hawkeye | 859e71388525cd23d7d84bd11d6dc2b40387e440cc15ec3aa653f19a34c5fe30

Analysis

max time kernel
927s
max time network
860s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
23-07-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

remcos_a.exe
Size

197KB
MD5

65457174406297076acf63ff9ea6b836
SHA1

6998b6941c84f09162acef6995aa9240fa304ed7
SHA256

859e71388525cd23d7d84bd11d6dc2b40387e440cc15ec3aa653f19a34c5fe30
SHA512

e863bd6c41ba69e9d0ad31d28e66d78004d22513a1b5d3df4872983bb134b54d2beed76017ea889036112a570a1f4c963cdb98482381922a4a8f9c48e1f97150
SSDEEP

3072:cgoqAnruXO+Fsw6yRZgl/HyN7BmBFbhI6kJe6qiaJCEmxiZIvIII:hovgFR6UZgRQ78D8th5iZ

Score

10^/10

hawkeye remcos remotehost discovery keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Version

5.1.0 Light

Botnet

RemoteHost

components-resort.gl.at.ply.gg:9316

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XQF90O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

remcos_a.exe

description	ioc	Process
File opened (read-only)	\??\D:	remcos_a.exe

Drops file in System32 directory 9 IoCs

Processes:

dxdiag.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF	dxdiag.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

curl.exeremcos_a.exedxdiag.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxdiag.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 36 IoCs

Processes:

dxdiag.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2087971895-212656400-463594913-1000\{0A18665F-A826-481B-BF52-D86A4C45619A}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2087971895-212656400-463594913-1000\{5AAF26E2-8E3B-441F-9D4B-88A74FF708D1}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exedxdiag.exemsedge.exeremcos_a.exe

pid	Process
3456	msedge.exe
3456	msedge.exe
648	msedge.exe
648	msedge.exe
3156	msedge.exe
3156	msedge.exe
3984	identity_helper.exe
3984	identity_helper.exe
2044	dxdiag.exe
2044	dxdiag.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
2604	remcos_a.exe
2604	remcos_a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos_a.exe

pid	Process
2604	remcos_a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	484	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

remcos_a.exemsedge.exe

pid	Process
2604	remcos_a.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
2604	remcos_a.exe
2604	remcos_a.exe
2604	remcos_a.exe
2604	remcos_a.exe
2604	remcos_a.exe
2604	remcos_a.exe
2604	remcos_a.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

remcos_a.exemsedge.exe

pid	Process
2604	remcos_a.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dxdiag.exe

pid	Process
2044	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3456 wrote to memory of 3592	3456	msedge.exe	82
PID 3456 wrote to memory of 3592	3456	msedge.exe	82
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 2492	3456	msedge.exe	83
PID 3456 wrote to memory of 648	3456	msedge.exe	84
PID 3456 wrote to memory of 648	3456	msedge.exe	84
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85
PID 3456 wrote to memory of 4864	3456	msedge.exe	85

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2604
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:832
- - C:\Windows\SysWOW64\curl.exe
    curl ascii.live/rick
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc48f93cb8,0x7ffc48f93cc8,0x7ffc48f93cd8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5572 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bb87c05bdde5672940b661f7cf6c188e

SHA1
476f902e4743e846c500423fb7e195151f22f3b5

SHA256
7b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063

SHA512
c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5478498cbfa587d1d55a9ca5598bf6b9

SHA1
82fedfb941371c42f041f891ea8eb9fe4cf7dcc8

SHA256
a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606

SHA512
7641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd6d8aa7b9c21bd62378b5c54183c4d4

SHA1
5b0d0984794445159677b3c373b3ac91499743e8

SHA256
3dd3ca963826f402690bb94f032b937e446ca0dbbd3d7f11bb5ca14dc296db07

SHA512
6ddc2a7fe8fc8167b3bba7cf52d01e88a32c5897d43be421c9f8df06ac06e5aae56f488d346f7d7e9aa3d4b9cd7bb0bf8490c2aa8a6d790f465e00ec0aaab971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eea0be5c4731ec9f5a7aa5526b7ad40b

SHA1
3203c6015eef7041934a74635d11643581fc7cc4

SHA256
cab513580475ed05a919019aca328e30eed04707bb736342424caf09ac0aa7f1

SHA512
7af7293d0cda518aaddbbf8ee15646b938681ca95b94a69694b4f564fdf6ac9f752de3f95cb6eae392dafaebd99119aecfedcb1d21ad17d04df8cec2ea1a270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca69fb8f18f3bfb251de91a2407f4041

SHA1
b80b2ae74bf24ea957f56d91b366e9b8b1021571

SHA256
71058369caf6f488d420bbeb73a9961b42cf3ace0213cced9cbad51014844ac8

SHA512
ee1ef4995e03f33bc70ecb08c8c2b3e2e047753b614f85be38ac605b1e6aae9b1e90dd9a54d7eb8d1dd23fafcc400bca3c6f092257ab69918c511745bbfdc3f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
225a6ad9b633dfe61d1455e5f90e2ae2

SHA1
97b4dc24a258d8ad94077a70496cfc9bd701f911

SHA256
f5f7da68692515194be7582ad475fcbb3e7a980a5765cd0e688b5dc249b2a96e

SHA512
6ad5b7af988a2ed3adbeeeef826e1c9ad90114b92e0587f45ce118ddc1dfb8b85f701318333837ecad785a4af977fb9400860393c971b9d657853b6e64a6f9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
84KB

MD5
4fd28ecba4c99e3007467229d5b30f35

SHA1
4086105990fc1a7ba02975a6cd8b4642d70a3e21

SHA256
4936e0a224c79c997ad1e16e27b3af02d600785f6155a60f9cc9142008f172a4

SHA512
25c5eb4cb0daf68874cda4d9045d5ac7cd9c37a7d0d8b16c5a8d8f553db5bb5ba93d42cc6e99a0f17f2275337309fc0895612b4e568cd805c15aea7594a79958

Download Submit
\??\pipe\LOCAL\crashpad_3456_LRAHAPBLJYZHZFUH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2044-147-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-140-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-146-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-148-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-149-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-150-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-151-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-152-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-142-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2044-141-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2604-108-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2604-3-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-110-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-40-0x0000000000475000-0x0000000000476000-memory.dmp

Filesize
4KB

Download
memory/2604-109-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2604-96-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-95-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-94-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-106-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2604-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-34-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-35-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-1-0x0000000000475000-0x0000000000476000-memory.dmp

Filesize
4KB

Download
memory/2604-194-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-197-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-198-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-201-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-211-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-212-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-213-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-214-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-216-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download