remcos | 6f15d411c1fadf4dbbd4b4ed757152e3811827c37daadd52bc165e52584d88ef

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CMR AND PACKINGLIST.exe
Size

1.1MB
MD5

04fb2ce6e058a87f0a13bbb214a427bf
SHA1

ae2199326c3fb6e541645820cfcbc3904dabb65d
SHA256

0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
SHA512

09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0

Score

10^/10

remcos dreamchaser microsoft persistence phishing rat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

dreamchaser

naninani11.ddns.net:7070

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
windows.exe
copy_folder
file
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-413F1M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CMR AND PACKINGLIST.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	CMR AND PACKINGLIST.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 7 IoCs

Processes:

CMR AND PACKINGLIST.exeCMR AND PACKINGLIST.exe

description	pid	process	target process
PID 4780 set thread context of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2720 set thread context of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 set thread context of 2744	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 set thread context of 2100	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 set thread context of 4040	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 set thread context of 4928	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 set thread context of 4388	2720	CMR AND PACKINGLIST.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\524b203c-8754-47fc-aa8e-dc32a170b96e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220519143956.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1260 schtasks.exe

pid	process
1260	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

CMR AND PACKINGLIST.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4780	CMR AND PACKINGLIST.exe
3992	powershell.exe
1256	powershell.exe
4780	CMR AND PACKINGLIST.exe
3992	powershell.exe
1256	powershell.exe
3732	msedge.exe
3732	msedge.exe
1344	msedge.exe
1344	msedge.exe
4468	identity_helper.exe
4468	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe
1344	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

CMR AND PACKINGLIST.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4780	CMR AND PACKINGLIST.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1344 msedge.exe
1344 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CMR AND PACKINGLIST.exe

pid process

2720 CMR AND PACKINGLIST.exe

pid	process
2720	CMR AND PACKINGLIST.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CMR AND PACKINGLIST.exeCMR AND PACKINGLIST.exesvchost.exemsedge.exe

description	pid	process	target process
PID 4780 wrote to memory of 1256	4780	CMR AND PACKINGLIST.exe	powershell.exe
PID 4780 wrote to memory of 1256	4780	CMR AND PACKINGLIST.exe	powershell.exe
PID 4780 wrote to memory of 1256	4780	CMR AND PACKINGLIST.exe	powershell.exe
PID 4780 wrote to memory of 3992	4780	CMR AND PACKINGLIST.exe	powershell.exe
PID 4780 wrote to memory of 3992	4780	CMR AND PACKINGLIST.exe	powershell.exe
PID 4780 wrote to memory of 3992	4780	CMR AND PACKINGLIST.exe	powershell.exe
PID 4780 wrote to memory of 1260	4780	CMR AND PACKINGLIST.exe	schtasks.exe
PID 4780 wrote to memory of 1260	4780	CMR AND PACKINGLIST.exe	schtasks.exe
PID 4780 wrote to memory of 1260	4780	CMR AND PACKINGLIST.exe	schtasks.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720	4780	CMR AND PACKINGLIST.exe	CMR AND PACKINGLIST.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 2720 wrote to memory of 1212	2720	CMR AND PACKINGLIST.exe	svchost.exe
PID 1212 wrote to memory of 1344	1212	svchost.exe	msedge.exe
PID 1212 wrote to memory of 1344	1212	svchost.exe	msedge.exe
PID 1344 wrote to memory of 2640	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 2640	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe
PID 1344 wrote to memory of 1004	1344	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe
"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWYdFKE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWYdFKE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20D6.tmp"
2⤵
- Creates scheduled task(s)
PID:1260

C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe
"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
5⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
5⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
5⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
5⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
5⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
5⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 /prefetch:8
5⤵
PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
5⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
5⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
5⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
5⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
5⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
5⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
5⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8032 /prefetch:8
5⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff645835460,0x7ff645835470,0x7ff645835480
6⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8032 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
5⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
5⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
5⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
5⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
5⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
5⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
5⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
5⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
5⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
5⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
5⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
5⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
5⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
5⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:1316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:4788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:2756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:3232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:3792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
5⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7a6b3c24152ab22eb73416ee1841a61e

