remcos | 9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe
Size

321KB
MD5

efd7d49d7985282a6049b308965c1888
SHA1

308ccb6f12c0f3c456c57051f691e929edf13a9e
SHA256

9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d
SHA512

8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21
SSDEEP

6144:BrJOumSn1I+U5F5WTLErZ0ySwNNZFnKZ8+0nAbSfOL/+H0mjYawdF1Ust:KumSnm+U5F5WTLErZ0PwnySmL/+UmjY4

Score

10^/10

remcos remotehost defense_evasion discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

2.4.7 Pro

Botnet

RemoteHost

okkkk1.ddns.net:4444

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-9WWA88
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	render.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3276	render.exe
1976	render.exe
1648	render.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\render.exe -boot"	render.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 1648	3276	render.exe	105
PID 1648 set thread context of 2832	1648	render.exe	107

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	render.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	render.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2064	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
2528	msedge.exe
2528	msedge.exe
4624	identity_helper.exe
4624	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe
Token: SeDebugPrivilege	3276	render.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 1480	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	89
PID 4044 wrote to memory of 1480	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	89
PID 4044 wrote to memory of 1480	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	89
PID 4044 wrote to memory of 3888	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	91
PID 4044 wrote to memory of 3888	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	91
PID 4044 wrote to memory of 3888	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	91
PID 4044 wrote to memory of 3456	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	93
PID 4044 wrote to memory of 3456	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	93
PID 4044 wrote to memory of 3456	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	93
PID 4044 wrote to memory of 3896	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	96
PID 4044 wrote to memory of 3896	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	96
PID 4044 wrote to memory of 3896	4044	efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe	96
PID 3896 wrote to memory of 3276	3896	cmd.exe	98
PID 3896 wrote to memory of 3276	3896	cmd.exe	98
PID 3896 wrote to memory of 3276	3896	cmd.exe	98
PID 3276 wrote to memory of 3884	3276	render.exe	100
PID 3276 wrote to memory of 3884	3276	render.exe	100
PID 3276 wrote to memory of 3884	3276	render.exe	100
PID 3276 wrote to memory of 1708	3276	render.exe	102
PID 3276 wrote to memory of 1708	3276	render.exe	102
PID 3276 wrote to memory of 1708	3276	render.exe	102
PID 3276 wrote to memory of 1976	3276	render.exe	104
PID 3276 wrote to memory of 1976	3276	render.exe	104
PID 3276 wrote to memory of 1976	3276	render.exe	104
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 3276 wrote to memory of 1648	3276	render.exe	105
PID 1648 wrote to memory of 1560	1648	render.exe	106
PID 1648 wrote to memory of 1560	1648	render.exe	106
PID 1648 wrote to memory of 1560	1648	render.exe	106
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1648 wrote to memory of 2832	1648	render.exe	107
PID 1560 wrote to memory of 2064	1560	cmd.exe	109
PID 1560 wrote to memory of 2064	1560	cmd.exe	109
PID 1560 wrote to memory of 2064	1560	cmd.exe	109
PID 2832 wrote to memory of 2528	2832	iexplore.exe	110
PID 2832 wrote to memory of 2528	2832	iexplore.exe	110
PID 2528 wrote to memory of 4180	2528	msedge.exe	111
PID 2528 wrote to memory of 4180	2528	msedge.exe	111
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112
PID 2528 wrote to memory of 4960	2528	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe:Zone.Identifier"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe:Zone.Identifier"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\efd7d49d7985282a6049b308965c1888_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:1708
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
      4⤵
      Executes dropped EXE
      PID:1976
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2064
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe893946f8,0x7ffe89394708,0x7ffe89394718
        7⤵
        
        PID:4180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
        7⤵
        
        PID:4960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        7⤵
        
        PID:1932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        7⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        7⤵
        
        PID:3744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
        7⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
        7⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
        7⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        7⤵
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
        7⤵
        
        PID:3596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        7⤵
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,17237119648707609408,15843194856539506421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        7⤵
        
        PID:3836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe893946f8,0x7ffe89394708,0x7ffe89394718
        7⤵
        
        PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
5a2a8a9cd837a61b367edf788ab2e4af

SHA1
79aaff8bfcf33c6311500b5baf1e6862ef62d777

SHA256
4614f42bc4d867701e4a0a81776b86d35e02bb15ee33fefea0b297711cc6a2ac

SHA512
2a4af5e6e965ff629952f9b1bb1da8606791dd30e9318f98764c80956f9cc98d8480a1c292059dc3a0fea9f83d4cce57bd9f6ebdd40f910b080bdde3d2902de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ce92068af7e54171856080175954924

