remcos | 15009b7486ce6a2ed0f1f0ebcccce1a16238fe2a439b3348a3dc2a68c903759f

Analysis

max time kernel
69s
max time network
68s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-09-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
Size

1.3MB
MD5

c4fece311d6ad36ec3f85fcded890197
SHA1

7494644e33239d3668728571dfda2d786c96a04e
SHA256

bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e
SHA512

c5caed981f8a874a25af9b6aba0e0671670917c80ff149c96e501e10977b6f8e6719d8485fa4f562f61149cca9a7339771c1c1c1154fcc603fc65ce53419ae8f
SSDEEP

24576:UAHnh+eWsN3skA4RV1Hom2KXMmHa7MnFfmMlwG07QFL+SEI5:jh+ZkldoPK8Ya7IFfmMc7QTP

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.216:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7K8JAD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2668	2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	85

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1040	2464	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
948	msedge.exe
948	msedge.exe
1308	msedge.exe
1308	msedge.exe
868	msedge.exe
868	msedge.exe
1840	identity_helper.exe
1840	identity_helper.exe
3420	msedge.exe
3420	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
1308	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 1844	4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	81
PID 4516 wrote to memory of 1844	4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	81
PID 4516 wrote to memory of 1844	4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	81
PID 4516 wrote to memory of 2068	4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	82
PID 4516 wrote to memory of 2068	4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	82
PID 4516 wrote to memory of 2068	4516	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	82
PID 2068 wrote to memory of 1292	2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	83
PID 2068 wrote to memory of 1292	2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	83
PID 2068 wrote to memory of 1292	2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	83
PID 2068 wrote to memory of 2464	2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	84
PID 2068 wrote to memory of 2464	2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	84
PID 2068 wrote to memory of 2464	2068	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	84
PID 2464 wrote to memory of 2668	2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	85
PID 2464 wrote to memory of 2668	2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	85
PID 2464 wrote to memory of 2668	2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	85
PID 2464 wrote to memory of 2668	2464	bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe	85
PID 1308 wrote to memory of 2260	1308	msedge.exe	92
PID 1308 wrote to memory of 2260	1308	msedge.exe	92
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 548	1308	msedge.exe	93
PID 1308 wrote to memory of 948	1308	msedge.exe	94
PID 1308 wrote to memory of 948	1308	msedge.exe	94
PID 1308 wrote to memory of 3108	1308	msedge.exe	95
PID 1308 wrote to memory of 3108	1308	msedge.exe	95
PID 1308 wrote to memory of 3108	1308	msedge.exe	95
PID 1308 wrote to memory of 3108	1308	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
"C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe"
  2⤵
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
  "C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe"
    3⤵
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe
    "C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\bf0544c92b379c01615e44f645578572e2bdcc966c5125b1198e5d2c118f277e.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 804
      4⤵
      Program crash
      PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2464 -ip 2464
1⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://taskmngr.exe/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc79ce3cb8,0x7ffc79ce3cc8,0x7ffc79ce3cd8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,13672658755406585761,11676552775957244293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:3464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://taskmngr/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc79ce3cb8,0x7ffc79ce3cc8,0x7ffc79ce3cd8
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,6089962728799150825,15545196862854872041,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,6089962728799150825,15545196862854872041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,6089962728799150825,15545196862854872041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,6089962728799150825,15545196862854872041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,6089962728799150825,15545196862854872041,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d9e6316c0c5837074a4175346c7d8ad

SHA1
cc38dc9254a8969422079aa7f4f4c93e8e6f0300

SHA256
90ba1a649f0cd23bfe61bd97a2e963fee4015c9363d449ed877e706143d500dd

SHA512
ff960d8e8e69f4d13bcbfe5db47903aed7f982b0fba0cebcebf4ef849193d0e9f95b339b96cd4f0252bf4f4b023c61124dc8da61dbcfafba495e311e43928fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
150bb8f746383d4b835d227023b618f5

SHA1
abb8013f5752b5579cd993cb470968be84175505

SHA256
6a9e365668921107c3ba68288a0ab82783a80a03cb98c9e388339cb0a0746305

SHA512
75728bac4017fd9e73e1f2fe752b797082d0b2ade3585491ef67254eccf0ade052911a2163adc3c40c8c71b35539715242b4ad6b39ad419af9ed3970ab5c2a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d3ae5a656b5caab319c2150d31a058d9

SHA1
c43b2d4dc2270cb2bc5ba529a4ae094957078ed8

SHA256
ceb2423659a0015fc22e775a2c873ac3f923551b2974d05621e5516a72433032

SHA512
63cbaf907304401443145c1677f1f0dd6b1adcbf683548fa6d738454fa935820e52864032917488684aaad2573e1a20a26b7fad4ae72d474510cbcf704fa6ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
66a5b7dd922906d9d60b1f9ee6962385

