Overview

overview

10

Static

static

d55db3e1a1...b3.exe

windows7-x64

10

d55db3e1a1...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d55db3e1a122d2193f804f76a3ed2cb3.exe

  • Size

    448KB

  • MD5

    d55db3e1a122d2193f804f76a3ed2cb3

  • SHA1

    c101298055a396fee1d26220c2655125065e9fe6

  • SHA256

    5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

  • SHA512

    fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c

  • SSDEEP

    6144:xoR0EvklriDeO8pZIgVBcY/LfSSk0MeYFuRWYsraTkxAJAJ9U8sgutf2iddj5XDw:uW68NVBcY+SCY+3xAJAJ+f2E5eJQ9jq

Score
10/10
remcosdec 1stevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dec 1st

C2

terzona2022.duckdns.org:3030

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Windows input text.exe

  • copy_folder

    Microsoft Text

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Windows Display

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    Windows Audio

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Microsoft Sound Text

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    Username;password;proforma;invoice;notepad

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d55db3e1a122d2193f804f76a3ed2cb3.exe
    "C:\Users\Admin\AppData\Local\Temp\d55db3e1a122d2193f804f76a3ed2cb3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\d55db3e1a122d2193f804f76a3ed2cb3.exe
      "C:\Users\Admin\AppData\Local\Temp\d55db3e1a122d2193f804f76a3ed2cb3.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:3844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:4568
        • C:\Windows\Microsoft Text\Windows input text.exe
          "C:\Windows\Microsoft Text\Windows input text.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\Microsoft Text\Windows input text.exe
            "C:\Windows\Microsoft Text\Windows input text.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1204
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4628
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • Modifies registry key
                PID:4196
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4480
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1292
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80d1946f8,0x7ff80d194708,0x7ff80d194718
                  8⤵
                    PID:3352
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11428909505762483746,16724793286595544740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                    8⤵
                      PID:1000
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11428909505762483746,16724793286595544740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
                      8⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3412
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3156
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80d1946f8,0x7ff80d194708,0x7ff80d194718
                      8⤵
                        PID:3384
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,596799711922906002,15871986214188769797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
                        8⤵
                          PID:4040
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,596799711922906002,15871986214188769797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
                          8⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4724
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,596799711922906002,15871986214188769797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
                          8⤵
                            PID:3128
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:2020

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
                Filesize

                471B

                MD5

                d1287b882680d426851631f5cc6f98d8

                SHA1

                6182ed7f6b85ad3fdf2de7d50f78802aea537753

                SHA256

                4afcd48438f2bc14b1f22635e5ad8f9b5519de90fb04af02ad6ab017a505a4f0

                SHA512

                12817b72604ae58c4a33f4eb43c00554938a25df605c674f9d53c50d1d386555b6324906b99ec6a46a086853ee9c10acfefd85722dedb732f5e31ac6e93c797a

                Download Submit
              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
                Filesize

                471B

                MD5

                3121a89c589b43806469c733a1d6fbb1

                SHA1

                af970955ec34de61958a2b1e0bf271d440b514d1

                SHA256

                c57070af2586a5fa446a93cde9c596e9cea16c136c803b4eb920d70da56b5e45

                SHA512

                b02b94cc6438ccab4267eca60f66a63da970761c74f04e46541d5eb84c9f98fcff54aa8448b8d6862a588f58fcecc904104aef9b6c7fee050ab87383ad688c6d

                Download Submit
              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
                Filesize

                412B

                MD5

                9f88ca375eb7122e8d3ff3d1c4229f0e

                SHA1

                3397b45f18727b8a37e6ab3e1a37a687363bc196

                SHA256

                0227f9b08a94102004c3fb28f9e9511f07c719628ab78738c3fcc0a5c01cb334

                SHA512

                2f35969ace45f108b5c922e5d1812c0401b6cd4c0aa63e8f16f7528af0253c82c0b635b4c7be457fe3c36be5489daf60fb3f68fc6072b8cfadf6fcb1c0f81910

                Download Submit
              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
                Filesize

                446B

                MD5

                d05d4e9c10c31edc906ceee357a269a4

                SHA1

                e8addd93a74a023f021dcb8fa4de8dc7a8452aae

                SHA256

                9d9f0cea960cad0127f39f0c8a73fd5da54ae4249fa6578a32ac87a374959d7d

                SHA512

                a9f2e3e95ebd2f57d22901bc3006a6ce414124ef09ab533b1ecafbdb09a75f310ad75312c3dd1e492c06c7debcc1305a064a29b99e0d544c2c94e3e598d2100f

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                e1661723f09a6aed8290c3f836ef2c2b

                SHA1

                55e08c810da94c08c5ee54ace181d4347f4e2ae5

                SHA256

                a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

                SHA512

                dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                e1661723f09a6aed8290c3f836ef2c2b

                SHA1

                55e08c810da94c08c5ee54ace181d4347f4e2ae5

                SHA256

                a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

                SHA512

                dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                7b3f352bbc8046d1d5d84c5bb693e2e5

                SHA1

                e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

                SHA256

                471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

                SHA512

                c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                7b3f352bbc8046d1d5d84c5bb693e2e5

                SHA1

                e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

                SHA256

                471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

                SHA512

                c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                7b3f352bbc8046d1d5d84c5bb693e2e5

                SHA1

                e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

                SHA256

                471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

                SHA512

                c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
                Filesize

                28KB

                MD5

                5fe526a3ef5f9dbd18bc8da89e83f236

                SHA1

                12c80da790cbbef44aedbd199cf3d341d859050c

                SHA256

                52d1821df53e91d3a93a6f74cf31a4d561fdbe53b624bddedf0ed3a44ecfec20

                SHA512

                be44267b05066985ef0cd98b3534e8590f24860cb57999edf1a881cccf0d437f575ab9f5ace4d4ba7bded9f8700520d569ae7751fb08b575cdaee5600ebacbe7

