Analysis
-
max time kernel
126s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-08-2024 15:19
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10v2004-20240802-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 4800 SpySheriff.exe 3888 SpySheriff.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 56 raw.githubusercontent.com 55 raw.githubusercontent.com -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SpySheriff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SpySheriff.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 11382.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid Process 1180 msedge.exe 1180 msedge.exe 4564 msedge.exe 4564 msedge.exe 692 identity_helper.exe 692 identity_helper.exe 2840 msedge.exe 2840 msedge.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5076 taskmgr.exe Token: SeSystemProfilePrivilege 5076 taskmgr.exe Token: SeCreateGlobalPrivilege 5076 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 4564 msedge.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe 5076 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4564 wrote to memory of 2352 4564 msedge.exe 84 PID 4564 wrote to memory of 2352 4564 msedge.exe 84 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 4928 4564 msedge.exe 85 PID 4564 wrote to memory of 1180 4564 msedge.exe 86 PID 4564 wrote to memory of 1180 4564 msedge.exe 86 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87 PID 4564 wrote to memory of 1208 4564 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff227e46f8,0x7fff227e4708,0x7fff227e47182⤵PID:2352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:22⤵PID:4928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵PID:1208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:1184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵PID:1124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:82⤵PID:4172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵PID:2284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:82⤵PID:4800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:12⤵PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:12⤵PID:4280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:12⤵PID:2900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:12⤵PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840
-
-
C:\Users\Admin\Downloads\SpySheriff.exe"C:\Users\Admin\Downloads\SpySheriff.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800
-
-
C:\Users\Admin\Downloads\SpySheriff.exe"C:\Users\Admin\Downloads\SpySheriff.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1641758097759671539,4071661539803509968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:22⤵PID:4884
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3444
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4828
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5076
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD550061ea0bfb196128a27ac2cce847da0
SHA1bea6f7e68274d12f97b98fb65321049eea8aa0a5
SHA256bebb48b151903927c0fd53bbf81fb5bd772824e66c6165a0a63a316c7b041556
SHA512e5495b36bbfef2ef5606cd9756f2c4dc9deeae345b206d326cb64f889cf82d955337c41e6f62a6eaab9734428554d3a84844a5a8a94bbcbf85f02b77fa3bbe34
-
Filesize
579B
MD5ed5f4213c17629776cd75510648fc019
SHA1ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9
SHA256e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87
SHA51271bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627
-
Filesize
6KB
MD53a6f602dfc264bf0b8190e25026955f4
SHA1f36221a9bb133f5c2526e57d437b298ca593a55e
SHA256e34d4ffb04fb6c68145ed6c2c6e8a57079123dabc3aa355a85d3db5f194dc7b7
SHA5125ed6af3f61b1bc22c2265714ad3077e483f93f3e9185fa85cf8d4f6f00671c4517dc7d09cf2734fe044577a7fa7be8ef4b080f6dc6bb3d29160d2683b9ea2a51
-
Filesize
6KB
MD514bd2e9156c8146b642a286d3456bedb
SHA1ad6ef75b6a4fa4c2a303c0ab40fb68d5f3bacd25
SHA2561f5747dc442afa31f69a7a01048ae7d15392ff09aa3a793c263c72777cf7b875
SHA51202c5389fb31621a93b02e2e41b9c7b9166da7f04a3bef2cc54194220b5303f1520d4e9d571176a790e9b147f436f8a4ac48aac49836d962ed87fd74e359ac912
-
Filesize
6KB
MD526f98bc201f8cd0a18a18f92b833662b
SHA18d5554bee5bee65a12ac0b218af203a5e3a63206
SHA256ef18c965b165243d36e9805182a11acf68af802db2e022aad6e3fc7710ed9054
SHA5125aa66885b6eb8354a65f5461146be688788d058c323f4cda823ab15ab356bdf2bf7d0fb79653d542c6cc4350214353384eacfcbc18674de2045c4dd988414f9e
-
Filesize
1KB
MD5b4317cf18bb7c16dfacd0cebf29f9226
SHA1931f6a7b15582c7089d6b45bfc630611687a8979
SHA2566e6db98eb67a2407a49662cb02b55139405a5b6eaa6dbecbdd2b16bbeb71ea19
SHA512d18a08351e8c2abef9d6d8177775625f4e17f7963e5fb43f670d93c0fbea251ecad2001092588509202c3fe0db37bc425bb79ea21b9bb82671d4e9a7f8571ccb
-
Filesize
874B
MD5647671641ed11932a4e4ccfc4fbb49bb
SHA16ae96f0c58daae53437749a25cd9a734ca3a07c1
SHA256f7bf5c91a8c623ab171ac79cb3e739fd203c8d411244bfbbbb3cd30971bcfc75
SHA5126595fd0c660b057df7942437761b9ccb0bac1c964de372f55239d66025db67491680a032dfddc5810b6d1c9730ebf856fe8bfcd9b14dc3f47b95afd108458f3e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5ef0667eb2d95fd33086fe0b5fb9abf59
SHA1f61465e9cc2ce20c9e5eae0fd74bbc39db20e9e9
SHA25606fe3872f2ac841ff0e5bb9bce68f3c996e8f90829260c40d8c0123837f90e61
SHA512271ad04b1d739ad557fba21b73c63a7c761ce74e936152ff336177692663a3bed28c66c563fcdc1e3d20d871ce845806aca0a033b63f6ce07b5bb15bcaccf984
-
Filesize
11KB
MD5a7c2955c321baae8fde5cf50b90e3538
SHA141187c3cf117c0ae1c8aff1aa711a55cd5167c7c
SHA25655635acbc18c5d87339147d8fa7471e76e44f04ce8da985a5bb06499cdf46ae2
SHA51296c8e8d34f293fd3b915e6e566cdf408a07eb07a18bc6fe494de64014fe7a4a0b0e87cb84dfcb3c9aa773b16c7e7ed19b38490871adc06c7becc39954a85e038
-
Filesize
48KB
MD5ab3e43a60f47a98962d50f2da0507df7
SHA14177228a54c15ac42855e87854d4cd9a1722fe39
SHA2564f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f
SHA5129e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f