remcos | 94a9d476fd9df518316104ed58195552129690fd9d8a9ce46da0552041d77f48

Analysis

max time kernel
177s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41589419116464448286035679864158972845276735013687.exe
Size

2.7MB
MD5

b00ececc12e8dedbe256613f1b945b23
SHA1

97cb8249006a80e0773bb3aaba631171715ffcd4
SHA256

87768a35d6a9b73f30d4d4adcd96b8c4cca695dec762fe7962859972fbd75e56
SHA512

afd4ea1986da088c3f4c2757baeb4b21b14bd4b5e22e00260eca7e719c8fc78d803443b9dfc457799ab7b2d7d306395fbd48bf9d1bde260106a7ad3038c93d97
SSDEEP

49152:9wREDDM04bCaLjmFy1nOFPG/3E1/4BtkMgHeXDREnz+d:9wREsbCaLaeO2EJSkTs0+d

Score

10^/10

remcos dropboxf discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

DropBoxF

cubalibreu6obyau6j8.duckdns.org:2020

Attributes

audio_path
%UserProfile%
audio_record_time
5
connect_delay
0
connect_interval
1
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
flof
keylog_flag
false
keylog_folder
tlof
keylog_path
%AppData%
mouse_option
false
mutex
fMXJEdWdidHdX-6WDMJ4
screenshot_crypt
false
screenshot_flag
false
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Executes dropped EXE 2 IoCs

Processes:

41589419116464448286035679864158972845276735013687.tmp41589419116464448286035679864158972845276735013687.tmp

pid process

1372 41589419116464448286035679864158972845276735013687.tmp
3068 41589419116464448286035679864158972845276735013687.tmp
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

pid process

2292 regsvr32.exe
2872 regsvr32.exe
1496 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to execute payload.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1908 powershell.exe
4992 powershell.exe
3588 powershell.exe
2396 powershell.exe
1908 powershell.exe

pid	process
1372	41589419116464448286035679864158972845276735013687.tmp
3068	41589419116464448286035679864158972845276735013687.tmp

pid	process
2292	regsvr32.exe
2872	regsvr32.exe
1496	regsvr32.exe

pid	process
1908	powershell.exe
4992	powershell.exe
3588	powershell.exe
2396	powershell.exe
1908	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

41589419116464448286035679864158972845276735013687.exetimeout.exe41589419116464448286035679864158972845276735013687.exeregsvr32.exepowershell.exeAcroRd32.exeRdrCEF.exeregsvr32.exe41589419116464448286035679864158972845276735013687.tmppowershell.exeexplorer.exeRdrCEF.exeRdrCEF.exeregsvr32.exepowershell.exe41589419116464448286035679864158972845276735013687.tmpcmd.exeRdrCEF.exeRdrCEF.exeRdrCEF.exepowershell.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41589419116464448286035679864158972845276735013687.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41589419116464448286035679864158972845276735013687.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41589419116464448286035679864158972845276735013687.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41589419116464448286035679864158972845276735013687.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

756 timeout.exe

pid	process
756	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

41589419116464448286035679864158972845276735013687.tmpregsvr32.exepowershell.exepowershell.exeAcroRd32.exeregsvr32.exepowershell.exeregsvr32.exepowershell.exe