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
                Filesize

                40B

                MD5

                7db6359a730fea73adafe1ebb3bf88a0

                SHA1

                60a80dad1d551bfca99e6445484690bbea4cb471

                SHA256

                d3c9f4f810cfc4fce7990b68bae524320bf9600b017ce84fb2673e0b53dbd1af

                SHA512

                7d5b9beee44cfd2e2039ab0e863885963600d7c0ed22c7cdd24054f02e85f1dd5898766c53b462df344cb2982a41c0a2c14ab9fd120f8036e95902f256cb0830

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638055039137925133
                Filesize

                3KB

                MD5

                5125353cf2c40e6c689b2607ba5f0331

                SHA1

                8d6fa6678ac8698a1025d20a9d23e45637dba661

                SHA256

                66ffcb91ed367b5a5ad5cc580060de181bff23d4373ac2ea8d9439452abe9d6c

                SHA512

                2b947584c5e4c96d88a03b4e67443e95128975f333c840a8cbce75f56bdc710ba4d5f69bd9bec0ec55bd17891456c1c4b4986736c457e2d7dcafb9f2b678c8ff

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
                Filesize

                29B

                MD5

                52e2839549e67ce774547c9f07740500

                SHA1

                b172e16d7756483df0ca0a8d4f7640dd5d557201

                SHA256

                f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

                SHA512

                d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
                Filesize

                450KB

                MD5

                e9c502db957cdb977e7f5745b34c32e6

                SHA1

                dbd72b0d3f46fa35a9fe2527c25271aec08e3933

                SHA256

                5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

                SHA512

                b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\install.bat
                Filesize

                99B

                MD5

                cd13321bdef41f7575c97a6c302668c1

                SHA1

                f7de6ac53a6914dde55fe408c67ec934686ecc9f

                SHA256

                2e7ff7169fe44c0360335a47264f1963bb65ae1ca3f93a20922074f143491dc8

                SHA512

                75ea823f45820f7bc118f8f982faee3b4ede68ab42958723647c356b9f667026d37c75702f4360bc38e19b44efbf4d9bf574e8b65f6a8ef37139216041ab234b

                Download Submit
              • C:\Windows\Microsoft Text\Windows input text.exe
                Filesize

                448KB

                MD5

                d55db3e1a122d2193f804f76a3ed2cb3

                SHA1

                c101298055a396fee1d26220c2655125065e9fe6

                SHA256

                5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

                SHA512

                fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c

                Download Submit
              • C:\Windows\Microsoft Text\Windows input text.exe
                Filesize

                448KB

                MD5

                d55db3e1a122d2193f804f76a3ed2cb3

                SHA1

                c101298055a396fee1d26220c2655125065e9fe6

                SHA256

                5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

                SHA512

                fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c

                Download Submit
              • C:\Windows\Microsoft Text\Windows input text.exe
                Filesize

                448KB

                MD5

                d55db3e1a122d2193f804f76a3ed2cb3

                SHA1

                c101298055a396fee1d26220c2655125065e9fe6

                SHA256

                5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

                SHA512

                fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c

                Download Submit
              • \??\pipe\LOCAL\crashpad_1292_XHBUSALJNBLNXUPJ
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • \??\pipe\LOCAL\crashpad_3156_WFPCXZXIQJVWDGCH
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • memory/1000-171-0x0000000000000000-mapping.dmp
                Download
              • memory/1204-152-0x0000000000000000-mapping.dmp
                Download
              • memory/1204-156-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/1204-157-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/1204-160-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/1292-161-0x0000000000000000-mapping.dmp
                Download
              • memory/1676-149-0x0000000000000000-mapping.dmp
                Download
              • memory/3068-132-0x0000000000B20000-0x0000000000B90000-memory.dmp
                Filesize

                448KB

                Download
              • memory/3068-136-0x0000000005550000-0x000000000555A000-memory.dmp
                Filesize

                40KB

                Download
              • memory/3068-135-0x0000000006040000-0x00000000061E6000-memory.dmp
                Filesize

                1.6MB

                Download
              • memory/3068-137-0x00000000014C0000-0x000000000155C000-memory.dmp
                Filesize

                624KB

                Download
              • memory/3068-134-0x0000000005580000-0x0000000005612000-memory.dmp
                Filesize

                584KB

                Download
              • memory/3068-133-0x0000000005A90000-0x0000000006034000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/3128-190-0x0000000000000000-mapping.dmp
                Download
              • memory/3156-163-0x0000000000000000-mapping.dmp
                Download
              • memory/3352-162-0x0000000000000000-mapping.dmp
                Download
              • memory/3384-164-0x0000000000000000-mapping.dmp
                Download
              • memory/3412-176-0x0000000000000000-mapping.dmp
                Download
              • memory/3552-145-0x0000000000000000-mapping.dmp
                Download
              • memory/3844-143-0x0000000000000000-mapping.dmp
                Download
              • memory/4040-172-0x0000000000000000-mapping.dmp
                Download
              • memory/4196-159-0x0000000000000000-mapping.dmp
                Download
              • memory/4568-147-0x0000000000000000-mapping.dmp
                Download
              • memory/4628-158-0x0000000000000000-mapping.dmp
                Download
              • memory/4720-144-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/4720-138-0x0000000000000000-mapping.dmp
                Download
              • memory/4720-139-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/4720-141-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/4720-148-0x0000000000400000-0x0000000000417000-memory.dmp
                Filesize

                92KB

                Download
              • memory/4724-175-0x0000000000000000-mapping.dmp
                Download
              • memory/4996-142-0x0000000000000000-mapping.dmp
                Download