SHA1
6e06b2b62541eee673638440a6c9c0b19e485edc

SHA256
b0db276fa3a07857ebd0136f7b0c68154f7b0fc0dfd684ada71d45a795cb950b

SHA512
a680b41a089225b94971b81edaf4002e01237ee46b5aca6287db1e5ed41ab072fca7762e8ef118286111445949da50700c29c0fbe43640e3bad92ac505df4db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
d40fd6b70295f6a88c48dc49f68eb201

SHA1
33a5b1db350b7c31a500420c569d10d300f0a977

SHA256
11deb2156ada403791e1af56fb41c85bf19d90dfd0c246c781ab9a8e22e875a2

SHA512
6eeed1c58274ce72aab5f58e24b01100f602a43e2c70750270d2952e3ca3a438077a0862ebb5cd3c2b3335fd828b71fec20658ec05bc432c4c68f631b55fba6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3fe6e14313381c9ab2ed484715e8d89f

SHA1
a90836bd2fabe1ab96fd331adc1eb2f3ed06c6cf

SHA256
5fbef883cd7dadeb6a8c4793c98947a22a40652706ad990172126f674e8206b1

SHA512
2f746b5dce428be7c6d632d3012b8c121f339136e8ee0d542e0087f66a806c261abe89aaebda300711f44a8224f5e4e6a719fd067af1af1a1f6fea6eb5d952e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e869d164ef85e5168fff9b203253d4e

SHA1
c6a0828f90a03ca5cf7723b9cc574380e6fb744e

SHA256
e1268e251c6cc45384ce73fe495cbbafd419059c56251a5b707030bb54c841c2

SHA512
5b98733b1c83d2a261496713a0e56a6961a7651b87ab9538504b0956dd361500c03dfa5deb405c19cec58d07274ed354b1d353515ecea5e269a9cb5c63c3e5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4b231c24ecc18420af787eeecac2f6d

SHA1
02bb657c42e765a7e422bebc9076041ea4a5530a

SHA256
0293d3e541333e6d919687a8e623db902592c220d87df88d0a0f6ca0a8aa43a0

SHA512
e7c16c028b8abf5804492c77e30c125a409b837df1488608e4240728e975da5b9092b1568bc0e4064e165f75b104ca34e7edb1159000e322d8d7c8e83c57e234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07ea5d6bba153f10c0d9d9cea1fa7965

SHA1
c387975e4dd595ef37cad6679d1780a9274391d3

SHA256
15f35aac6b2ec3f46364ab7bb489bd8c6b6f6351e695838594e9d9be2e17e88d

SHA512
4c5855c7c71a539f37b503b026a31e17af2c32cf981f3945dcef80c571e8dd6a7268d7a351af4af6eee87813e06625ef5d621925499854aa5e17fdbd2c641c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
457274bfdea2f06a99da01dbdf86d2a7

SHA1
82ab6eb85c2b96765c05dfcf94384b5560033df6

SHA256
ca7aa965bd29f560fc83ad22223302c2039ac3b79749c39723cd20a15583348d

SHA512
4f16ba3c4e43b0cc2e8549ecb0ff08a71f8f3dada502e0f7b73316d6e9a1fdb7dd1c3e72483799f49ca0058385f6098ebe0b43ac69398d33ef8d676f271bbe88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
aeeefcbdc194e3fe60f00e46fd951aa9

SHA1
4de16e42189a62fded77c15a53ee311493da28b8

SHA256
b767e6bbfc6ed0026b1399c50d98dd2c9325703d5434c5a816bcb46edc13be57

SHA512
63008fbf6ed817eb0963d885fc334e6b6b892e85ebc46c265abdd28d08a8f3834b91c3b391b016ace8bfa89d3df54adf19ab32b6679ba4a62362944d528ce73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13369907529846713

Filesize
957B

MD5
0a1d3900b04d8ed4d3c47a11ca60672f

SHA1
a8587cfaf6cb4401023fb4375b61d62d0edbc645

SHA256
9b11e7ee47c7413c0a9821be7f6b188a0a65004c3d2d6cd88c38aea14f9aea27

SHA512
f7e5778785f6f44f7c46655d3e2926ee2bc5f6deb81342cb5ceb8efe169dececf9171293a0efce5cd196742f39e96ffb4e475ed36332e773b429e1124aa82373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369907530003713

