remcos | f977974b2df2bece2382b3c31b24382b629d18144c1fd56901900b1d1aba6024

Analysis

max time kernel
144s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1evAkYZpwDV0N4v.exe
Size

1.0MB
MD5

01366b2e0ca4523828110da357d12653
SHA1

80a4c110832923d56d4b86a10adf357e1839c7b8
SHA256

f977974b2df2bece2382b3c31b24382b629d18144c1fd56901900b1d1aba6024
SHA512

b4e21bb81c0134eec03a37ad171a73c6a501891717656a590ac94e2defe255f4fcc13a65b2e69d6652d6ba8f2264f883472be56c548c2e8cc15c132de88a567d
SSDEEP

24576:X1azvpEnO/9uGgmyB7KMXEHB036bTTOz9Rs:X1kpEg9uBOsEHbsS

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1584	powershell.exe
1044	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1evAkYZpwDV0N4v.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 628 set thread context of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 1596 set thread context of 1812	1596	1evAkYZpwDV0N4v.exe	104

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1evAkYZpwDV0N4v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1evAkYZpwDV0N4v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
1584	powershell.exe
1044	powershell.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
628	1evAkYZpwDV0N4v.exe
1584	powershell.exe
1596	1evAkYZpwDV0N4v.exe
1596	1evAkYZpwDV0N4v.exe
1044	powershell.exe
4656	msedge.exe
4656	msedge.exe
884	msedge.exe
884	msedge.exe
2568	identity_helper.exe
2568	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1596	1evAkYZpwDV0N4v.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	1evAkYZpwDV0N4v.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1584	628	1evAkYZpwDV0N4v.exe	96
PID 628 wrote to memory of 1584	628	1evAkYZpwDV0N4v.exe	96
PID 628 wrote to memory of 1584	628	1evAkYZpwDV0N4v.exe	96
PID 628 wrote to memory of 1044	628	1evAkYZpwDV0N4v.exe	98
PID 628 wrote to memory of 1044	628	1evAkYZpwDV0N4v.exe	98
PID 628 wrote to memory of 1044	628	1evAkYZpwDV0N4v.exe	98
PID 628 wrote to memory of 2432	628	1evAkYZpwDV0N4v.exe	100
PID 628 wrote to memory of 2432	628	1evAkYZpwDV0N4v.exe	100
PID 628 wrote to memory of 2432	628	1evAkYZpwDV0N4v.exe	100
PID 628 wrote to memory of 3208	628	1evAkYZpwDV0N4v.exe	102
PID 628 wrote to memory of 3208	628	1evAkYZpwDV0N4v.exe	102
PID 628 wrote to memory of 3208	628	1evAkYZpwDV0N4v.exe	102
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 628 wrote to memory of 1596	628	1evAkYZpwDV0N4v.exe	103
PID 1596 wrote to memory of 1812	1596	1evAkYZpwDV0N4v.exe	104
PID 1596 wrote to memory of 1812	1596	1evAkYZpwDV0N4v.exe	104
PID 1596 wrote to memory of 1812	1596	1evAkYZpwDV0N4v.exe	104
PID 1596 wrote to memory of 1812	1596	1evAkYZpwDV0N4v.exe	104
PID 1812 wrote to memory of 884	1812	iexplore.exe	107
PID 1812 wrote to memory of 884	1812	iexplore.exe	107
PID 884 wrote to memory of 4308	884	msedge.exe	108
PID 884 wrote to memory of 4308	884	msedge.exe	108
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109
PID 884 wrote to memory of 1356	884	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe
"C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gorfVgTf.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gorfVgTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe
  "C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
  2⤵
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe
  "C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1596
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef09446f8,0x7ffef0944708,0x7ffef0944718
        5⤵
        
        PID:4308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        5⤵
        
        PID:1356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
        5⤵
        
        PID:1464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:8
        5⤵
        
        PID:1556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        5⤵
        
        PID:4636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
        5⤵
        
        PID:744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        5⤵
        
        PID:4992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        
        PID:4648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        5⤵
        
        PID:4692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
        5⤵
        
        PID:4224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        5⤵
        
        PID:2628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:3804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef09446f8,0x7ffef0944708,0x7ffef0944718
        5⤵
        
        PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
54c2c8dd0315b63cceb3509a7c7de36b

SHA1
9af182c0c26b2aa42a930380f139b8e89082e397

SHA256
2b51329e33c25d52018ccaa2de91a1c8ee801cf92ef9900b6a088eae2f8944df

SHA512
89053d75c980344e69057ff673a7d24ef99f8d123cffdcfc0c85150c6d375d50e8f8d5e4388892f4e99193a59b920877013b9c2cb22367b7fd91119f157ab682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5b5450db7353e3a4222d54e01a6ec2e

SHA1
06f9a1d2510db7b05713ad9ebf29450fd8c67b18

SHA256
1946bc0aa3e5de2a056c1fb904693b40e8ec33f657fac121a605633bd7d317ca

SHA512
5365eb8a9945bacb8062cbb09c8842ee1af9bf7ef4c2bb9c2ad6d2577827c7a552aa8c8cb28086175f1c58f3a443ebac27c4e4d0070e42276f1c163a9bf5a54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7db35e89026ec0c74ef2b0666feb04cc

SHA1
2796206fa7a3be0f229ebfbb9a53b3882ac64654

SHA256
59e6cf8cdea11b2d43fddd422b5810d0b1cf4481ec4585b950d4ed7944fcf642

SHA512
3471a9bbccb3f1e1a936540f1a38f94a54b4f2b3345617d8f83863df2302ef2adffeea8f52b7b087489cc3a45f5c66554421459a095040bf800388ba10c0e9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48bc645f03858b38b2e4f9ec7b6f5563