SHA1
58f044add2f17c16bea0b8f1daacb2545da6490f

SHA256
9444377416702fd2d774fa0a4070ca15509cb04c836e0e11afba27e8cb1c8cab

SHA512
5bbf0d0bd6a6cd40d4fbf929046c9e4f4e4deafb4fbb472a6630bab222f71305bd603c53d5c73ff7fcf47b0db9348a941a4791fb198bbb3e9407f4a9a84e94a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e81ae8222d21693424a962ae6facb6cc

SHA1
877ddbf8a682e563a555d3dcb8540dc98d1d26a5

SHA256
46db76d93dbd516eddbccd8ce1c16a8b63ce348f254bab586b772d5a70242cb3

SHA512
fee83b6dd9e637a96582a54eb5739e747ad1e30307c62f19350928c13ea0925bb7ab16a9b7aa943067a1d8d156308419dcee60c9fa266b646db13ffe0e11c044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a26da5425ce0abab31e5db8bd4d76bad

SHA1
443129a71dfe54c3542fe4592231593c8f3a6920

SHA256
ee7c9ce6914c9a3ab656b8890b0a0503f66fec5eca6288b776fface566f8fcda

SHA512
cc3c031fb43646491af6318529a4609ea99e351cd87f2424550c03a51ed5978eb9d0472a3d13bb8e77168da03a64c8599ca16cffd55cdface1ff5ea7f1333102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
ae0ab445232da1f6dccb81dc7b65d0f1

SHA1
897f03448f586847dfdcf9eff895b001fc4d1814

SHA256
d4c91990187d1c765e5088074f2181135e046385de586f7be77ec2b7e0470dda

SHA512
399674b6111e3b765dc4362554a282dc3b91310091785669d2c6acfd860f232f2ad79c03432b5040fc6169a08318ef51f3c4fd4c75e802670a415d7e87ec35a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591013.TMP

Filesize
371B

MD5
6f76247af8f68ec90b279bf539bc4c88

SHA1
05d4fa5db1e5358a90e360d04bb4a0bfe4335d79

SHA256
caf273662d70d617dabf899b578f34475912f351e76bb234095dfb21a45f7056

SHA512
04e237cf028ed717d9581e8f0eb1e72839879736e7e2021bed1de4a764c8eee385c2e6b2fb0ec6b954a4f071563eb778f86afc5de363f08dbbc88a00a4d1f9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cf11be9bd6bee4cd4707122227317a3b

SHA1
f77670f7f899e05460145e4ae0c5a79b72da0fa8

SHA256
464367fae2255f3434036396fb2fd07b742d32be32eeb153f86d8a3372a05c0b

SHA512
2153cd5607fd191756d1ca038667bf3dc595b6a3b6d5e686c77f0929fc8d77a20b55530879a5bef5d00375f9d4d0ff4eb1156d06f8eca75775135d021384aeeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe

Filesize
321KB

MD5
efd7d49d7985282a6049b308965c1888

SHA1
308ccb6f12c0f3c456c57051f691e929edf13a9e

SHA256
9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

SHA512
8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

Download Submit
memory/1648-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1648-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3276-24-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3276-32-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3276-23-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3276-25-0x0000000006440000-0x000000000644C000-memory.dmp

Filesize
48KB

Download
memory/3276-26-0x0000000006C30000-0x0000000006CCC000-memory.dmp

Filesize
624KB

Download
memory/3276-22-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3276-21-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4044-10-0x0000000004E10000-0x0000000004E1C000-memory.dmp

Filesize
48KB

Download
memory/4044-7-0x0000000004E20000-0x0000000004FE2000-memory.dmp

Filesize
1.8MB

Download
memory/4044-12-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4044-11-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/4044-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4044-9-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/4044-8-0x0000000005690000-0x0000000005698000-memory.dmp

Filesize
32KB

Download
memory/4044-17-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4044-6-0x0000000004BB0000-0x0000000004C16000-memory.dmp

Filesize
408KB

Download
memory/4044-5-0x0000000004B00000-0x0000000004B22000-memory.dmp

Filesize
136KB

Download
memory/4044-4-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4044-3-0x0000000004A30000-0x0000000004A5A000-memory.dmp

Filesize
168KB

Download
memory/4044-2-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4044-1-0x0000000000130000-0x0000000000186000-memory.dmp

Filesize
344KB

Download