remcos | c40c1884580b0d887f3d1620769b5d7f8ff1933b38937f71b5ad6e7970296848

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250313-es
resource tags

arch:x64arch:x86image:win10v2004-20250313-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25/03/2025, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe
Size

2.4MB
MD5

26bd9c6dae9b0bf7a601123ca651f8e6
SHA1

09ed61f7ddf971dbdc040d08115a78e868f17c36
SHA256

fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc
SHA512

a342fae3777a846c6949d20386e9a49925398b6c9bb97381faf99c3103a10bc1c74ffb40e9a50d519d26dbe86a4b8e4db59c6ec4aa8c92d35c8d0c9cb26b9b10
SSDEEP

49152:nETO4BweDR27a6fDjsp9TfgGjy624UwfIymnSVOYTxEkrGtSxnm9eQQz:ETOAlDgX38JfJjLI1ymSVtikiMxnm9v

Score

10^/10

remcos zloader blue_marzo botnet discovery persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

BLUE_MARZO

7908pt.4cloud.click:7908

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Word.exe
copy_folder
Appdata
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3CK3C1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Zloader family
zloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
94	752	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
5928	ABSchedhlp.exe
4948	ABSchedhlp.exe

Loads dropped DLL 10 IoCs

pid	Process
5928	ABSchedhlp.exe
5928	ABSchedhlp.exe
5928	ABSchedhlp.exe
5928	ABSchedhlp.exe
5928	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 3984	4948	ABSchedhlp.exe	135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\QnService.job	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABSchedhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABSchedhlp.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874044843972940"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{9A309CD7-CD2E-4521-89B1-588B64852ECC}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3028	EXCEL.EXE
3156	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5928	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe
2132	chrome.exe
2132	chrome.exe
3984	cmd.exe
3984	cmd.exe
3984	cmd.exe
2132	chrome.exe
2132	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4948	ABSchedhlp.exe
4948	ABSchedhlp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3028	EXCEL.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3156	WINWORD.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE
3028	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 5928	1752	fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe	86
PID 1752 wrote to memory of 5928	1752	fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe	86
PID 1752 wrote to memory of 5928	1752	fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe	86
PID 5928 wrote to memory of 4948	5928	ABSchedhlp.exe	87
PID 5928 wrote to memory of 4948	5928	ABSchedhlp.exe	87
PID 5928 wrote to memory of 4948	5928	ABSchedhlp.exe	87
PID 2132 wrote to memory of 1768	2132	chrome.exe	100
PID 2132 wrote to memory of 1768	2132	chrome.exe	100
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 1976	2132	chrome.exe	101
PID 2132 wrote to memory of 6140	2132	chrome.exe	102
PID 2132 wrote to memory of 6140	2132	chrome.exe	102
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103
PID 2132 wrote to memory of 3968	2132	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe
"C:\Users\Admin\AppData\Local\Temp\fc0fc656807e0d931352198ccc7de76a0f9b7957d901a398bb8b8cbd0e50e1fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ABSchedhlp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ABSchedhlp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5928
- - C:\Users\Admin\AppData\Roaming\CoSvc\ABSchedhlp.exe
    C:\Users\Admin\AppData\Roaming\CoSvc\ABSchedhlp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcde9ddcf8,0x7ffcde9ddd04,0x7ffcde9ddd10
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --field-trial-handle=2136,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4472 /prefetch:2
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4724,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5300,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=es --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5588,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6188,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4464,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  - Modifies registry class
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4556,i,4999814593362356369,8967958624354884110,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2812

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConfirmEnable.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffcdf3bf208,0x7ffcdf3bf214,0x7ffcdf3bf220
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:2824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3584,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
    3⤵
    PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3604,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:8
    3⤵
    PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=es --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5440,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=es --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6092,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
    3⤵
    PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6088,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:8
    3⤵
    PID:5180
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6088,i,2207871510598352192,9233343219888891111,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:8
    3⤵
    PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
44ee12852a2bfd8285f93c556197557c