pid	process
3068	41589419116464448286035679864158972845276735013687.tmp
3068	41589419116464448286035679864158972845276735013687.tmp
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2396	powershell.exe
2396	powershell.exe
1908	powershell.exe
1908	powershell.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
2292	regsvr32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
2872	regsvr32.exe
1496	regsvr32.exe
1496	regsvr32.exe
1496	regsvr32.exe
1496	regsvr32.exe
1496	regsvr32.exe
1496	regsvr32.exe
3588	powershell.exe
3588	powershell.exe
1496	regsvr32.exe
1496	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeIncreaseQuotaPrivilege	2396	powershell.exe
Token: SeSecurityPrivilege	2396	powershell.exe
Token: SeTakeOwnershipPrivilege	2396	powershell.exe
Token: SeLoadDriverPrivilege	2396	powershell.exe
Token: SeSystemProfilePrivilege	2396	powershell.exe
Token: SeSystemtimePrivilege	2396	powershell.exe
Token: SeProfSingleProcessPrivilege	2396	powershell.exe
Token: SeIncBasePriorityPrivilege	2396	powershell.exe
Token: SeCreatePagefilePrivilege	2396	powershell.exe
Token: SeBackupPrivilege	2396	powershell.exe
Token: SeRestorePrivilege	2396	powershell.exe
Token: SeShutdownPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeSystemEnvironmentPrivilege	2396	powershell.exe
Token: SeRemoteShutdownPrivilege	2396	powershell.exe
Token: SeUndockPrivilege	2396	powershell.exe
Token: SeManageVolumePrivilege	2396	powershell.exe
Token: 33	2396	powershell.exe
Token: 34	2396	powershell.exe
Token: 35	2396	powershell.exe
Token: 36	2396	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeIncreaseQuotaPrivilege	1908	powershell.exe
Token: SeSecurityPrivilege	1908	powershell.exe
Token: SeTakeOwnershipPrivilege	1908	powershell.exe
Token: SeLoadDriverPrivilege	1908	powershell.exe
Token: SeSystemProfilePrivilege	1908	powershell.exe
Token: SeSystemtimePrivilege	1908	powershell.exe
Token: SeProfSingleProcessPrivilege	1908	powershell.exe
Token: SeIncBasePriorityPrivilege	1908	powershell.exe
Token: SeCreatePagefilePrivilege	1908	powershell.exe
Token: SeBackupPrivilege	1908	powershell.exe
Token: SeRestorePrivilege	1908	powershell.exe
Token: SeShutdownPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeSystemEnvironmentPrivilege	1908	powershell.exe
Token: SeRemoteShutdownPrivilege	1908	powershell.exe
Token: SeUndockPrivilege	1908	powershell.exe
Token: SeManageVolumePrivilege	1908	powershell.exe
Token: 33	1908	powershell.exe
Token: 34	1908	powershell.exe
Token: 35	1908	powershell.exe
Token: 36	1908	powershell.exe
Token: SeIncreaseQuotaPrivilege	1908	powershell.exe
Token: SeSecurityPrivilege	1908	powershell.exe
Token: SeTakeOwnershipPrivilege	1908	powershell.exe
Token: SeLoadDriverPrivilege	1908	powershell.exe
Token: SeSystemProfilePrivilege	1908	powershell.exe
Token: SeSystemtimePrivilege	1908	powershell.exe
Token: SeProfSingleProcessPrivilege	1908	powershell.exe
Token: SeIncBasePriorityPrivilege	1908	powershell.exe
Token: SeCreatePagefilePrivilege	1908	powershell.exe
Token: SeBackupPrivilege	1908	powershell.exe
Token: SeRestorePrivilege	1908	powershell.exe
Token: SeShutdownPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeSystemEnvironmentPrivilege	1908	powershell.exe
Token: SeRemoteShutdownPrivilege	1908	powershell.exe
Token: SeUndockPrivilege	1908	powershell.exe
Token: SeManageVolumePrivilege	1908	powershell.exe
Token: 33	1908	powershell.exe
Token: 34	1908	powershell.exe
Token: 35	1908	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

41589419116464448286035679864158972845276735013687.tmpAcroRd32.exe

pid process

3068 41589419116464448286035679864158972845276735013687.tmp
1036 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exeregsvr32.exe

