Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/11/2024, 20:27

Static task: static1

Behavioral task: behavioral1
  Sample: 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
  Resource: win10v2004-20241007-en
General

Target: 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Size: 1.2MB
MD5: 08b5fa6876e0dc8d5c226597d89e646b
SHA1: 4b5f7b0dd2303c81427f9ab47ff9046c43718552
SHA256: 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361
SHA512: 4f20a03dbcb5e16c4e934e67455eb48bf7bd9681b5fdc731bf278409c78e698527ee125ac2ed0e3f09bc1551a2684e16ba3e34613da9a1eb32bca781b85ea48c
SSDEEP: 24576:IPMpzxWvSQVw/BSCDyBSvbSFMySqL1fjv4G4uKZ0PU:JWvxiSCWBSzsVL1fktec
Malware Config

Extracted: remcos

RemoteHost: 154.216.16.54:6092
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-YJ70D0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: true
take_screenshot_time: 5
Signatures

Remcos family

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  | Process
1936 | powershell.exe
2884 | powershell.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description       | ioc                                                                                                   | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | remcos.exe

Executes dropped EXE (2 IoCs)
pid  | Process
3300 | remcos.exe
1040 | remcos.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description     | ioc                                                                                                                                                                     | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""                              | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""                              | remcos.exe

Suspicious use of SetThreadContext (3 IoCs)
description                          | pid  | Process                                                              | procid_target
PID 1980 set thread context of 4936 | 1980 | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe | 93
PID 3300 set thread context of 1040 | 3300 | remcos.exe                                                           | 97
PID 1040 set thread context of 1400 | 1040 | remcos.exe                                                           | 98

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                     | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description       | ioc                                                               | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid  | Process
1936 | powershell.exe (2 entries)
1040 | remcos.exe (2 entries)
2884 | powershell.exe (2 entries)
1016 | msedge.exe (2 entries)
3232 | msedge.exe (2 entries)
1012 | identity_helper.exe (2 entries)

Suspicious behavior: MapViewOfSection (1 IoC)
pid  | Process
1040 | remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
pid  | Process
3232 | msedge.exe (9 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 1936 | powershell.exe
Token: SeDebugPrivilege | 2884 | powershell.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid  | Process
3232 | msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid  | Process
3232 | msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, count in the last column)
description                      | pid  | Process                                                              | procid_target | entries
PID 1980 wrote to memory of 1936 | 1980 | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe | 91            | 3
PID 1980 wrote to memory of 4936 | 1980 | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe | 93            | 10
PID 4936 wrote to memory of 3300 | 4936 | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe | 94            | 3
PID 3300 wrote to memory of 2884 | 3300 | remcos.exe                                                           | 95            | 3
PID 3300 wrote to memory of 1040 | 3300 | remcos.exe                                                           | 97            | 10
PID 1040 wrote to memory of 1400 | 1040 | remcos.exe                                                           | 98            | 4
PID 1400 wrote to memory of 3232 | 1400 | iexplore.exe                                                         | 99            | 2
PID 3232 wrote to memory of 884  | 3232 | msedge.exe                                                           | 100           | 2
PID 3232 wrote to memory of 1484 | 3232 | msedge.exe                                                           | 101           | 27
Processes
(each entry: [tree depth] image path, then command line, PID and triggered signatures; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe"
    PID: 1980
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe"
      PID: 1936
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe"
      PID: 4936
      - Checks computer location settings
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\ProgramData\Remcos\remcos.exe
        command line: "C:\ProgramData\Remcos\remcos.exe"
        PID: 3300
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
          PID: 2884
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\ProgramData\Remcos\remcos.exe
          command line: "C:\ProgramData\Remcos\remcos.exe"
          PID: 1040
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

        [5] \??\c:\program files (x86)\internet explorer\iexplore.exe
            command line: "c:\program files (x86)\internet explorer\iexplore.exe"
            PID: 1400
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
              PID: 3232
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99af46f8,0x7ffa99af4708,0x7ffa99af4718
                PID: 884

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
                PID: 1484

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
                PID: 1016
                - Suspicious behavior: EnumeratesProcesses

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
                PID: 456

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
                PID: 3464

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                PID: 4900

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
                PID: 2576

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
                PID: 4340

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
                PID: 1012
                - Suspicious behavior: EnumeratesProcesses

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                PID: 808

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
                PID: 1212

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
                PID: 3472

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
                PID: 2884

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
                PID: 1956

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                PID: 112

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
              PID: 4800

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99af46f8,0x7ffa99af4708,0x7ffa99af4718
                PID: 1136