SHA1
dcd4241b699a151e93d31a9007c917be905d1f12

SHA256
0ea02c532191458dea5e4e71fc720db669b9e78f35737b28b945bd05f7dca751

SHA512
972954a2d9fb31117a749934c207235897288c47f9dccdcb90153f11a4f85868e8a4379db746d94b969e67027066f95519a6487156623c18103f39cac5f6e272

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
352B

MD5
f4e5e0ff4a29428eee7588cdedd772c3

SHA1
f042218d2415ccdef2d616c4baa2b22c24d22554

SHA256
c18ba3ed00b36a5552d95a2c2a96c5a980f4b7ef080b331c84b5eb675a00d2dd

SHA512
9bfbf5330d7b647aeafeaf3f1bd5e96025b1b7a2d518398088ff7f2ce0664f4b8f5bb5b058a1b1b9ebd31976a9ceb8d2d1388b6d85f98399fac648cfb152cc4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
809caf637a9489043abd7a5e1f66eaff

SHA1
cd2385da1634b4e5cfbdcfc00038240cefe26b03

SHA256
98a9450cdf98b332bc7969695dcf017e31076fca13ed66b89399a6fefad9a9cc

SHA512
1d2dff66213f04ddb08cbce0772b6e7c5a8a8cb0284999b80cd06731af3e0405521f80359544b53df01526371cdbdd0c45d6069b57373fb6d805f3025c8de817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ad19b4eee5bf800291d39a82df00e8b3

SHA1
34d52d146e540ad2eba5695ac2a1afaaa3b15e42

SHA256
dc429c78818de569af7626405a75ede5355a144f31aa68beb0cd63418b62968b

SHA512
6afacee8c06f0941294baf2c4dd07a05e9fc13394c914171fc10f80c2f6ffa3cde2f1ea86c92fc3d037f448f46695c1eb7f6759fe0f7f17271047cc3cb66d81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d6323e59c9f86cf02083529b531975b8

SHA1
d15c126a0e12a0cae3e0aab395fc05b10240faec

SHA256
6bb3029b0b170f5589bd9de1355fb8b36788165a04a90aef681f94cc191beff0

SHA512
c219d340d45b6a8738b6d265ffa24c98cd18e832f0bf387e046d6d73e5c31182fea5eb69b63e878feb15200b563c49f989cd6637dbf5101bd22ec9a6db4f9f6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ac8faf3c42529fbacb319a7c64f5f026

SHA1
629f4689431df1089631d06cb386da81693e839d

SHA256
83c4fdd2043ba6fcfbd6170e0ba74e56f9fa4414215e9cdba2e4e1c16d40542f

SHA512
e89a53782905d71119a85bc605294e939dae7b6874f1bd772225c62cc9364cef77aa767555b321a9cc587f33b42fa075cc427c4ae601eecf9f619bfecf61681b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2fede9dd141fda6a675e34611ff2671f

SHA1
c865139fe55875f99cd54282f364a4f7143bc799

SHA256
5bd2764415bea0bb3e6bde95905548d9ce04bf1594b172a1c0f6d13e3b2baaed

SHA512
fd0f1b27a29a634cfa127371d5aeb1b842053669556a31e6fb16764f6059549b3d20cd65ef758718f9a537949bc999df65dddde4537402a757d0ac99af5d7161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f97f42371360e03bbd39faebb8d5cbc0

SHA1
a49f1e9766c78647da68506abe6a3eb823a5cc1a

SHA256
d374e5649eabeb5329ca777a931a9cf803e559ebdc102f896d754c8f91f8d490

SHA512
36100d6bcf573832f5c4fe7f5fbbf05ca92be43280f0b6429e03ffd5906f7fb39dd90b94596b2908b8a1bac1ca917c08b1f6f730aa80f2263e5fc6e296b2ffc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d64b.TMP

Filesize
48B

MD5
3af6540cc693f3c468205417dba8ccc4

SHA1
fa89e03e301e891306f2f090084e28cc2b204cbf

SHA256
3b5a6d5ba58239d4b2365ec14f058e0530d7189a85fe2cd0aa7de5e80811aa01

SHA512
4e374378fc3dea76229a13def85fe1eaf7e462e171d3318a66a104c37660ecbc085e889524ebbf91362aabd7902a6ba2e0a2b2c09765cf333eb077536d880748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
fe8957130a451628458ac1bef11e02bd