pid process

1036 AcroRd32.exe
1036 AcroRd32.exe
1036 AcroRd32.exe
1036 AcroRd32.exe
2292 regsvr32.exe
1036 AcroRd32.exe

pid	process
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
2292	regsvr32.exe
1036	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41589419116464448286035679864158972845276735013687.exe41589419116464448286035679864158972845276735013687.tmpcmd.exe41589419116464448286035679864158972845276735013687.exe41589419116464448286035679864158972845276735013687.tmpregsvr32.exeexplorer.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1984 wrote to memory of 1372	1984	41589419116464448286035679864158972845276735013687.exe	41589419116464448286035679864158972845276735013687.tmp
PID 1984 wrote to memory of 1372	1984	41589419116464448286035679864158972845276735013687.exe	41589419116464448286035679864158972845276735013687.tmp
PID 1984 wrote to memory of 1372	1984	41589419116464448286035679864158972845276735013687.exe	41589419116464448286035679864158972845276735013687.tmp
PID 1372 wrote to memory of 2572	1372	41589419116464448286035679864158972845276735013687.tmp	cmd.exe
PID 1372 wrote to memory of 2572	1372	41589419116464448286035679864158972845276735013687.tmp	cmd.exe
PID 1372 wrote to memory of 2572	1372	41589419116464448286035679864158972845276735013687.tmp	cmd.exe
PID 2572 wrote to memory of 756	2572	cmd.exe	timeout.exe
PID 2572 wrote to memory of 756	2572	cmd.exe	timeout.exe
PID 2572 wrote to memory of 756	2572	cmd.exe	timeout.exe
PID 2572 wrote to memory of 2304	2572	cmd.exe	41589419116464448286035679864158972845276735013687.exe
PID 2572 wrote to memory of 2304	2572	cmd.exe	41589419116464448286035679864158972845276735013687.exe
PID 2572 wrote to memory of 2304	2572	cmd.exe	41589419116464448286035679864158972845276735013687.exe
PID 2304 wrote to memory of 3068	2304	41589419116464448286035679864158972845276735013687.exe	41589419116464448286035679864158972845276735013687.tmp
PID 2304 wrote to memory of 3068	2304	41589419116464448286035679864158972845276735013687.exe	41589419116464448286035679864158972845276735013687.tmp
PID 2304 wrote to memory of 3068	2304	41589419116464448286035679864158972845276735013687.exe	41589419116464448286035679864158972845276735013687.tmp
PID 3068 wrote to memory of 2292	3068	41589419116464448286035679864158972845276735013687.tmp	regsvr32.exe
PID 3068 wrote to memory of 2292	3068	41589419116464448286035679864158972845276735013687.tmp	regsvr32.exe
PID 3068 wrote to memory of 2292	3068	41589419116464448286035679864158972845276735013687.tmp	regsvr32.exe
PID 2292 wrote to memory of 2396	2292	regsvr32.exe	powershell.exe
PID 2292 wrote to memory of 2396	2292	regsvr32.exe	powershell.exe
PID 2292 wrote to memory of 2396	2292	regsvr32.exe	powershell.exe
PID 2292 wrote to memory of 1908	2292	regsvr32.exe	powershell.exe
PID 2292 wrote to memory of 1908	2292	regsvr32.exe	powershell.exe
PID 2292 wrote to memory of 1908	2292	regsvr32.exe	powershell.exe
PID 2292 wrote to memory of 4812	2292	regsvr32.exe	explorer.exe
PID 2292 wrote to memory of 4812	2292	regsvr32.exe	explorer.exe
PID 2292 wrote to memory of 4812	2292	regsvr32.exe	explorer.exe
PID 4232 wrote to memory of 1036	4232	explorer.exe	AcroRd32.exe
PID 4232 wrote to memory of 1036	4232	explorer.exe	AcroRd32.exe
PID 4232 wrote to memory of 1036	4232	explorer.exe	AcroRd32.exe
PID 1036 wrote to memory of 5080	1036	AcroRd32.exe	RdrCEF.exe
PID 1036 wrote to memory of 5080	1036	AcroRd32.exe	RdrCEF.exe
PID 1036 wrote to memory of 5080	1036	AcroRd32.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe
PID 5080 wrote to memory of 4556	5080	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe
"C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\is-PVCFR.tmp\41589419116464448286035679864158972845276735013687.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PVCFR.tmp\41589419116464448286035679864158972845276735013687.tmp" /SL5="$601EE,1880700,795136,C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:756
  - - C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe
      "C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe" /VERYSILENT /SUPPRESSMSGBOXES
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\is-RJT4P.tmp\41589419116464448286035679864158972845276735013687.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RJT4P.tmp\41589419116464448286035679864158972845276735013687.tmp" /SL5="$802BE,1880700,795136,C:\Users\Admin\AppData\Local\Temp\41589419116464448286035679864158972845276735013687.exe" /VERYSILENT /SUPPRESSMSGBOXES
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\CluelessStork.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{E263962E-192D-4CC1-9DD6-9C5E578882C5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\explorer.exe
        
