Analysis

max time kernel: 208s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 04-04-2024 18:02
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://workdrive-externaltaxdrivedocument.online/mytaxdocument/Pamelataxdocument/v0SJfhiow/wjM4V/33q1ytzv/ItTP77pSD1cGFtZWxhQHBhbWVsYXRheGRvY3VtZW50LmNvbQ~lg=pamelataxdocument.pdf
Resource: win10v2004-20240226-en

General

Target: https://workdrive-externaltaxdrivedocument.online/mytaxdocument/Pamelataxdocument/v0SJfhiow/wjM4V/33q1ytzv/ItTP77pSD1cGFtZWxhQHBhbWVsYXRheGRvY3VtZW50LmNvbQ~lg=pamelataxdocument.pdf
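The last path segment of the submitted URL carries a base64 string glued to an opaque 10-character prefix; the base64 part decodes to the targeted mailbox, which phishing kits embed so the landing page can pre-fill or personalise itself. The following triage helper is an added example, not part of the sandbox report: it scans a URL for base64-looking runs, tries every start offset (because the encoded value may be glued to a random prefix, as here) and returns any decoded value that parses as an e-mail address. The only input it uses is the URL shown above; the second URL in the test is constructed.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# The phishing URL submitted to the sandbox (copied from the report above).
SAMPLE_URL = (
    "https://workdrive-externaltaxdrivedocument.online/mytaxdocument/Pamelataxdocument/"
    "v0SJfhiow/wjM4V/33q1ytzv/ItTP77pSD1cGFtZWxhQHBhbWVsYXRheGRvY3VtZW50LmNvbQ~lg=pamelataxdocument.pdf"
)

# Runs of base64 / base64url alphabet long enough to hold an address.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _try_decode(chunk: str) -> Optional[str]:
    """Decode a base64 or base64url chunk, tolerating stripped padding.

    Returns the decoded text only if it is printable ASCII, else None.
    """
    padded = chunk + "=" * (-len(chunk) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            raw = decoder(padded)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def find_encoded_emails(url: str) -> list:
    """Return e-mail addresses hidden as base64 anywhere in the URL path, query or fragment."""
    parsed = urlparse(url)
    haystack = unquote(" ".join((parsed.path, parsed.query, parsed.fragment)))
    found = []
    for run in B64_RUN.findall(haystack):
        # The encoded value may be glued to a prefix that is not base64-aligned,
        # so try each start offset that leaves at least 16 characters.
        for start in range(0, len(run) - 15):
            text = _try_decode(run[start:])
            if text and EMAIL.match(text) and text not in found:
                found.append(text)
                break
    return found


if __name__ == "__main__":
    for addr in find_encoded_emails(SAMPLE_URL):
        print("embedded recipient:", addr)
```

The decoded address is a pivot in its own right: it tells you which mailbox the lure was sent to, and the same encoding scheme (prefix + base64 address + `~lg=` + a document-looking filename) is a useful pattern to hunt for across proxy logs.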
Malware Config

Extracted: remcos
RemoteHost: clepdhunt.duckdns.org:4047
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-RRZV2R
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

The C2 host is a DuckDNS dynamic-DNS name, so the address it resolves to is under the operator's control and can change at any time; block and hunt on the hostname clepdhunt.duckdns.org and TCP port 4047, and on the mutex Rmc-RRZV2R on endpoints, rather than on whichever IP the sandbox happened to resolve. install_flag, keylog_flag and screenshot_flag are all false in this build, so Remcos' own install-to-copy_folder routine and its offline keylogger and screenshot capture are switched off; the persistence observed in this run comes from the Run key listed under Signatures, not from the Remcos installer.
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint"
  The leading asterisk in the value name "*Chrome" makes Windows run the entry in Safe Mode as well as in a normal boot, and the name imitates a browser while the data loads a DLL from the user-writable Roaming profile through rundll32.exe. The DLL itself was not executed during this run; the entry fires at the next logon of that user.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 468 Pamelas 2023 1040 W2s Tax DocumentsPDF.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Modifies registry class (1 IoC)
  msedge.exe: Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  4620 msedge.exe (x2), 1224 msedge.exe (x2), 3024 identity_helper.exe (x2), 1728 msedge.exe (x2), 2252 msedge.exe (x2), 2212 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  1224 msedge.exe (x9)

Suspicious use of FindShellTrayWindow (64 IoCs)
  1224 msedge.exe (x64)

Suspicious use of SendNotifyMessage (24 IoCs)
  1224 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1224 msedge.exe wrote to memory of: 2992 (procid_target 85, x2), 1272 (procid_target 86, repeated), 4620 (procid_target 87, x2), 2288 (procid_target 88, repeated)
  All 64 writes are the Edge browser process writing into its own child processes (crashpad handler, GPU process, network service, storage service), which is normal Chromium start-up behaviour rather than injection by the sample.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1224, depth 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workdrive-externaltaxdrivedocument.online/mytaxdocument/Pamelataxdocument/v0SJfhiow/wjM4V/33q1ytzv/ItTP77pSD1cGFtZWxhQHBhbWVsYXRheGRvY3VtZW50LmNvbQ~lg=pamelataxdocument.pdf
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2992, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3a0e46f8,0x7ffd3a0e4708,0x7ffd3a0e4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1272, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4620, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2288, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1808, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 972, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2264, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2664, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3024, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2896, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5572 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1768, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3120, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4412, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4752, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4568, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1728, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1560, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2252, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2212, depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1097480155501080480,12748574428087047512,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3012 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 1176, depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4240, depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 2832, depth 1)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Pamelas 2023 Tax Documents\Pamelas 2023 1040 W2s Tax DocumentsPDF.exe (PID 468, depth 1)
  "C:\Users\Admin\Downloads\Pamelas 2023 Tax Documents\Pamelas 2023 1040 W2s Tax DocumentsPDF.exe"
  - Suspicious use of NtCreateThreadExHideFromDebugger

  C:\Windows\SysWOW64\cmd.exe (PID 2072, depth 2)
    cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit

    C:\Windows\SysWOW64\reg.exe (PID 2264, depth 3)
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
      - Adds Run key to start application

  C:\Users\Admin\Downloads\Pamelas 2023 Tax Documents\Pamelas 2023 1040 W2s Tax DocumentsPDF.exe (PID 808, depth 2)
    "C:\Users\Admin\Downloads\Pamelas 2023 Tax Documents\Pamelas 2023 1040 W2s Tax DocumentsPDF.exe"

Three points worth keeping in mind when reading this tree. The three -Embedding processes (CompPkgSrv.exe twice and rundll32.exe running shell32.dll,SHCreateLocalServerRunDll) are ordinary COM server activations by Windows and are unrelated to the VIVA_01.dll Run entry, which never executed during this run. The Edge renderer at PID 2264 and the later reg.exe at PID 2264 are different processes, since Windows reuses PIDs once a process exits; correlate on process start time or a process GUID rather than on the PID alone. Finally, the sample is run from the SysWOW64 shell (32-bit cmd.exe and reg.exe) and launches a second instance of itself (PID 808) after writing the Run key, so any endpoint telemetry should be filtered on the image path and command line of the 32-bit process rather than on the first PID.
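The persistence step in the tree above is a single reg.exe command line, and it is worth being able to triage such lines mechanically rather than by eye. The following detector is an added example, not part of the sandbox report or of any vendor tooling: it parses a `reg add` command line (with or without a leading `cmd.exe /C`), reconstructs the key, value name and data exactly as Windows would store them, and attaches the findings a responder cares about: an autostart key, the Safe-Mode asterisk prefix on the value name, a rundll32 DLL-export loader, and a DLL path under a user-writable directory. The observed command line is copied from the report; the benign control line in the test is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# reg.exe command line exactly as it appears in the process tree above.
OBSERVED_REG_ADD = (
    'reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "*Chrome" /t REG_SZ '
    '/d "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll",EntryPoint /f'
)

AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Directories an unprivileged user can write to; a persistence DLL living here is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# A quoted chunk may be glued to an unquoted tail, as in "...VIVA_01.dll",EntryPoint;
# cmd passes that as one argument with the quotes removed, which is what the registry shows.
TOKEN = re.compile(r'"[^"]*"[^\s"]*|\S+')


@dataclass
class RegAdd:
    key: str
    value_name: str
    value_type: str
    data: str
    findings: list = field(default_factory=list)


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse 'reg add <key> /v <name> /t <type> /d <data> ...'; None if it is not a reg add."""
    tokens = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    lowered = [t.lower() for t in tokens]
    if "reg" not in lowered:
        return None
    start = lowered.index("reg")                    # skip a leading "cmd.exe /C"
    if len(tokens) < start + 3 or lowered[start + 1] != "add":
        return None
    key = tokens[start + 2]
    opts = {}
    i = start + 3
    while i < len(tokens):
        switch = lowered[i]
        if switch in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            i += 1                                  # /f, /reg:32, /ve and friends
    return RegAdd(key, opts.get("/v", "(Default)"), opts.get("/t", "REG_SZ"), opts.get("/d", ""))


def assess(entry: RegAdd) -> RegAdd:
    """Attach findings; order is stable so results can be compared directly."""
    key, data = entry.key.lower(), entry.data.lower()
    if key.endswith(AUTOSTART_KEYS):
        entry.findings.append("autostart_key")
    if entry.value_name.startswith("*"):
        # An asterisk-prefixed Run value is also processed when Windows boots in Safe Mode.
        entry.findings.append("safe_mode_asterisk")
    if data.startswith("rundll32") and ".dll," in data:
        entry.findings.append("rundll32_dll_export")
    if any(p in data for p in USER_WRITABLE):
        entry.findings.append("user_writable_path")
    return entry


def triage(cmdline: str) -> Optional[RegAdd]:
    entry = parse_reg_add(cmdline)
    return assess(entry) if entry else None


if __name__ == "__main__":
    result = triage(OBSERVED_REG_ADD)
    print(result.key, "|", result.value_name, "|", result.data)
    print("findings:", ", ".join(result.findings))
```

Four findings on one line is the profile of the event in this report; a single `autostart_key` on its own is what legitimate installers produce all day, so the value of the check is in the combination, not in any one flag.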
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 9ffb5f81e8eccd0963c46cbfea1abc20
SHA1: a02a610afd3543de215565bc488a4343bb5c1a59
SHA256: 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA512: 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Filesize: 152B
MD5: e1b45169ebca0dceadb0f45697799d62
SHA1: 803604277318898e6f5c6fb92270ca83b5609cd5
SHA256: 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512: 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 288B
MD5: 95a56ed11de889edacc169530e0507b4
SHA1: 591a1833a6bab5a770c73d01fcce04d5f7292ffb
SHA256: 5132a34be2e37b00383f900080353fe3354d012ac3b2790625bacdbc76976d58
SHA512: 6ada8510674047210c5b684061eb75c9961befb7de3a2c030b090db3760736dcc22de1e4bfe5eefc3c55a533a4e2a18c7696ecd47eb2d0ee3e261839844f7fdb

Filesize: 369B
MD5: 3ee5abf0fd354723cdfeb455a237382d
SHA1: 268718abcce0ee91792bc1bfeeb2744ccd0684c8
SHA256: 6a8604dac5ddf147be33d96b917824da60430fa0d7c16a32770055ec6be1af2b
SHA512: 0a9cc0e8cd4b1385cb04ab3ee0c913c6b534d2526fb72738cd168765ce633a429ad5cdf9e34d4a862f25b8ebc2c2f7adf443db90aed6c7120f43383c4794a535

Filesize: 6KB
MD5: abd6905a050505a7b96b8f39af7f5ca0
SHA1: 8ba7ba24839e0a6fd6dcd2add687355d5461e50f
SHA256: 6f5efb2d88bc7417de91a748bb7cf2e81d14272d88e09d1e7f96bcd1d337d1dd
SHA512: 7ef8c3dba8aa623b67ebdaa8ca25c46380c048fb72565398b2083d199b4e17d229e1716ac12803a92831ca32312b207ac5c7cc6a9df88c98251503025d4f61b4

Filesize: 6KB
MD5: c9c3b4dbdbfa4fb9c7173ac70b5fc8bb
SHA1: 6f3fa38b382e842e7d115a3f10ff460a16b77108
SHA256: b92df0b40895dd5e86c754fcd2c9c807def2062eba27bd4b1ec6297ebef26f0b
SHA512: 52ada1ca7da456e348067b92081df1da7fee642d35e0e362642dc959bd53added425fbcb4cd69825b8e5bd8dfdbb908feaf436cff85a897588a20dbcd9aec53f

Filesize: 6KB
MD5: e9354d1ba552b5f436cb873630aa71d5
SHA1: 1f4ce826468f74f2d20d88bb6d318cc0ad39bc78
SHA256: c6b73a7d7aded6ec72518cb33a957b3f1176ae93a2b0100b90f745888168ae8a
SHA512: a45ec9c95760433a39ccd24f9259cdc80d2e1d95ca8819942104d49a91bb91d391e0a7d0e40f4fe587978745448dd2d74c17cfb8bbdb4d29c7a810af391b50a0

Filesize: 6KB
MD5: 359d35cf453d47cf1eb8bc53e7315569
SHA1: 2967fe325af4b9758d57449ac1ad47e4ba04d3dc
SHA256: 61ca069d293dc1644e89cfd2440a62d1656494e55bd051d36d94dbbd26018433
SHA512: 6847000480e8ceca566a3771b780f91669d44328b168daff763c747e14b097c10546ef7676b5eb60cdb3e9a3bb38e0cc908c831ac0fa09ed2399e9a91f64cb5d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0d1b3475c13b09689e6ef0b556d68af79b7b3495\813ee0fe-e5f0-4a14-b55e-fbb2fd3d30c9\index-dir\the-real-index
Filesize: 192B
MD5: 140a8f9ea5dba80e18fa1cdb892a6908
SHA1: 31724f62f92582effc26740c1dc594e958a2d6aa
SHA256: c9fb227ca24db334e256a41351aec45cfb70858c86cf1c348b11863d8e488466
SHA512: 5ab5d414a02b86bbe4e7db39b22a87f2267661a3c0c8a16606177d4d7c215f40cbb01bcc6de669ae3e280d2d2fc9a2c778c0340fb672538aa4da40b39a773eb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0d1b3475c13b09689e6ef0b556d68af79b7b3495\813ee0fe-e5f0-4a14-b55e-fbb2fd3d30c9\index-dir\the-real-index~RFe57a671.TMP
Filesize: 48B
MD5: f7c750d370b5c2e74a122e5b76a8ae57
SHA1: a4ab6309c2e20153dc809c28f03008ea93295291
SHA256: 06042b42c47414fcee23ac555f75dc80a44d2b025acef76156b44f3935fe5411
SHA512: 8ca416537ee4a4ebeeb72c3b5aaeeae86a181ed925c57c21d749920cbaa7dd1638290bc5c9506111873d263b157f5697b307b34f42fb442bebd0033ceac01c20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0d1b3475c13b09689e6ef0b556d68af79b7b3495\index.txt
Filesize: 112B
MD5: 23f29718d868007774e59f89dad2a81f
SHA1: b3965763e55d2827bfe285904ee2363ceb365fa2
SHA256: 5f8fa1a979cf6d03287535133ccf430dae4a1ca7cfbbcf2a04e383c330acb632
SHA512: b9606e3a2fe52f5575fa5e7bbbec8df95fbb34894569eccfea43bf508b4ee936bbf0813023c1d5050650c9e1591f8bba1fb2142ac6965dbaea979e5620dfdab0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\0d1b3475c13b09689e6ef0b556d68af79b7b3495\index.txt
Filesize: 107B
MD5: a9151c3ec7115af99cee1e01e0277ca0
SHA1: 7f3bddb7cb0be43bd198d88f53e0c3dc126e3629
SHA256: d49c4c4a69c175fc56e6f0c5688be89f99445f15de7dfe2630b3c1fcf547371f
SHA512: d3fcc1f6731a2849126547a541401ac355532bda7d13937a63cd1e95388b3175a3c14fbc39e2b0dba2c7b17e6b98de96a53ebbff51b71e5314004cd0f948a340

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: ed81f95b5be1955ab92f877d411f7a64
SHA1: e76076611ec090474236d7a04129292aa4b33837
SHA256: e981192090afdd980bbe217129ab199fd9dbf9e57142b895951741ef404c6614
SHA512: df3f2bc210888f1c7959f78bffe8b5e714ac610d0afbb124affbee6b25347238910e45bbde1e6e63e0fc9e6a638c90a4d94441633ec38efe3020b3b8b1855f76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a671.TMP
Filesize: 48B
MD5: bb46b1c83afa85e74468ea7f15880cfe
SHA1: 7aaa3451d04397358485c2b4a2f9061ff72f91ea
SHA256: 83fe29504d6c0388cbeb0714be2592c1b9a0634877151e2633d7ad5012fe326b
SHA512: bbd545864639d42a923e7f9b097bc93291ca910bb6759b349e21620408983b40c9ece3ba0d8392a736974c48332812cec5dcb16bec16ed0e685df94e05eb8fb6

Filesize: 534B
MD5: 77a854295e3ba87e5019dcfc0c479c9a
SHA1: 7e7465d86fb82cbc75eea4c8e0b9e10fc89f5caa
SHA256: 7cc8ec070142182b10f3ddfaf18b913f7c9cdc1298a1d280e7b61323848188a6
SHA512: a1c08e882bf09d9f6fff2be72bfb109cf1ca6ea83c15150a424032f32db4a8abfb19fca47560a866c568bf0976796b344de68e5e6bdeb37f9c80614d63b6ed1e

Filesize: 534B
MD5: 428abd634f15d1527aee60b13e92138b
SHA1: ab8a5ce3fe5413c064b0522a880cf8455f075cb8
SHA256: bfbb4366aea6fa4dd2d30e1ed533ac8d546984d28089ee7fd5cc28d5f42aa7c4
SHA512: 6597d0ef51851dd931b2697fd7e1c34221d561d9f7abf418bb61a44d4099504ff30932fae463e87c8b594b524eb57ff65eaf0e32b13ea4829552d6fd14e84f2c

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 9KB
MD5: 08498d41e869b9b5094b6f60a7e43f71
SHA1: d7de688ba531cce78d8c9aacd3b646ec42b5c78e
SHA256: f4db17b3ee1f6614dbf88fcc9f29e8faf5a10be06305a05d631670a53e30bdb3
SHA512: 62a5eb0dd79e618842c8158a283d49e30b3dd826b2df3b58820e8bbe8e2aa46700bfb6b42501c4b4b838824b30fb3707b2c51e1a3368c6f031a36d690a02f782

Filesize: 8KB
MD5: b6c29ce4956cc1f3de9ad91583136199
SHA1: 035273b7edd028103f0ae269b3301c6f6c298dea
SHA256: e6944f304d404841f0393bc5ab4f2f79ac4653610454f69a6f0118342f4377e8
SHA512: 0d681bed5b43806b1281bf4eca5af8fb857dcef2ec1815f4bdd4d80027747a41b966050659588b72a83358ecc87535be535bc321e6cdc1770053b48a07c7af5d

Filesize: 8KB
MD5: ef28046cd23c3b7a40856c3c832a9757
SHA1: 474ea84cb4dc66c8cd5e7cedb5ccdf616969605c
SHA256: ee26ee136d4d24d943b0da25d8a184985486807e9940f2603c8c40cdf4838991
SHA512: da09af9216480894da2d41bf32954b6fde28675f118f59c68e8de08bd18c81d022400ba62c29985f5ecf78b4abfc6ea81a0b86e7e15fc96daaab8918ca8fdd67

Filesize: 113.9MB
MD5: 20ed592d9f0de74064d47efea045de9e
SHA1: 7799642c21888dfdcf01a2e453b54a61ffd6b426
SHA256: 7d24984bc73adaeeeb2cdaf9da6562799b58524f2ef55770d274d66d438cd1a9
SHA512: 18a6a458c4975e840161f788709d1db83331bea71f4d7ea949d87998b4dcd34773128017fe9f45b71d656ae5a5a8cbd2f2213c702f578307123909f1c0abcc8c
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These four digests are the well-known hashes of zero-byte input, so this entry is an empty file and carries no indicator value; do not add it to a blocklist.