SHA1
d919d032606245ece3312b5c535b3c3a7d016a6b

SHA256
13a42c90c908e1ab1eabe1ac0f03d6ebdfe6475e856a6e5c36fe5612be394adb

SHA512
35661b17c9bad2d56fe891fdfcd118c5e27b4c05f7bd8b96b6d8982c3a9f34c47e7c211edfa80e2a8acda7f7e14270b69683a98ccb80217d6c8d1c137acd6be8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
dcc5eb693c4298b0599e39ddee24d09d

SHA1
e92aba98400eed4d0c5c065bdc23e8249f12ee21

SHA256
cbc8b82869a82ab9b2abf41517ed0f7d850ddceb99619c947914fd591c53e7f4

SHA512
465c0b98cf6c22e12a08064af0ee894bf059720132fced0c26b51f7d1e0f4967dd5c97b722165b0a534f3e439358b73390282960c212130b4b946570c7b94535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
34d06a692d83dc1de7f7045875d64995

SHA1
c1b7d0a831dac9f6d9d276ba1d71380f4775927f

SHA256
c5315033272bc1a2584faed6e1da3ce9e6541e28c423728d81035e4d21ae41f3

SHA512
0669c3f102a3472d303933b2c89f6dd02dbff92b7c10e92d1545bb5bb453d12a0adcf5b657715047a3b80d8cd2ca388cda7e4851be1ccc7afcc66cdd002b25ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
5e444bfe74ed94e471c57aef743bf06a

SHA1
044df1c636cafad22eaa6b7623e7084d5d1aa7f0

SHA256
106740e95cef8f9baef06cab97bfaf69d8db7c14db3af1fd4b9e193dbd6c846d

SHA512
77cdde6b7ac1507dd05c6f466238dfc2caa6072da056c4e81a44612a76bace0142ea1f71889ecc9622ac2c90d80947432eebe4fb6edeb181b807ed58a06912b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
b8af007a7546ea5bc1e0609f9fc28e74

SHA1
20ac16cc0eb86b3fe36c2615af06d8971f904dbc

SHA256
fb0241ca22e77d83bc7b1c686dcfa604ee7aee445b20a3abd080582d832e3d66

SHA512
4c2d9beab96ef9809d24168a7b129ac1d950291b27d9cf0b98a5f48747bbf07c9277e6006c1a31acb28dd8c1eeaabe8c2f2567dc8eab9d4968d7ca49cefd81bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
108KB

MD5
17f67c89851ecae127655e6d8376bd5a

SHA1
7da77058c8732aecd102eda54d8e053fbddc8f01

SHA256
426dce40d359477e84cb9bc31eb1abb89ea49385071682fc8486e6bf4870f55a

SHA512
ee42b7031f31ec4ac4bd26de0288ed979871b59f0ab0e7afeed4a4f5b4a5f2c39294ce0343466bb67c1fbb17654f25c7df150e356cd93f39d4f885826dd42752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
2f174cc9f2e338eb31d080801ed5ff61

SHA1
80b284747e1931b3398975b16c3931a2c2577c48

SHA256
e6cdd98e41776199bea31a4fe61dfca275f477d14bceef24a033295a497c0b50

SHA512
29711b19ee07c2b868cf0efd2bb69d4ceed6798f086f24422ec6f408a464ed2ca4a5041796a2de25544c9975cde3e8787bd9f6a700883123300f14e2312bfecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
811ce4e201642e71961d7ba0521c972c

SHA1
f33a9b541d497d07ea576c46730ebe4654756da0

SHA256
ea562d511419abd4447c02ac97c01554016b6b3113a3a932624f567dbcf6953f

SHA512
6fff794fc118fab17915e0eeb2a1f7b884fe166b0942bf364d4829fde788e97307a0ac98c258e9aac2e57cf40f43f53050283878f4cf9565a93357bf5080b898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
3112ecbb2d1167642ca7d3bc59def046