[1] C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3004

[1] C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1944
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.2MB
  MD5: 08b5fa6876e0dc8d5c226597d89e646b
  SHA1: 4b5f7b0dd2303c81427f9ab47ff9046c43718552
  SHA256: 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361
  SHA512: 4f20a03dbcb5e16c4e934e67455eb48bf7bd9681b5fdc731bf278409c78e698527ee125ac2ed0e3f09bc1551a2684e16ba3e34613da9a1eb32bca781b85ea48c

- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- Filesize: 152B
  MD5: ba6ef346187b40694d493da98d5da979
  SHA1: 643c15bec043f8673943885199bb06cd1652ee37
  SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
  SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

- Filesize: 152B
  MD5: b8880802fc2bb880a7a869faa01315b0
  SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
  SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
  SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 264B
  MD5: 1fb15b3fb92694178577243b93595866
  SHA1: e574ee4804271c6b6c4b173908831faa224af89a
  SHA256: b88c05ce2d79fe62b0b2ddcac6f5ea8811c64ca7b81113d30698480cd81e0f07
  SHA512: 64231f339201e6338276a7e0d87ccf8630df6b10c1122cdf2b05561a9e43490049377f9a399e473b6d046b8c6668a448d1e22cd2df8697a6bb350af674ced0a8

- Filesize: 6KB
  MD5: b1cb8d2b12ed592d792281a8b11dfc09
  SHA1: 01bc856e686a3f20a3220229a6753e745705d357
  SHA256: 7892b9a1ed259a5f9118deebee04a5701bce72347db465778a8236992ce2078a
  SHA512: c3ced513e2225c2a77189ffaeee2b6f424462958f8d8b328d9aa5dbc998fc639b663d69016e215d49e411baec8e4c139cb25ba1bd0e65eb6cbcac9d637e484aa

- Filesize: 5KB
  MD5: c490c1743b896ccded20122f4bd02226
  SHA1: 80d76a31c90a2a1af53c332895ec89aa4e7312c0
  SHA256: 842ade80dcdf2df84a2984060d6a1293cf9d47339f0e557e6957d3f8cf6c198a
  SHA512: eb1db91e736ec1709d933157bfb17d055516b0656798049042642847b652ea5d23e4a5d4691f3bdbdc9d8e4c4521846fc73e6deddbf281c75b6a73b56302c287

- Filesize: 6KB
  MD5: a414ec6b777b4cfddcfe6b3ee97eb8b8
  SHA1: 14a23a8b795c194f54d06a318ff08af8aa770e6e
  SHA256: dfbfab6030208188e5ecd4e64529c79297d47cb3831ea65098d2803361417d18
  SHA512: aa36823036cf2c4f795f33b9417105869e6879f354d0758f5836390babcb2ed46637bc076456c887a570eb04e3ab19f70ccd3354fbba13f0135ed18608d74956

- Filesize: 371B
  MD5: 02eda3fe67c53991fcb1c2360b6fc362
  SHA1: 164abbca3bcf5102cffe9c0372780f93c9ce46d3
  SHA256: f92ee979b1caffd706441aef7a60646bd9cfbe69ccb1ff93e18573449e6af85b
  SHA512: 2ac71e6068a6bfcf5f746dbffd2f65bcd8509bdee0bc1927a7827190b121adb1fe5a0cdaf7343b0fc6881e7b53b139d5c1ef2343476f6d2ba649e8968691c79c

- Filesize: 371B
  MD5: 16cedd94c2cd801a353c3177c2110a5f
  SHA1: dc96c1fcbfe19b800d83fe1c2d464809df37022b
  SHA256: a47dbec9ff6bc59c620370628b86dfd4eec4e083fdcf3727615276f891692fc0
  SHA512: 4a8ebc230c964ec14ebf907ed91d95ec66205a4b25190664561108e18ad1151244fe7b294044a167362f46413011967a0e4e72dbcf4a084e9ba44b891803cd15

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: bac8361b924604b4ca45900fafa96586
  SHA1: 380f79e1ab8319a3588e9870f9e926abcdfe5f3b
  SHA256: e524291de4b088296ca650fad56f80c9d5679bb708f66d2907a93b0a6c999920
  SHA512: 3ffcb8c5c1f66d73344dbaabf265bb9e67c928b2cf081da7ad725a5d29a36b6d40ea908a0e956d4c668e704bb77606183de31cdef8a6ded9d80efe861a921883

- Filesize: 18KB
  MD5: 97508f9479c62add88b5cedf377cef4f
  SHA1: 72fb6cb59feb8b0d428d9083d8ffb8acdb9c4bea
  SHA256: f3171189d643919134db90bafd23e187dff5439af435a4a4b0ac06223cfb1ccb
  SHA512: 723afd96829a3b4492caec533d14e1ca32476cfc5513610b56716dbd4a2beda286029041476f13dd22d5c3207ee8f3ee190c0c1f0a61243979edeaa6515676f6

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82