SHA1
31ead2410c4906b3bda6211c96be396918302275

SHA256
d85c0ea9ff2a87866b07970ac8a2e0ee6322d8a5ec94aa9e460b7891674c73d0

SHA512
911cb398690ff7dad4e64fc97278bdb74215b119cbf8222805cd19200757f9bea3beb06fcb3eb1b23677e0c095b898f034b300a75e0aa913756a68a42f980a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3a6aea2b0a23d4f17cb06468594e3c18

SHA1
f6ced0bd3bc4c8d678c8cecce57742ea6d02399c

SHA256
75bfebc4576097ef4b4ce097f4aa5638c40b5de8c6937930e884898368fe8213

SHA512
83e4a20f7394722fd8e2a197e1aa48b564e2702211766f0d9015e6478caf84caa92df287c9c36646ba54bedf76864ce64535aceb33a7c15fc567e7ff9004c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20D6.tmp
Filesize
1KB

MD5
f09987669cb375652e445100adb97ef1

SHA1
899f6be8b5efc3804f7266f1015e1c8a0d975551

SHA256
883e3970b8b2d90101dd30fa1e337dc0d261f108354c3a3aa093e8872655d564

SHA512
731aa6b30c5b8497838e1883d94a5966b77445bf845548a400ef76e73b52d023b13cae8767baa0017af141eb0765214b47f27b939311c9fd7358d2c8a61b4216

Download Submit
\??\pipe\LOCAL\crashpad_1344_QBZYWPVQTQKIASXJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-253-0x0000000000000000-mapping.dmp

Download
memory/384-254-0x0000000000000000-mapping.dmp

Download
memory/556-182-0x0000000000000000-mapping.dmp

Download
memory/636-262-0x0000000000000000-mapping.dmp

Download
memory/1004-168-0x0000000000000000-mapping.dmp

Download
memory/1036-180-0x0000000000000000-mapping.dmp

Download
memory/1040-219-0x0000000000000000-mapping.dmp

Download
memory/1040-178-0x0000000000000000-mapping.dmp

Download
memory/1048-201-0x0000000000000000-mapping.dmp

Download
memory/1212-148-0x0000000000000000-mapping.dmp

Download
memory/1256-160-0x0000000006FD0000-0x0000000006FDE000-memory.dmp

Filesize
56KB

Download
memory/1256-156-0x00000000073F0000-0x0000000007A6A000-memory.dmp

Filesize
6.5MB

Download
memory/1256-155-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/1256-158-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/1256-136-0x0000000000000000-mapping.dmp

Download
memory/1256-142-0x0000000004AC0000-0x0000000004AE2000-memory.dmp

Filesize
136KB

Download
memory/1256-138-0x0000000002160000-0x0000000002196000-memory.dmp

Filesize
216KB

Download
memory/1256-163-0x00000000070C0000-0x00000000070C8000-memory.dmp

Filesize
32KB

Download
memory/1256-153-0x0000000071E90000-0x0000000071EDC000-memory.dmp

Filesize
304KB

Download
memory/1256-140-0x0000000004C40000-0x0000000005268000-memory.dmp

Filesize
6.2MB

Download
memory/1256-143-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/1260-139-0x0000000000000000-mapping.dmp