SHA1
1d211307359cfc36eb3cc0f8ec23d77a2adf2553

SHA256
6ac6916292fd19f166231bed77f6703908c3b2b50ef37210b63cbd2a749a09f3

SHA512
930acf09d9f218e025786a516a3613cd3a7d4e941db74b4873229a986f4f6d6def5796b2260919add00530d85865a83b8966e0c021ddf22cbc34ea504d3c0c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
24KB

MD5
5f8e4585647ccc5db86dcec5ed8ba897

SHA1
cf28af5c7419f1385c82249e3ca249dcd99b0920

SHA256
c8cdfacc772de0234ff9e80544b131ab61017237acf5e66602b63fe413ff9b6b

SHA512
45ac5af532c720405d4c8de6e1fb0b63a91e4fc5e2eb677a870d1e84f0bf00cf825419d2dc76ec3fe73a5b4440ebe797eb2a682316621a3e7cbc5079e61fcce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
465285e7f259d0ef678737c74fd05b63

SHA1
74f2994a97525ad4667587106e9291be73d22731

SHA256
a1ad6e7ae02b39934aa88725e313ae6fda1b798858b00fe578bd309eb857a0ff

SHA512
f1e836b44334cf1b10faeb0615bb90ae531ee3eac4d53c50669943cf39f4fd05b66ec133629f9f8668485558589d36db20b00fac14b643a8dca31c7d4fce839a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
b6785a2d85d5e5570a8e6fff68b09b5c

SHA1
a5e1027fef73e8521027ba2b8101e4f1ab32bf6b

SHA256
ce5e9b0c4874b997a5f847efddceae58f9682074bd2c8d475f1b6d6e95bdffb8

SHA512
7a1f3f689a6a2bcaa72e8cbee7861adc6cc8aec83644d0f1d6e40eb09b137efd48d22a350a53b688f40a2e6699af863e2e32da6d3a68b53dad0261799c8b66ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\98532AAE-0C6F-4D6B-8257-27E1C48BFB4C

Filesize
178KB

MD5
2419a4ea918ef9affce5a45f9f3103bc

SHA1
038bec23628e062e705e61f05c1c2745c54ba078

SHA256
7f629da3e5235bb2ce4233d68c53001085781692cba62b01d6f209c31748c346

SHA512
a702bff404904a5627fe2173dc809349a5404c163d95180403860fc63294093f67105a9184b284839f2f01869bb25db9e81cb1f54a7630b2bef9809326d3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4aa2b4a55271972b272073d7188394b9

SHA1
595057b7c056828a2a5858f984741867d4e430c0

SHA256
d47a7245b6deb7530b395ad4651ffd3142f3e17e0cb90650e56e1d928eeb7b69

SHA512
faecc74ca099b0992e2a0741a5cf8cd330aa13448193b9060151bb4da2b4a3d957a428d79efef47205f8d16b3cae8bdd9db24b37aa0f790de84926a0cc4ead8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1590ca2e1afca124639aeb6a625706c3

SHA1
8c71ee3a81691a98d32bc108be0dc29659e63bac

SHA256
b7d431ec6c1c8e17cbeb92b7166b50211a87f6f9675bd291f4fa689e6cc7b140

SHA512
1492f4630eed74e7d24dc3488cfae6a4e12e7bb51ab1bc29ef6f0acd29fb827a7af6fe94f17cbb8804d71bd0338e40181c3f7c9b09d6b3782e3c30c0da4cd0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
bf114ad8139c5913111df1e7eb257d4d

SHA1
b313ad8efebb9cb319c26c573391871130861ad1

SHA256
dfd410c305643e6415504743d62d0421cf1c2419c9213ad97dcd8c55ef939cf2

SHA512
8800b436db43fcaeb7ff1b4d0f261dd0012fb563473f23331ad5fc644b06e1af48dd91f203c7a4ca637dff193814a48a58d7179b15b14e09ee3362a53bc231be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ABSchedhlp.exe

