA1

      c4c073bd43085e42fbc14c5b2083da1550bdd739

      SHA256

      ef0a33fc1c446bc4fc5b2b50f135c27651a2615685908fdfb042e5e98b1115b5

      SHA512

      adc4c846e44b30d20b4267280566cbbc8931d0004c369a87d7b96a9d82a90cbaf9cdb6c7b6bdeb81818ad2840128eac3b49700a0a5bec699c8913d8ab94fe315

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      102KB

      MD5

      92cdcd7b5f0048ced35972043e858cc8

      SHA1

      fb7c6610547070da110d1ed77fbb07ef790becd8

      SHA256

      b71729984c4108ac2a2565bf04ae459b2139d23b94f33cf62a472c8920b5aff4

      SHA512

      280392c07d7b1949492adc572392e4045906abfd791223e6ab2f9123cf63b5889d3cadd98501cd57b4ba3840ff91a9fa011996da88a43635ec6c619c37ded51e

      Download Submit

    • C:\Program Files\msedge_installer.log
      Filesize

      104KB

      MD5

      ee9c4485ebead18ff2c1d253c4a31903

      SHA1

      6aed1fb93bb4d4a96e2385d6a5a43be89c13405c

      SHA256

      0ddfd489b32b894c66e5a6bcb33378fee2e97c0180a6ff323f6db508efd64550

      SHA512

      3b28fd597e120bb6dc95f7c3d8c594371f5377a91918eb68a5ac45941cff93948b2af86c8698ead2a14fe831c8574488e7fa579e655dabf9ee762d42ad77d31c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      47ceeafe74add40febcbe8e6663d23b2

      SHA1

      9ea90a54f85969f303eee8e57c6799902044769b

      SHA256

      c1b9e93beadd69b13d4d3aa4a9125c81f694475dce51658e0f5608a0df89617b

      SHA512

      9c4a90aadd7f71cb84bb9d5da2477331600251fa2779b8f9858a6af3179d664b28c6a7acd67ae3d3acb8eae1d9eb6715e3e30afd2fc4c4164954c8576193f803

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orr5hzkf.bkc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE956.tmp
      Filesize

      1KB

      MD5

      18a6945d332182b0950a29216ac93019

      SHA1

      6f03cfdb850b58271aace8a67945c3a7481f5d3e

      SHA256

      1decb2235ffae8f93a1cb307aa8c78d5cc0b90c703d55ef3d1e6c7e808816a06

      SHA512

      2d36eb76842dbd2cdec5af92458597cf774855a66b35bd0fdb0830703e11d1635ac4a4b2be9082d9bd24914b36c49b86eaa21b841c9f6691bca43802625f1901

      Download Submit

    • memory/2252-10-0x000000000DA40000-0x000000000DADC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2252-3-0x00000000053B0000-0x0000000005442000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2252-1-0x00000000008C0000-0x00000000009BC000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2252-53-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-2-0x0000000005960000-0x0000000005F04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2252-9-0x0000000006890000-0x0000000006954000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2252-8-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-7-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2252-0-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2252-6-0x0000000006D70000-0x0000000006D8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2252-5-0x0000000005390000-0x000000000539A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-4-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2544-48-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-54-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-46-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-235-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-105-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-50-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-172-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-49-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-104-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-236-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-55-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-56-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-58-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-103-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-102-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-99-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-100-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2544-171-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3136-19-0x0000000005BB0000-0x0000000005C16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3136-81-0x0000000007450000-0x00000000074F3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3136-84-0x0000000007600000-0x000000000760A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3136-85-0x0000000007810000-0x00000000078A6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3136-11-0x00000000010D0000-0x0000000001106000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3136-87-0x00000000077C0000-0x00000000077CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3136-12-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3136-89-0x00000000078D0000-0x00000000078EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3136-13-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3136-83-0x0000000007590000-0x00000000075AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3136-82-0x0000000007BD0000-0x000000000824A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3136-32-0x0000000005C90000-0x0000000005FE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3136-98-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3136-14-0x0000000005580000-0x0000000005BA8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3136-76-0x0000000006870000-0x000000000688E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3136-59-0x0000000006830000-0x0000000006862000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3136-60-0x000000006E7F0000-0x000000006E83C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3136-15-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3136-47-0x0000000006260000-0x000000000627E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3136-51-0x0000000006290000-0x00000000062DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3136-16-0x00000000051A0000-0x00000000051C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3136-20-0x0000000005C20000-0x0000000005C86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3264-91-0x0000000007170000-0x0000000007178000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3264-33-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3264-34-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3264-35-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3264-61-0x000000006E7F0000-0x000000006E83C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3264-97-0x0000000073C10000-0x00000000743C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3264-90-0x0000000007190000-0x00000000071AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3264-88-0x0000000007090000-0x00000000070A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3264-86-0x0000000007050000-0x0000000007061000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4756-177-0x000002118A720000-0x000002118A72E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4756-178-0x000002118ABD0000-0x000002118ABDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4756-179-0x00000211A4C60000-0x00000211A4C68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4756-180-0x00000211A6000000-0x00000211A6249000-memory.dmp

      Filesize

      2.3MB

      Download