        "explorer" C:\Users\Admin\AppData\Roaming\new_document.pdf
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\new_document.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=13021F58A55255EAD053FD7A29ACE6A7 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7F14D8E97E7731249E6EAB2E2987E019 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7F14D8E97E7731249E6EAB2E2987E019 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4140
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A8EBD3F910235655D9E9C916F655ADFB --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1320
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AAC000D329E50F8AE6155A7F796CB9BD --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D00E77E656C97ABCF8F1432F776C6B33 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D00E77E656C97ABCF8F1432F776C6B33 --renderer-client-id=6 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3360
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD1BECB20902A9262CF02E7B60611ABE --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll
1⤵
PID:2424
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4992

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll
1⤵
PID:4312
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\CluelessStork.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5617411cab3a99105f85497ec94eb91b

SHA1
93db0e4086980de63d15617581c65d01b7b0cbe3

SHA256
c483129cfc053b81b5a486f34b3942fe655eec44a7c116ee8c849c22888d3f77

SHA512
dc7d28b3067948c9324c775174c1d7e36e7d7ef5c8d56e830aca247ee3ba2ae51b5983c1f5e6a0867d3c10f9cd1ad7af91365a260272cf8f80e98603100254df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
ed56fa73c77f85e68560a1e2e472fe80

SHA1
e99942ffaf542fa3e93536406472ba03b9a0eedb

SHA256
5d5299bd3c0a233cca187bd44b64c7610c85f5b75fd46f89b286d3995964a1dc

SHA512
5912da681d33feb34377bd65adf9bcaf2b1f19ca7ca5064c70659cdddd5cbbe5e865f829edbfb864423c8a6b30d713eedd929f008c0832b376afe83747c37a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
a72efe61ed9db22d4ef7a0346d838916

SHA1
3b5655d5ae15b1b5a39a832060d9b983f5a016a4

SHA256
87315adf12692f2750e5782ac2901632365c05813a4f34a14f85ac9036789033

SHA512
aeec86adfebe5a622ea817829caf2cc01c27f64b70ea472a002a98dfba336d5e43a1dd9c897ac4cb8f1667e647cee380898693715abd16c9592e49010966572d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
0f9a85bf1d0a4ae6947aed6516662cf9

SHA1
e953ace8c2df0a3d9d31b744387283a4acb3f8f8

SHA256
49ff4f832ea05b3ce963d305a3b92f1cb9cb622bd949cf7dcd35875aaf8a0e23

SHA512
67a56a94d43f354a37a03ff565d0ef83d3eecb36fd335017c0e744c17278a21dfbc58170f8212cc4204c79ca2444ced48926b94029438dd52714f3d3d55428ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r40jr41o.0ik.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PVCFR.tmp\41589419116464448286035679864158972845276735013687.tmp

Filesize
3.1MB

MD5
e97363b64f37ee24cdd55cea14d1c564

SHA1
dd82ae5ebf33348011b0437fe8107d4d72b9e2b9

SHA256
ade1473799360f3df1cb0f8f20fa99e325009fb53e151236d0a2be6f041a8c8c

SHA512
362bdf700ddd9186e9207351f0b8879f303c8c669b4bea2327ba549e18f7a333e11f4dc07cc2721ac18fdcdee04a8362ae6b4cdbdc961d220e154fa6de32182b

Download Submit
C:\Users\Admin\AppData\Roaming\CluelessStork.dll

Filesize
2.8MB

MD5
5d12e174483a3ffe2c2c500e307fdc8a

SHA1
b32a8018e88633775bb9b6bd708ddce03699de37

SHA256
2ae1ba32a40756b38d7544aff09b77e72c6cffdcaf05758fa7d3edd2d9b21f56

SHA512
27453a456b36b8ad018dc8801cb28f08da89acc2c99b7f76f199ef9694f350810bfd404eda650e3eb889c9a7cf41e2117c66d30efb26ecfa80c094f353f4183e

