remcos | hxxp://185[.]96[.]166[.]113/Project1[.]exe

Analysis

max time kernel
74s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.96.166.113/Project1.exe

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

66.85.26.234:7888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RMII0S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Project1.exe

pid process

4332 Project1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Project1.exe

description pid process target process

PID 4332 set thread context of 1972 4332 Project1.exe csc.exe

pid	process
4332	Project1.exe

description	pid	process	target process
PID 4332 set thread context of 1972	4332	Project1.exe	csc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 780577.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Project1.exe:Zone.Identifier	msedge.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid process

2236 msedge.exe
2236 msedge.exe
2472 msedge.exe
2472 msedge.exe
3116 identity_helper.exe
3116 identity_helper.exe
1920 msedge.exe
1920 msedge.exe
3968 msedge.exe
3968 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2236	msedge.exe
2236	msedge.exe
2472	msedge.exe
2472	msedge.exe
3116	identity_helper.exe
3116	identity_helper.exe
1920	msedge.exe
1920	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
2472 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Project1.exe

pid process

4332 Project1.exe

pid	process
4332	Project1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2472 wrote to memory of 232	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 232	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 3000	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 2236	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 2236	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe
PID 2472 wrote to memory of 472	2472	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://185.96.166.113/Project1.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7d273cb8,0x7ffe7d273cc8,0x7ffe7d273cd8
2⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
2⤵
PID:472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6036 /prefetch:8
2⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,12881337900612674423,7615705917929703529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2260

C:\Users\Admin\Downloads\Project1.exe
"C:\Users\Admin\Downloads\Project1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1ac93c0d61c7f1388ef0b20ddac31bb5

SHA1
c05648450603b61ad89e58567e9230a1e884c0de

SHA256
fcb6699e30cb7fd1d44f5c91c26b824cb437a779535f3fcf49fbb8a65ce4f642

SHA512
f3a86e9d6662370edc55d008385eae3aaf2b8de0cfe8880aac407e0ad666d3867f5376528e2be5900aaad865cded41eb1d894cee674a0dac27dbb14a19e15224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
55c1265af278547d45d8ed2b173d1a20

SHA1
7cd4421b6d5dacc48b28936f2ac15617d6e05d11

SHA256
1f7f12b447b88c902359f94046606e9e5b12d3061adfc16cfebf21aab785c1c5

SHA512
6f036e01f54c2859295267d60bf6b7d6135958b0d94e72f8dd64cfb2cb0078b844168c967336620525dba5498bc53ddf01fe30736cf970c27f2db59a56964c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
10bcd46ab269314d33b0b18b29713047

SHA1
afbc4297cfa65d7ac07906e479004bac5717fadd

SHA256
e8a159db614b54afd06f0f4a28b781116e3b206c2d9630fcdbea4c9503951c35

SHA512
c27c36c724ecfd986259aca91cd4841ed14c625564cd817a56c3d5cb3c0f72c37e46c3d68c4496d06fdbca94cafcbc9a3d87e4bfdc105317afbefdfc79cf4a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5f5c13602361ced6c82a449a51fc0414

SHA1
3d214ae6b6e884ab3b07af44044d39710d6e0e12

SHA256
d9175547a3e9797eb19cfdea4cecbdca9941629ac08d32b39194e0713417853b

SHA512
7123d7a8a94b28a5195c41fd1b71f6d33218a477181e1c7bc2ed896b5d885ee4389f27229e3dbe8e07dc4a83108e31df37fa9e14983463ecd66acf820db1a548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
82e989aa0e4916bff45d7c189aa3ae50

SHA1
35eca4f63bf8582e82faa58c5d3f89ff4d42006e

SHA256
2878c82393b9113fccb8bf9756c4ee378206b21310a6d788387ed9e05291f113

SHA512
07a7a8914dbac8420c350023ae4c4f7092a42abf5d5227f098650d94deddf7a0549fd77eed500fd3c72792d40788548fef26c6cce66f6b180120428ab26c681b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
164c060d3b1622fef3a4338c5cb75576

SHA1
cf55689378b8b09712018c288bbda44daea593f5

SHA256
bc8c0df5083c33ca5ab0fe09719e85af74647ce978d497f2d034aeeac208c51a

SHA512
0eda44270cd96bd9626f61d2c588f70efb4ecd322a4c5ae732e1c98e40450136d7bc26fdf0dee0652026aad652069a4ce98e8e1856047b9b49317e4c80395e07

Download Submit
C:\Users\Admin\Downloads\Project1.exe:Zone.Identifier
Filesize
70B

MD5
ff026903193eba8088f0dff699cdd280

SHA1
ac7b33c285d0a0302f072c7b23dd3e137826f2af

SHA256
e63b563c2b892361fae24209858a7fa9fb8163545a56f117aee3d5f615100656

SHA512
e9ee4ac0471d8fe1f4dcbbec058561d550707c25d74ffe630a37637c30de340e38250e39fe8d9621119ca2f2286ff5d5cefce708c2622d0b7b54020c2dd1bc93

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 780577.crdownload
Filesize
28KB

MD5
2ad77976e012a9187343046d0d9b4b54

SHA1
55baef2682884089f3c3f7f1d4c091b14f2340c7

SHA256
bc6603ae647fbf1ed116de15443e2a4cf087ccb5d8d6e7a7ff71b0eec9f17120

SHA512
a3deed2ba2e183ad8797cd0dca8b163633be0515faa6a91d3f7e5f554332c36eeb4d8a09ec113c858dc3bf3bda260055caab24f0b22db4b7bd150a12e542bd9a

Download Submit
\??\pipe\LOCAL\crashpad_2472_CWCEMYBWCFMREQRK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1972-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1972-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download