Filesize
625KB

MD5
1aac338b57c1be13358d263079d8db60

SHA1
25d69025d785229ac5d01162b34db1547521239c

SHA256
7eb7b2d16776cc18698558919d57117ca15d9fccd4a73a1dc0b213e2965b0c94

SHA512
475f566a7154f99b2b7db57a172f0e20555813f170f3b992aee19cae3689e6e45fb6502a1057c21c4be450e0eddb280375b07ab8b4c64ce5ab66d25ee6be85c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Comn.dll

Filesize
349KB

MD5
f76f5a566cbb5f561d26e7aca841c723

SHA1
4838fd2dd9dbfcdaf2b1f11091f15a17f93c29be

SHA256
0576fc3b0c9381c47a8a9443abdd195eebb34ece0adc5c6d17624ca0e914e8e3

SHA512
9f574f09a4c54b8e786846297fcfad7af647eb134d8e960b078a83e982ccae2956aa6c4c1014c01c7774461e31314904cb6dfc325c7a90c3e31130838beb24c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\beggarmyneighbour.ai

Filesize
68KB

MD5
a222f37991f4551322c0e8a98dc1f896

SHA1
db790e807802dca83b39302e95d29a19c0257a10

SHA256
4e67b25546b032733e969b260461e9b09933f1180dcd24ee2f99fd446f197ac9

SHA512
2c3bf00b888134f83379d82520ef84b80e436b8e21ca8004e8923bb630b96c1dc290f118229892365a6b809bc53f4e967e973d66954c304fbb768fd9c6523d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\canakin.iso

Filesize
987KB

MD5
1d585d0711d3585df71c36bd1c004833

SHA1
a7f2f6c91acbea9787cd3b6f818e8c9ca42e2421

SHA256
f78001749c068ef309b383f718e05b890344c78f8c0a7bf3562900dac481d9c2

SHA512
f73c44d94e5fc0091007bc3777a384488035c1924d6e56d1fa390cad852a64983fd06811972afde3dd5fae4473d8a906e58b0eddd6443aa413e82c36b2a5db46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\libcrypto-1_1.dll

Filesize
2.2MB

MD5
3ef76b065d88a328824ea4262400c486

SHA1
738e4db5547039323bd29202ffd9e32fd9286fb9

SHA256
6e0d05310826f56d1c7902d6e59afbe09241c412c2a55c1890d63f3e048df296

SHA512
293e1a67f7ba01a4e51ddc632a0cb7adcc4ad96637ad0f4ce368fd10845ae951e5efc1707196cdc0fbe4a74b77da00ca2fe9d2a5f0177bbecd382dec457dc50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\libssl-1_1.dll

Filesize
641KB

MD5
cdbf8cd36924ffb81b19487746f7f18e

SHA1
781190c5a979359054ce56ceef714a8f5384cfbb

SHA256
0813c77df688b39f26bad0be2b3e4afde13e97d9a1ebcbdb3b1f4184218d1a57

SHA512
ca43450e853b3c74808ad199abe329ac2a2d7ae2e84c17fb467374c22ec9620fb102c75889e279e2d28f0ebd14d8bafafe700241ba4141fd64b4801802a3d474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvcp80.dll

Filesize
536KB

MD5
272a9e637adcaf30b34ea184f4852836

SHA1
6de8a52a565f813f8ac7362e0c8ba334b680f8f8

SHA256
35b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4

SHA512
f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f64560

Filesize
1.3MB

MD5
3affeee43f3f036f08cc45fc82d2b4e6

SHA1
aaa6909da4c0775bfb56e56ebf1f233ca845e8e0

SHA256
22e1080c7122771fa8b2515fab147def0292357358ade6dc394824142387a604

SHA512
ef5da68e4e53fa391414c513fd31f0f387d00fea6de597e95bd99ecc127abe4858282dec02b3052e104c84213df3d6d72c658d82f9c29d6fbe79a4352eec0598