Filesize
1KB

MD5
ec9f20d65dd760fb0c61685817d654f8

SHA1
05d45fd396d1babf6e77b1166619b8be1e7b0b40

SHA256
77944c73c7705dcd2e9bdb85b76dd2af55b7fa9619feef8310110e11cbf4a067

SHA512
ef0877f7ee783ceccbbc7cbb0ae7098a61746f52a3455f1af96305abfc7dab59bf49b1e69c3f90bbf67295214beb1dd5a188f4113941b5b864e0ce11fa34711f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
25a2de3e72c092f049ba5799bcfc59e1

SHA1
3f61d63813a8b0f3a5c0246e44d40bfe4ff4a730

SHA256
40ab8079fab2271cdf6e48f8cf2a850cf040c54fbb253fb87a44de58da1d604f

SHA512
00f06999c9b021e7bc0c09bf442b552325d0ef5fb7fb52873f0fe6b1620fa6cee877594418b2148c3f52951d5713da6532b42495181571ba98f9c977a27b99b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
5939bdc85660dd690e98ba718424e50f

SHA1
92b772cdaaf9650565cf0b94cd0cd5be1bbec8c2

SHA256
f3382ae41b2a7d22fdbcf2e7fe8e8729a5560bb1f50751239923a407434d1c89

SHA512
7bffe631bc282b7f2600466f61dd66f6091f17db4a13fe517c845532b13f8ff3bf2957f0a104a4933c0dc81de8258d4263e2d5285632074c36f6b880b17f8707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
1bfc233ede5f94e245032b1f43025bab

SHA1
bc0b4073e93c555b72281c6bdc2d4f17c11a0273

SHA256
8488084366bb518f96b3a2310525929e382c83322d477fd1d20697ddecfab20c

SHA512
aa4337d117d6e4c69bd65ffdd8abb29cc5dbb1ad5a51b143e44d6bf1db0d1b11c4eccaf8bdc32c7a60a918fffe6200a8fab9e80df313adf0cac27eb8cd24c0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
d271eaf0888eb677acea116153e31fd9

SHA1
9a299d0534149f08c7e2e52629e3d8b9471ffce1

SHA256
8de4ff8dd8ea9e30435b80c465b517599af0100ea7df48a7f82fee5d747565b8

SHA512
4e9bff52f3e1beb6334e31c32a2f8e84b504e10bc6cf3b8ca0ca08daf8731ab9b5cf3aac987858af837de8ea30cab73a0a4c68e22ec4cefffc1d8113b15f3c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
d268c2795cfdb222a76702a6b0282810

SHA1
a5f5c472cdd2ce4804484e26e06db0c61f4e632d

SHA256
77292a7147d07093e8d52413b9abb50434330854c22d393b59508c9c1113d8f5

SHA512
daf5589d964f532a50ac6299a80d4b70dffa358b26a3ac2a01a4e031ec0b68734b040e1fecf4902f852c39443b47e243fd03d1cb0afb7a79f80f40cf9f722f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
88c5a91ebee971913240f47755cfcee2

SHA1
3afb04bc84d80c1172ffe7db9ec71354b147755a

SHA256
73527a5a759c6164cda66c77b6cd5bac10a18cb39252153ee0a499e59bfbcbd1

SHA512
ff39f5d342e85a8af8311a60c1d367a3a665ab8112c5118e51dbba1fbeca60495870bdcf887f6f1430a4ed45e0502dbb5296b25f7c6f7f48e4a64bf687a00be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
b551f1e3b05c2aa6eece53381c16ec47

SHA1
7922f1c558f4b500780e674366174178d8cb5be6

SHA256
98c5bb734d1a09a79fbd25100c6037edc3372995fd39595b970c2cbdf5535795

SHA512
b5df68e7e12a81c590ff4c53637e06747825037856a7d32cb07e3b8e0c226117901b875fd3511fc4ac498cf607f47bc50e7f65c7ea8811db33125e1fc08b8bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
c8e20463c539d21cbed1c38879113c78

SHA1
64458d1e7022d648932a8cf246d95432e3120b48

SHA256
c60ab5ffe7df4f147db38a04d6213f5583f35e7349620edce349203cf0c83aa0

SHA512
856fe10b8a6dc2be642f2c2323b9bbc78712ffda5edf20a340ac3cb66322c517cc9452214f00de882581f5b3b8c9001847e680720383e95a7c09dc1b8bfc19db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
78d51f22920418854eb17cdf80344edd

SHA1
f5360e4a27dd050b677a9179eb553688f94f4f63

SHA256
8ea4c78c1ad21db4eddb617943a1d82cb6e25e5e9e9f36fe78bb4e8a65e8c8e4

SHA512
e4c6c0e41c1960f450f047e78c6c8c3afe0724968701337bd178d43679dcd74a703b8f74cafdf4982e2ad0651fe113bbe30b52944a3507f775ed0f553436ba55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
c332d65f8a7ce0719113646d7c2490ae

