remcos | hxxps://docs[.]google[.]com/uc?export=download&id=1dsWzz5MJqUyDF0rB9Vou2Z93YaUnD98

Analysis

max time kernel
117s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1dsWzz5MJqUyDF0rB9Vou2Z93YaUnD98

Score

10^/10

remcos saturno discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

SATURNO

ijdfidjsbfjisbdfv.con-ip.com:1662

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-278IFH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NostaAshamed = "C:\\Users\\Admin\\Pictures\\NssClipper\\ClipperNss.exe"	MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
2892	msedge.exe
2892	msedge.exe
5068	identity_helper.exe
5068	identity_helper.exe
2404	msedge.exe
2404	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4792	MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4792	MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2472	2892	msedge.exe	85
PID 2892 wrote to memory of 2472	2892	msedge.exe	85
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 1660	2892	msedge.exe	86
PID 2892 wrote to memory of 5036	2892	msedge.exe	87
PID 2892 wrote to memory of 5036	2892	msedge.exe	87
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88
PID 2892 wrote to memory of 4232	2892	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/uc?export=download&id=1dsWzz5MJqUyDF0rB9Vou2Z93YaUnD98
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe318f46f8,0x7ffe318f4708,0x7ffe318f4718
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,10039492945559449725,17986692447043080757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.zip\MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.zip\MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3912
- C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.zip\MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.zip\MOVIMIENTO INTERBANCARIO - TRANSACCIONES DIGITALES.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
222B

MD5
246e3e531329600c36e839a87829cad7

SHA1
33422b35a5e5ff8bebf6655c1ec58801e04a3c9c

SHA256
b47177e7782899d767a1d34df5e30b41de8646d4a3bb25b970ad8a7bd35b60ca

SHA512
0258c4b520851f49985d8a29f99aa3485276bc1314e5b5badbba906b17aa281c7909bd20d68dce8d11062829820660a1cf13fab5df736d67ec7b5d80d2e459bc

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
402B

MD5
7742cea5ed45c9f19de315f3ed3bfbd5

SHA1
e388702e1ac9e6f6ad3750d8264e6d751cba266f

SHA256
c43b3a3af3bb8b5816923e52b8d351cbfea5bd854d068697e6f1b72d5c914191

SHA512
fcfad6dba8332b5d2c2077fd63d87b44ac169bad6dfb1b5ae7d11070f162a45fa8cfec7c03f3e8d5a8877b1659d71f30ad586d73004c77a5dba77a510bb101b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
990B

MD5
3abe09ce3a92273e6ba4df3d2481e407

SHA1
210c32476e2741405d32369633bfb48f34586a4b

SHA256
0d6ec73e11a405a9fc7bba32c8b41c311cdd5bb13c16c7ccf31a70afba57d170

SHA512
f968b60bb8ea5804e36438b3da9d7b703c0d670ebc8885ba317409a88e67fe03225292cab50e0837e0c1f0daac4074d96c8567f652114e77cd644564847576a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9c26120b8284bff8d84fd68a3fc4b6e4

SHA1
cb78ae2d7b6edd495f16c996fb5c8bba2825675f

SHA256
a15efed6c4a729ea68d68771021a9557526517edf21bc9f98aadcc965cd0b09a

SHA512
2aaa4fbd0df4f04795e515196a1e3b3b603eb1f12e6d64fd13e8b811c6a1a5879165941f7b2a7cb2513f1b1bf89563a730f402766803e173e1d68cd3e83768bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b7ecfe20c6ecd57462ca16cfe37c5460

SHA1
6096ecef74b27ef90d9effb7b49cd987b257d64e

SHA256
974eb003257d03049279d318e336eea7a7aea7b9f40ba1107ce28e5be9abd98a

SHA512
ae197314d953e2046db06826b776327746faebefc7205c08a259631f3fb158bcd2bba21eff3b94ed122dfb52747b9916e3ab26eac4c534525827123e389fa25b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c739d24056c081b24cef2cf6e5d4bb6a

SHA1
f4c22a5f8333f41086fe459259a1bed6be5911c7

SHA256
97cd8a6f5d365b6e1f0e954d3c98167226776cf2a7f2dbdee722c0ecfd1d6045

SHA512
a04afea4fccabfa91394406ffe13cba072441f29e7af75d6028ad49d6e512e5c876ef4f3647df7d7697674d8e40673a14bb85bd11115fc3d8f4ea8ce5174e027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4d12b1d87af88fc0ca062fd9b707fc3

SHA1
e29be80340a39f3c8d4f2f60966931371e07201b

SHA256
4ab9889aa1ea44e3aded1a7ed6539de9e9c9c33923131f4d5be2add3dcf654b2

SHA512
1eca3527b032f77a2070f53c9ec18f7678904d1db79f168ae3b620e8e3e1c88082a1ba09f36b9970c8019339e7c7d21126499e7e3c2a74354103b637e8412376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
581a39196b52edf023940cd3a8a39c66

SHA1
9c2506b3bda31131cfc878dc738a204eabb720a0

SHA256
1e2b996cb04b6597ab508480504de6f01134e8115bb8b6775613ac7031f95b8e

SHA512
309a174de2317086e56f7110468d2d4df47d17b2078341943a512fa6f0a69c4f9e89bbc30ee14222bac175dfb79f5b7ab95119dd9592cb9d78cafcd4c699fc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
252b7771ca9227246cd5eaf037c1d0b3

SHA1
fae998df916cb84ecdae0b7c9d4c72101b0c7c8a

SHA256
0717eb1b579653136ea145b8a0a26356ebe88a161e970b7d4c38a05641f493d7

SHA512
22b4c03fe0b4616d5501a222079b93a20f23920ca7deb8c8eafbb933b8593bfc69528ad2affd493a1c76e43bd7ed60405ed49cb990b633979a34ae64c219958f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dbac88c4dc3998890caef7353e06730a

SHA1
39dbabc7011114e068dcc7a25adcfce430014d3e

SHA256
b589f9d03b9490ecb4c19a30bd8ab94627cc1800ac026bae7fcf4e2584f4c6bc

SHA512
4a0bef177299349ba3097059d966de67a17e99416d36048c6312965495b936dc4748882030f7a6a1e932e594229beaa51718080959d760d4ff6ae58d96d485fb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 62150.crdownload

Filesize
1.5MB

MD5
ce1a5405c4349b54bc0d623be5567cc5

SHA1
32fb0ae8833c428ba77bd607c5d9b8610b9eb354

SHA256
ae5b745fe44c5112001a5508d57ca24d6384a9fe638f04b905eda86ece2ca7b8

SHA512
e89acee4ff37c01ff81b6f425994529921c114220f9c3c9718a5999358367db9025705aa40970560e3996635355684b750dad31eb374e472b527e4ea8a8d07b2

Download Submit
memory/3912-122-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-125-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-121-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-120-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-123-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3912-126-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/4792-129-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-135-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-136-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-137-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-134-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-182-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-183-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-124-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-128-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-130-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-133-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-289-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download
memory/4792-290-0x00000000006E0000-0x0000000000762000-memory.dmp

Filesize
520KB

Download