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f64560

Filesize
1.3MB

MD5
7ed350b022bb5014e8a8a6acec083f62

SHA1
f0c0afd74e7e32a5f3a6c1fbb8805641b582c395

SHA256
2e99e3f97c5153320cd6bbf2d6a2bc66f38f2b8d52993dce1119259455418ace

SHA512
1880f59585f53f15e9a3c07af490c694f31a28bff7aa0753bb6028e0170e9ac9505f3d5f8b00f2476255be0ef2eaa9859b6dc7672ce73c58faeac34e759c147e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
228B

MD5
dbd88a1f4725edc77d0e694ab5ea3269

SHA1
d80c5d0adf6e8b9b162c3425d8a71d6cc678d5ac

SHA256
8ab0fa4b9afe2b2008d554ce4a7ab9f05b17f7c4a6844bb8be7d21dc0b2ea53f

SHA512
d444b746cc5e3786768bb5c8723083a1b5025c3d0c03e731258ef747c61aa848576200a58491e2abf2f064fcb92a4683b61e380204c962b04ff4c6837bd79403

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
664B

MD5
16c847dd4c82a5d7b5464756b0c2302d

SHA1
07ef538c7d01b4b0c332bc897b601f791146bae0

SHA256
229bca948b69d32e51a1aee90ba8fce2a08cd1ed46a49e790b44213d67f7fd31

SHA512
e48eff607ee6f7d8cd2c117bd473c18cc487cebdcf9862a0abbd9d944ead8c5b8827d4b33422d8d5c0e1614f75a02a23415ee24734e9207cf9024a4137627a2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
7f5a670b099ea1d9c8086f130aaaa214

SHA1
7d43ddb1ae19534a3e669b47be1e9450f2ee9f0f

SHA256
d7f46978f226acbe25b211a55da67d0d95a725b16aadc6d221814c61160496ce

SHA512
6d9cbd9c2d9083ec255716b25b5d0e0b5d70ab964620286e7d8efdd0f4c7dc2852a0b7cc288a74e2c08eeb27004d7440aed68036d5891d5c8452d45de8901e29

Download Submit
memory/752-356-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-345-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-214-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-687-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-369-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-184-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-252-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-167-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-147-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-362-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-311-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-359-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/752-218-0x0000000000500000-0x0000000000582000-memory.dmp

Filesize
520KB

Download
memory/3028-115-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3028-111-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3028-113-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3028-116-0x00007FFCBB520000-0x00007FFCBB530000-memory.dmp

Filesize
64KB

Download
memory/3028-112-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3028-114-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3028-117-0x00007FFCBB520000-0x00007FFCBB530000-memory.dmp

Filesize
64KB

Download
memory/3156-330-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3156-333-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3156-332-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3156-331-0x00007FFCBDCF0000-0x00007FFCBDD00000-memory.dmp

Filesize
64KB

Download
memory/3984-209-0x0000000074A60000-0x0000000074AAF000-memory.dmp

Filesize
316KB

Download
memory/3984-208-0x00007FFCFDC70000-0x00007FFCFDE65000-memory.dmp

Filesize
2.0MB

Download
memory/4948-58-0x0000000074A60000-0x0000000074AAF000-memory.dmp

Filesize
316KB

Download
memory/4948-101-0x0000000074A74000-0x0000000074A76000-memory.dmp

Filesize
8KB

Download
memory/4948-51-0x0000000000960000-0x00000000009FE000-memory.dmp

Filesize
632KB

Download
memory/4948-55-0x0000000000A00000-0x0000000000C3D000-memory.dmp

Filesize
2.2MB

Download
memory/4948-59-0x00007FFCFDC70000-0x00007FFCFDE65000-memory.dmp

Filesize
2.0MB

Download
memory/4948-103-0x0000000074A60000-0x0000000074AAF000-memory.dmp

Filesize
316KB

Download
memory/5928-32-0x00007FFCFDC70000-0x00007FFCFDE65000-memory.dmp

Filesize
2.0MB

Download
memory/5928-24-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download
memory/5928-31-0x0000000074A60000-0x0000000074AAF000-memory.dmp

Filesize
316KB

Download
memory/5928-28-0x0000000000B80000-0x0000000000DBD000-memory.dmp

Filesize
2.2MB

Download