SHA1
4ee5a408af842ff76c0bfacc64ace11e27e35983

SHA256
99a4ce5b3fdfbdb01b9f9ca6623c2849347b5c7d81366ffb31542b26724b612e

SHA512
c12e4ceef9c19a199947c7efde727f6a3d5308df788a17ebc5cb1844e7a7c4456d7a4a1959f2e53ba1d86eb7b9f2ad3b3ec22116aaa9b1eb11419a1af808d258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5b356446628d2d484ed836d0e39d2f36

SHA1
9f2e5831a7d8c5c008b82643214126d792eac6a4

SHA256
fa4d4c85c399ed513aa5bf7cfc50079310af491e247f5721e01d838fab0d592e

SHA512
b4799a5773ee5280384166d651f17db579c60f8799e38142020c420ca5b3ac2e9cdba40256261bebd195db4a4947e6652ac26b3d33cc35d2593f3ef777b16208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07eb0f7f19ab04fbdfb9f6de89bd81bd

SHA1
edc84428733ba483555fcc77a944c55f409ea0f8

SHA256
df99caf40ca90a1d993791a963771e6f98c45d7d98024a2005956a41c18f176a

SHA512
5d98ec62d5f4e4a2e8a597fa63daf50e44a5f03b56e6574b203aff373edc138926f6868d3ebc0a911e299863a5ecae7412c919d80865e6a24829105bb0a77be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87d7b1880b8b316063925b883f0335c8

SHA1
f8b6cc0b0b9e7828ad45812e185f0c0909584a9a

SHA256
9b6b4ba8012db12ff734c4bad30ed329c5e50dcf1b813951b792685970efafe3

SHA512
66811acd13cba6773bba1f6f77cf24c8fecbaa5faa3a63fe8e405cc8bc169b9073d4e1ae974c33733ba6c12ec04e6a0aa0a81edcb0062f167944e3bdb7bd8df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
1f213343a8b23f84bb3a4a58fb393e3a

SHA1
562d7a5b0934d3b58bb94ed4bab8249b7671b644

SHA256
3ac88f78a14a90d89653ca88cb957daa6cd4c622077a857c064939371d2230ab

SHA512
9509afa96785b9c7f901dee48210dcf10443c65b5c9dc41dcfd5413aa8e149b0e3aecbe573a46c8164d02446f2822dc7c2c1d8dd20f65a866096dfbadf436faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8750.tmp

Filesize
385KB

MD5
8ea0c84aa1f5b87cd38d2464437fda89

SHA1
7152c90e5aee703dcd56b7e601bfac41f601c462

SHA256
109684a896bf0b1cfca6e1a8c33c6682c2f55eef215cb5a6594b2ea9f128b20b

SHA512
9def862097ecd2071c72dcc9a778f40a4d554185875a2f697d6d3e77ce2f2ea8368852e0bc697c54f22f123ffdd2088b8085912c750cb894e9695242bea9feea

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8771.tmp

Filesize
14KB

MD5
654fb3ce9b5ba3b1653a114b60caa46a

SHA1
523d606198dc4bfa6e2f89d9f64ac85b05282c46

SHA256
844b27b9d8f4857255eea0cf2870ecaf47f8a395f5cb330c260693ff5785359a

SHA512
9c3ce5fb1a60f00a4a579a48c74b48061f99df7b35ff9a3f272aa9ec52de0032fa9e2e0427c78e1767d36bfce6371e6c47cb867b253016fd5675231a6f7eb7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\benting

Filesize
196KB

MD5
369831fd11e0d54974552e4b8cf4c086

SHA1
ec14327c38bd7308b7926f357e63999a783520ff

SHA256
6266c1de959ecb078811b273ad8db10785d6a28eba032bf3df5e6b8a14c7ccb6

SHA512
7d21262011cf1bc005c52ffbd599022db55be2ee98876d092f936b4e8cfcf34ee0983f44e6c9d83ba562936a2ec86fce35ea13661491e7dab7bb034dd66375ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\definitization

Filesize
483KB

MD5
376469bcac88bfb4a69c425d2a14299c

SHA1
37d20359af713f3a366bdf8a4d70900ec6478e33

SHA256
52472acbc3a70156bfcb8cdc622107eacc0139fde3411e2b08a90c66daac21af

SHA512
066503db63196f8ed5295fce802ed9d34c9bd715f54868ebc9abfdfac2604a4dbe7d5a9d75b7a150a2eaa66e68b4989429aaaf9e3125ece5c25098413fe2a8bb

Download Submit
memory/2668-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2668-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4516-11-0x0000000004050000-0x0000000004054000-memory.dmp

Filesize
16KB

Download