remcos | 553574d4bbf87048d5ecedc4290ff5a056c8472e786bf377d8fb14ba02b20bf2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1evAkYZpwDV0N4v.exe
Size

1.0MB
MD5

01366b2e0ca4523828110da357d12653
SHA1

80a4c110832923d56d4b86a10adf357e1839c7b8
SHA256

f977974b2df2bece2382b3c31b24382b629d18144c1fd56901900b1d1aba6024
SHA512

b4e21bb81c0134eec03a37ad171a73c6a501891717656a590ac94e2defe255f4fcc13a65b2e69d6652d6ba8f2264f883472be56c548c2e8cc15c132de88a567d
SSDEEP

24576:X1azvpEnO/9uGgmyB7KMXEHB036bTTOz9Rs:X1kpEg9uBOsEHbsS

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
4272	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	1evAkYZpwDV0N4v.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 2092 set thread context of 4232	2092	1evAkYZpwDV0N4v.exe	98

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1evAkYZpwDV0N4v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1evAkYZpwDV0N4v.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4764	1evAkYZpwDV0N4v.exe
4272	powershell.exe
2956	powershell.exe
4764	1evAkYZpwDV0N4v.exe
2092	1evAkYZpwDV0N4v.exe
2092	1evAkYZpwDV0N4v.exe
4272	powershell.exe
2956	powershell.exe
1160	msedge.exe
1160	msedge.exe
1992	msedge.exe
1992	msedge.exe
4788	identity_helper.exe
4788	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2092	1evAkYZpwDV0N4v.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	1evAkYZpwDV0N4v.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2956	4764	1evAkYZpwDV0N4v.exe	91
PID 4764 wrote to memory of 2956	4764	1evAkYZpwDV0N4v.exe	91
PID 4764 wrote to memory of 2956	4764	1evAkYZpwDV0N4v.exe	91
PID 4764 wrote to memory of 4272	4764	1evAkYZpwDV0N4v.exe	93
PID 4764 wrote to memory of 4272	4764	1evAkYZpwDV0N4v.exe	93
PID 4764 wrote to memory of 4272	4764	1evAkYZpwDV0N4v.exe	93
PID 4764 wrote to memory of 2364	4764	1evAkYZpwDV0N4v.exe	95
PID 4764 wrote to memory of 2364	4764	1evAkYZpwDV0N4v.exe	95
PID 4764 wrote to memory of 2364	4764	1evAkYZpwDV0N4v.exe	95
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 4764 wrote to memory of 2092	4764	1evAkYZpwDV0N4v.exe	97
PID 2092 wrote to memory of 4232	2092	1evAkYZpwDV0N4v.exe	98
PID 2092 wrote to memory of 4232	2092	1evAkYZpwDV0N4v.exe	98
PID 2092 wrote to memory of 4232	2092	1evAkYZpwDV0N4v.exe	98
PID 2092 wrote to memory of 4232	2092	1evAkYZpwDV0N4v.exe	98
PID 4232 wrote to memory of 1992	4232	iexplore.exe	100
PID 4232 wrote to memory of 1992	4232	iexplore.exe	100
PID 1992 wrote to memory of 2692	1992	msedge.exe	101
PID 1992 wrote to memory of 2692	1992	msedge.exe	101
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102
PID 1992 wrote to memory of 4668	1992	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe
"C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gorfVgTf.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gorfVgTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF92.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe
  "C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2092
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0e9b46f8,0x7ffc0e9b4708,0x7ffc0e9b4718
        5⤵
        
        PID:2692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        5⤵
        
        PID:4668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        5⤵
        
        PID:1392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        
        PID:384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        5⤵
        
        PID:3236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        5⤵
        
        PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        5⤵
        
        PID:4784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
        5⤵
        
        PID:2364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        5⤵
        
        PID:3044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
        5⤵
        
        PID:1924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
        5⤵
        
        PID:4012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        5⤵
        
        PID:2196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7281576595777412957,13870448219956985916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
        5⤵
        
        PID:440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:3992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0e9b46f8,0x7ffc0e9b4708,0x7ffc0e9b4718
        5⤵
        
        PID:3740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
2f7df32e3cc58d92863ebab23c4855f7

SHA1
de23b1551306b09a584a42386fde2dbccc646b9f

SHA256
a134c2d9899b0e7b7e2bc11cb4758d6c978833c407fab7424070e3b44105b718

SHA512
ab7446795a0261b198fd7e085901618e58932dc2594b7ba6d22239a951f166607409d86f0994c5a24419fef12b5f7a6a563d9d565c4e8fa16408af143d47add5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4328de8a85ff6b8c9362e73a60d6cc39

SHA1
9329cf9977a96b0e05112c804f4ef330966880d7

SHA256
5bcd1a02fc4c1c59409c73fbfe53611d9e5dc76b33d71157ca7808cf9c097abd

SHA512
ad3c836b3215f00c94a06787940f78c603c16e61f120a362d32a2730f0ea76e78696348135650e6849026391a0b65a47b582d9519ce0dc27c6db1446911a2e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8c174a5c4b0a4c7f008f50c814b8cb4

