remcos | 3e9dc00f7570354ba5099d43f1df7e6c6703632f24e57d8a58c5d0bbe1f61e4d

Analysis

max time kernel
19s
max time network
17s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sig.exe
Size

2.1MB
MD5

b2918aa81a993ec13679c27afa0d566e
SHA1

e64567342b3998345a446a75493a71967bff06e1
SHA256

3e9dc00f7570354ba5099d43f1df7e6c6703632f24e57d8a58c5d0bbe1f61e4d
SHA512

9080b209d8faac5b0efa828dc96a05d685afa17fc1e75f9d9073ed5c529c9d0e19ed05d2684d53b3c8e22a0bb8060f9d088c16e40b6755ec0a508adff1a3559b
SSDEEP

49152:dlAkd3caFGIJoZx7lRFosPEHcX4und5GzAqxTQBoQot95+gVXX3bzo:dlAkdMaAySx7losPZMADWj5BXX3Y

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

4.9.3 Light

Botnet

RemoteHost

127.0.0.1:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52SPIJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\AviraIsCrap = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\AviraAntivirus.exe"	Sig.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Sig.exe

pid process

4160 Sig.exe

pid	process
4160	Sig.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

msedge.exemsedge.exemsedge.exeTaskmgr.exeidentity_helper.exe

pid	process
496	msedge.exe
496	msedge.exe
4972	msedge.exe
4972	msedge.exe
4360	msedge.exe
4360	msedge.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
2420	identity_helper.exe
2420	identity_helper.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

4972 msedge.exe
4972 msedge.exe
4972 msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4468	Taskmgr.exe
Token: SeSystemProfilePrivilege	4468	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4468	Taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msedge.exeTaskmgr.exeSig.exe

pid	process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
1412	Sig.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

msedge.exeTaskmgr.exeSig.exe

pid	process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
1412	Sig.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe
4468	Taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4972 wrote to memory of 956	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 956	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4408	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 496	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 496	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2960	4972	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Sig.exe
"C:\Users\Admin\AppData\Local\Temp\Sig.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:4160
- C:\Users\Admin\AppData\Local\Temp\Sig.exe
  "C:\Users\Admin\AppData\Local\Temp\Sig.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://taskgmr/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08eb3cb8,0x7ffa08eb3cc8,0x7ffa08eb3cd8
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,670882616138432173,7885645777485782293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4032

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41a5f0078156c6b7599b5923d390c191

SHA1
435a26f175ed251a874118a9c54a347a75b7e50e

SHA256
1a752b0729ded504a4f7dab917a894c7c19d5b481d372b57bb1101ad1ecfb81f

SHA512
02685a8ba8007c80b408a24a5f27ff71f22473cb6186daadd98d2a47b88fdd738fa2394c298a803bdcf93bdb5136f278e1bf0f6ab94aff33b1c7ff23c34a5d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d6945763-29df-47b0-8cfa-bcb8a07280a6.tmp

Filesize
6KB

MD5
ed980c3c436a70cf4c8ed9250bfa7b53

SHA1
493d403960964d04c305b3cf1dc2f2b4fc8b8cd0

SHA256
8b3bb62e94a3cefbbd20a7dde33663bcb2199080abaf807358d1c6eb9fdaf704

SHA512
9ead71d206fe1b2e2e400a67118a818357fe0e5af2ff90260047a962d165c26b1118a755824e39457b619ad47d034ac52ceb8199ab4a33c41e75a9c5e598d8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9660b91bf9bbc50960a62e928011b36e

SHA1
df4e84add340ae0a54cb4e621646d90f5164705a

SHA256
b17eda382a04c4758be382d7e3b144c62f290f82bcebb944915c28441afd173f

SHA512
c3823c592ca25eae9d4e63f31124f9253ef3646afc17529df801524488ab7897a1e7620b795dbdf16e6b5a2c9a09901c2f5c6174fd1bc873c410bafa25e26b0f

Download Submit
\??\pipe\LOCAL\crashpad_4972_RFVKCDUWDLGRMAXF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1412-63-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/1412-81-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/1412-71-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/1412-70-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/1412-64-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/1412-62-0x00000000000C0000-0x0000000000135000-memory.dmp

Filesize
468KB

Download
memory/1412-60-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/4160-59-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4160-57-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4160-58-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4468-36-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-30-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-31-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-26-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-32-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-25-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-35-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-34-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-24-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download
memory/4468-33-0x000001B0D8A80000-0x000001B0D8A81000-memory.dmp

Filesize
4KB

Download