Download
memory/1316-184-0x0000000000000000-mapping.dmp

Download
memory/1344-161-0x0000000000000000-mapping.dmp

Download
memory/1592-195-0x0000000000000000-mapping.dmp

Download
memory/1612-210-0x0000000000000000-mapping.dmp

Download
memory/1660-172-0x0000000000000000-mapping.dmp

Download
memory/1880-191-0x0000000000000000-mapping.dmp

Download
memory/1900-246-0x0000000000000000-mapping.dmp

Download
memory/1900-266-0x0000000000000000-mapping.dmp

Download
memory/1996-265-0x0000000000000000-mapping.dmp

Download
memory/2020-244-0x0000000000000000-mapping.dmp

Download
memory/2056-193-0x0000000000000000-mapping.dmp

Download
memory/2100-203-0x0000000000000000-mapping.dmp

Download
memory/2212-174-0x0000000000000000-mapping.dmp

Download
memory/2324-189-0x0000000000000000-mapping.dmp

Download
memory/2424-226-0x0000000000000000-mapping.dmp

Download
memory/2460-211-0x0000000000000000-mapping.dmp

Download
memory/2580-247-0x0000000000000000-mapping.dmp

Download
memory/2636-176-0x0000000000000000-mapping.dmp

Download
memory/2640-164-0x0000000000000000-mapping.dmp

Download
memory/2720-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2720-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2720-144-0x0000000000000000-mapping.dmp

Download
memory/2720-147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2720-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2744-186-0x0000000000000000-mapping.dmp

Download
memory/2756-221-0x0000000000000000-mapping.dmp

Download
memory/2756-200-0x0000000000000000-mapping.dmp

Download
memory/2996-235-0x0000000000000000-mapping.dmp

Download
memory/3176-213-0x0000000000000000-mapping.dmp

Download
memory/3232-237-0x0000000000000000-mapping.dmp

Download
memory/3352-251-0x0000000000000000-mapping.dmp

Download
memory/3380-233-0x0000000000000000-mapping.dmp

Download
memory/3400-217-0x0000000000000000-mapping.dmp

Download
memory/3732-169-0x0000000000000000-mapping.dmp

Download
memory/3792-255-0x0000000000000000-mapping.dmp

Download
memory/3836-236-0x0000000000000000-mapping.dmp

Download
memory/3992-159-0x00000000071B0000-0x0000000007246000-memory.dmp

Filesize
600KB

Download
memory/3992-152-0x00000000061F0000-0x0000000006222000-memory.dmp

Filesize
200KB

Download
memory/3992-150-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/3992-154-0x0000000071E90000-0x0000000071EDC000-memory.dmp

Filesize
304KB

Download
memory/3992-157-0x0000000006F30000-0x0000000006F4A000-memory.dmp

Filesize
104KB

Download
memory/3992-162-0x0000000007270000-0x000000000728A000-memory.dmp

Filesize
104KB

Download
memory/3992-137-0x0000000000000000-mapping.dmp

Download
memory/4004-242-0x0000000000000000-mapping.dmp

Download
memory/4040-222-0x0000000000000000-mapping.dmp

Download
memory/4088-207-0x0000000000000000-mapping.dmp

Download
memory/4220-214-0x0000000000000000-mapping.dmp

Download
memory/4388-256-0x0000000000000000-mapping.dmp

Download
memory/4400-194-0x0000000000000000-mapping.dmp

Download
memory/4468-212-0x0000000000000000-mapping.dmp

Download
memory/4484-220-0x0000000000000000-mapping.dmp

Download
memory/4528-228-0x0000000000000000-mapping.dmp

Download
memory/4612-248-0x0000000000000000-mapping.dmp

Download
memory/4780-134-0x00000000086F0000-0x000000000878C000-memory.dmp

Filesize
624KB

Download
memory/4780-131-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/4780-130-0x0000000000070000-0x0000000000192000-memory.dmp

Filesize
1.1MB

Download
memory/4780-132-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/4780-135-0x0000000009280000-0x00000000092E6000-memory.dmp

Filesize
408KB

Download
memory/4780-133-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/4784-183-0x0000000000000000-mapping.dmp

Download
memory/4788-202-0x0000000000000000-mapping.dmp

Download
memory/4820-229-0x0000000000000000-mapping.dmp

Download
memory/4928-238-0x0000000000000000-mapping.dmp

Download
memory/4964-264-0x0000000000000000-mapping.dmp

Download
memory/4976-198-0x0000000000000000-mapping.dmp

Download
memory/4988-230-0x0000000000000000-mapping.dmp

Download
memory/4992-209-0x0000000000000000-mapping.dmp

Download
memory/5008-260-0x0000000000000000-mapping.dmp

Download