SHA1
5d5cc8cef45ad889b24c26fdfb78e559cf21ceb1

SHA256
1fc647719fc58e9fc5e0324a34ade69c7533ff066f518c1b6315308458439ef6

SHA512
8583fb02d451da1e5fc6847a18a3c27dd206f9859bd943d49d4fa6991bf352c96adff22e947e842e687041aed427eec3fc3c8e6e72219392f1661189e6deb9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9955557a66d5df4237181509829dcbda

SHA1
69aa10fd581f7bd86485e7208e0d565da939a6e0

SHA256
89c5f1ebff7dc5e78a30b703ee7528ad42f1844b5279ced63a681adead4f1c33

SHA512
caeba1f675e5ab388eea8e8fd58f4cfc28bcad9fcdc58f06a17916b3473377730e112d3246df1a9bb3c5a13cb2001690044afdba3c972cfda8eaad4ef1aee9e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5835d0.TMP

Filesize
371B

MD5
1b46cc2c1da9ebba1ef4f232f160f488

SHA1
5bbc3883dae76f352a58fe975d50c8dab3838a93

SHA256
ee6d8198e73eaa100aa475fdc7f6feaec0ad13bc9710b668e5ee1760409f9bfe

SHA512
acd1f0d074b47f46bbbaefb0c82bbfe91d2f7d18b9e3f927f931eec3b3d1fd93eaaafad355ae340ee36a939a1955a4f7440b3f0786392ec82ca5745b1943a4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1b01eaf6c428e004b10588f783c8ecfe

SHA1
299c2fb042c9fd419c095ea9fe872545b988c976

SHA256
ef32ab8671cc12396254f700129c14e86444763a4d7f770664fa9b37f9e6166d

SHA512
4d1e68434c70321661f0be6afe1db8ec26df2b9ed29d1f67099b7e920b204a79d1321a24913bf32643c9a6187d427832bfc1b1c00aac6cfa61ffdabc5036be44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d40844ab7fb09ded72f5d53ca36c3355

SHA1
d0792595ffc358feba1f5fa2031042e7c61fe98b

SHA256
6ef7c9b62cfbba9358f128f9a99f73619d833b0b35a5b6d553bfc9d8c91270bd

SHA512
89e009f722ca304d02e57258befee439918ef1b198ba178001976f7c7d63b4b242daae8f19cd6b8247fa1010a041bcdbff4c635dc68a6bdca1dc959a28ed2f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gewhdfjw.2it.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp

Filesize
1KB

MD5
aa8556245078dd2c702ebfb2216173b5

SHA1
a53cf8b1a01b11ca2e76699e8babef1781670f4d

SHA256
82ecb7e0701625f72f5ec379ef1efabfb3704600f927ed0337943f35116854cf

SHA512
1715f43dbe62bf7aece60a737c6a47947299f2627e51a0055628c01f11319c69f72e7dcff713d227c9b97ba24cefda1d2e3ec90ae6eda8d05e8108dc6e3e3b17

Download Submit
memory/628-10-0x0000000008D40000-0x0000000008E04000-memory.dmp

Filesize
784KB

Download
memory/628-9-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/628-8-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/628-7-0x00000000077F0000-0x0000000007808000-memory.dmp

Filesize
96KB

Download
memory/628-6-0x0000000007830000-0x00000000078CC000-memory.dmp

Filesize
624KB

Download
memory/628-5-0x0000000004780000-0x000000000478A000-memory.dmp

Filesize
40KB

Download
memory/628-4-0x00000000075D0000-0x0000000007662000-memory.dmp

Filesize
584KB

Download
memory/628-3-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/628-49-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/628-2-0x0000000007960000-0x0000000007F04000-memory.dmp

Filesize
5.6MB

Download
memory/628-1-0x00000000003A0000-0x00000000004A6000-memory.dmp

Filesize
1.0MB

Download
memory/628-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/1044-53-0x000000006EDD0000-0x000000006EE1C000-memory.dmp

Filesize
304KB

Download
memory/1044-79-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/1044-19-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1044-64-0x0000000007060000-0x000000000707E000-memory.dmp

Filesize
120KB

Download
memory/1044-46-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1044-52-0x00000000070A0000-0x00000000070D2000-memory.dmp

Filesize
200KB

Download
memory/1044-86-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1044-81-0x0000000007650000-0x0000000007664000-memory.dmp

Filesize
80KB

Download
memory/1044-23-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/1044-80-0x0000000007640000-0x000000000764E000-memory.dmp

Filesize
56KB

Download
memory/1584-76-0x0000000007500000-0x000000000751A000-memory.dmp

Filesize
104KB

Download
memory/1584-20-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/1584-77-0x0000000007570000-0x000000000757A000-memory.dmp

Filesize
40KB

Download
memory/1584-75-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/1584-82-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/1584-83-0x0000000007860000-0x0000000007868000-memory.dmp

Filesize
32KB

Download
memory/1584-74-0x00000000071C0000-0x0000000007263000-memory.dmp

Filesize
652KB

Download
memory/1584-51-0x0000000006200000-0x000000000624C000-memory.dmp

Filesize
304KB

Download
memory/1584-50-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/1584-91-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-15-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/1584-16-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-63-0x000000006EDD0000-0x000000006EE1C000-memory.dmp

Filesize
304KB

Download
memory/1584-17-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/1584-22-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/1584-21-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/1584-78-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/1584-43-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-18-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1596-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1596-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1812-48-0x00000000011C0000-0x00000000012C6000-memory.dmp

Filesize
1.0MB

Download