SHA1
5a3c7be57787e7882721f1d385a2455129975d2f

SHA256
33b481be9894942aadf213e7f97f233fbc4da2e263bb5486104f7db4029f58d3

SHA512
eb94af13ffe65c9d3ad9f7d998108eb7d9ebaec255b5ad50b89e43da836cc9d1479608995fc9361b07bc001f51953109c1c1f558ad29f66404201cb9da6de385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
145e438b43357510fa4f89c2eea4c23d

SHA1
36f3a089e798888bf2c28eb4fc373edfeba38f10

SHA256
c0254d873e81511fdf5669d901e0b848c4dbd5c7f030be0d336f1b1b8110d5b0

SHA512
c319519fc0286fdfbe127097f6bbd332432356d0b4ee61692b14b86ac4effb25176226114e0e690af725d2c97260fab234876cc93009eb6320b219d5196714b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
d88ed858f044ad6872807d4ee7379dcc

SHA1
ac67eb050259ed0fded69c6a00bd974d35c51eef

SHA256
284b3b0c6eac31022a822c00aee46224b92bff3750b9cb01559de98e178967f1

SHA512
d905762f13cff27ee250ed5ff3bdbcd10e3845db07dc068c760e297a35fefbf8fc37068c423d743eeb21c875e9a89fb4c52897fda3f88b5a94a1e28e6b09e0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584fa2.TMP

Filesize
371B

MD5
b2d5481c8d08d3bac538e2b670dcbf0b

SHA1
e4d65498c5408699c3c89a19463692db6893ffc3

SHA256
4b2f8a81bc4f8a46797368c1d0af3de028db8399397bb5aab471b668951e2467

SHA512
0cf03d3986fc51ee1c46cfa5c06991f056374d41dff4a5361a987f6c116e5d1b06324806d8244b7c66262a338e2040c76f3948ab465e504243c7c56309e8187e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef392b61d13627b384aa1a43850eaed9

SHA1
cdd7e24378de57ef8a18a1e2a41147e970ab86f2

SHA256
54ecb7d2cb11e392cb4805122f9d8ae0a0e23b2f84154a23a3a8916ef8eaae43

SHA512
9d5e067253695a8efb104e1bdd9619e5aa5cef02ca0ee8268a53b81f5ac7633ba0e5306aa38ee1b399159530d5db2489b21e96756d0c8d1c0d35e1991539cfe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cc88089d73cd0530ba21f819d2353969

SHA1
be67d78004c30b95ff8e7a388c4f99c90944c711

SHA256
0a2497a15e761dfceea7d74c46d240a6c8b13c45758ee1c11d84f5f06c92de48

SHA512
7c52d806d357bf8791d2fb7a7cec64e50cd8df854c6ae1ffdcffb94dd25d06c81b2341ecdb032493179e08474577fd5ae2c6f140ffa3ead98a37a24a74f40b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjh0p2ys.bgm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF92.tmp

Filesize
1KB

MD5
a6de86b7e43724eef192cdbc66b660f4

SHA1
bb1e2bb16990d115631790e27274bf804a5f206c

SHA256
95cc44e091bf75168452d1132fa3e59b571b6ca04300f2248b749c1871a14ed2

SHA512
1bafa48959062f1a9f7791012a231c9034c0602711c5a855cf7e1824048853b8380ea851ac94d49e29b7900cec4c132f3efbc3d44ce01dbbc3be81967aa8a93f

Download Submit
memory/2092-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2956-53-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/2956-81-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/2956-30-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/2956-15-0x0000000002A40000-0x0000000002A76000-memory.dmp

Filesize
216KB

Download
memory/2956-16-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/2956-90-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/2956-18-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/2956-75-0x0000000007540000-0x00000000075E3000-memory.dmp

Filesize
652KB

Download
memory/2956-17-0x00000000054D0000-0x0000000005AF8000-memory.dmp

Filesize
6.2MB

Download
memory/2956-82-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/2956-72-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/2956-76-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/2956-51-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/2956-54-0x00000000710F0000-0x000000007113C000-memory.dmp

Filesize
304KB

Download
memory/4232-49-0x0000000000D10000-0x0000000000E16000-memory.dmp

Filesize
1.0MB

Download
memory/4272-22-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/4272-79-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/4272-31-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4272-52-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/4272-77-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/4272-21-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4272-78-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/4272-36-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/4272-80-0x0000000006F90000-0x0000000006FA1000-memory.dmp

Filesize
68KB

Download
memory/4272-23-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/4272-24-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/4272-83-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/4272-84-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/4272-55-0x00000000710F0000-0x000000007113C000-memory.dmp

Filesize
304KB

Download
memory/4272-19-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4272-89-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4764-50-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4764-0-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/4764-10-0x0000000009130000-0x00000000091F4000-memory.dmp

Filesize
784KB

Download
memory/4764-9-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4764-8-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/4764-7-0x0000000007830000-0x0000000007848000-memory.dmp

Filesize
96KB

Download
memory/4764-6-0x0000000007870000-0x000000000790C000-memory.dmp

Filesize
624KB

Download
memory/4764-5-0x0000000004850000-0x000000000485A000-memory.dmp

Filesize
40KB

Download
memory/4764-3-0x0000000007640000-0x00000000076D2000-memory.dmp

Filesize
584KB

Download
memory/4764-4-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/4764-2-0x0000000007A50000-0x0000000007FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4764-1-0x00000000002C0000-0x00000000003C6000-memory.dmp

Filesize
1.0MB

Download