Download Submit
C:\Users\Admin\AppData\Roaming\new_document.pdf

Filesize
85KB

MD5
fe3e7701f1a41cf4f92d1e6fc7efbf5c

SHA1
05fac77a598118e7fc47b70cb5f38d5b27409ae1

SHA256
c236dd48e3e528022b3205cefcd0daab16c759d0c8aea96ae2399eefecc639d0

SHA512
9df1892c71771b94560eeb9e86b0afc69d010463d34daf84bcd91ac56ab1d1ae4ca93d6791b3e70343dd09d9d63900f8ee99df73c66d5188a89b790ba3c7976f

Download Submit
memory/1372-25-0x0000000000190000-0x00000000004BF000-memory.dmp

Filesize
3.2MB

Download
memory/1372-6-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1496-300-0x0000000073E70000-0x0000000074069000-memory.dmp

Filesize
2.0MB

Download
memory/1908-78-0x0000000074600000-0x000000007464C000-memory.dmp

Filesize
304KB

Download
memory/1908-77-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/1908-88-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/1908-75-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-89-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1984-27-0x00000000007F0000-0x00000000008C0000-memory.dmp

Filesize
832KB

Download
memory/1984-0-0x00000000007F0000-0x00000000008C0000-memory.dmp

Filesize
832KB

Download
memory/1984-2-0x00000000007F1000-0x0000000000899000-memory.dmp

Filesize
672KB

Download
memory/2292-307-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-125-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-238-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-269-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-270-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-147-0x0000000073E70000-0x0000000074069000-memory.dmp

Filesize
2.0MB

Download
memory/2292-274-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-275-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-302-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-303-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-135-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-134-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-308-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-133-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-93-0x0000000073E70000-0x0000000074069000-memory.dmp

Filesize
2.0MB

Download
memory/2292-120-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-237-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-128-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2292-132-0x0000000003310000-0x000000000338F000-memory.dmp

Filesize
508KB

Download
memory/2304-8-0x00000000007F0000-0x00000000008C0000-memory.dmp

Filesize
832KB

Download
memory/2304-24-0x00000000007F0000-0x00000000008C0000-memory.dmp

Filesize
832KB

Download
memory/2396-43-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/2396-28-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

Filesize
216KB

Download
memory/2396-61-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/2396-60-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/2396-59-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/2396-58-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/2396-57-0x0000000007590000-0x0000000007633000-memory.dmp

Filesize
652KB

Download
memory/2396-32-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/2396-56-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/2396-62-0x00000000078A0000-0x00000000078B1000-memory.dmp

Filesize
68KB

Download
memory/2396-29-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/2396-30-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/2396-31-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2396-42-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-46-0x00000000745B0000-0x00000000745FC000-memory.dmp

Filesize
304KB

Download
memory/2396-45-0x0000000007350000-0x0000000007382000-memory.dmp

Filesize
200KB

Download
memory/2396-44-0x00000000063F0000-0x000000000643C000-memory.dmp

Filesize
304KB

Download
memory/2872-267-0x0000000073E70000-0x0000000074069000-memory.dmp

Filesize
2.0MB

Download
memory/3068-23-0x0000000000930000-0x0000000000C5F000-memory.dmp

Filesize
3.2MB

Download
memory/3588-289-0x0000000064220000-0x000000006426C000-memory.dmp

Filesize
304KB

Download
memory/4992-265-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

Filesize
68KB

Download
memory/4992-264-0x0000000007980000-0x0000000007A23000-memory.dmp

Filesize
652KB

Download
memory/4992-254-0x0000000064220000-0x000000006426C000-memory.dmp

Filesize
304KB

Download
memory/4992-253-0x0000000006A10000-0x0000000006A5C000-memory.dmp

Filesize
304KB

Download
memory/4992-247-0x00000000062C0000-0x0000000006614000-memory.dmp

Filesize
3.3MB

Download