Analysis
-
max time kernel
329s -
max time network
329s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-fr -
resource tags
-
submitted
23/10/2024, 09:44
General
-
Target
https://u.pcloud.com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw%2FY29kZT01WjRVQzc1WmNMdU1Jam5pRUNIWmllcTA3WkhZbGsyTHh3ODZtQ2JnM1lTMVhnYWY4akVLQVgj&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b07
Malware Config
Extracted
remcos
RH18
blackrockxp.dyndns.org:28188
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
drrrrrrr
-
mouse_option
false
-
mutex
Rmc-N94NPU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.pcloud.com/trackmail?url=aHR0cHM6Ly90cmFuc2Zlci5wY2xvdWQuY29tL2Rvd25sb2FkLmh0bWw%2FY29kZT01WjRVQzc1WmNMdU1Jam5pRUNIWmllcTA3WkhZbGsyTHh3ODZtQ2JnM1lTMVhnYWY4akVLQVgj&token=j7yZZ7ZpkZrwc0kENluc4wtObKMPkdF8xn5b071⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcbb846f8,0x7ffbcbb84708,0x7ffbcbb847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --service-sandbox-type=collections --mojo-platform-channel-handle=3140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4192 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18126810559903443870,3430118521719269209,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Documents\Nouveau dossier\FACTURE+AVIS DE VIREMENT (1)\FACTURE+AVIS DE VIREMENT\DEVIS + FACTURE.exe"C:\Users\Admin\Documents\Nouveau dossier\FACTURE+AVIS DE VIREMENT (1)\FACTURE+AVIS DE VIREMENT\DEVIS + FACTURE.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Runas=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\halfword\Alteregoism.Gho';$Sigmaets=$Runas.SubString(54049,3);.$Sigmaets($Runas)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fjerntrafikkerne" /t REG_EXPAND_SZ /d "%Tinsoldaters% -windowstyle 1 $Palmella=(gp -Path 'HKCU:\Software\unbillable\').Bagleaves;%Tinsoldaters% ($Palmella)"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fjerntrafikkerne" /t REG_EXPAND_SZ /d "%Tinsoldaters% -windowstyle 1 $Palmella=(gp -Path 'HKCU:\Software\unbillable\').Bagleaves;%Tinsoldaters% ($Palmella)"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zniuiecsubrkllpkjypdwzesswbqngq"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhvnjpnlqjjpnrloajcwzerjtdlzorhbth"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ljaxkh"4⤵
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ljaxkh"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Nouveau dossier\FACTURE+AVIS DE VIREMENT (1)\FACTURE+AVIS DE VIREMENT\ORDRE_DE_VIREMENT_SIGNE.exe"C:\Users\Admin\Documents\Nouveau dossier\FACTURE+AVIS DE VIREMENT (1)\FACTURE+AVIS DE VIREMENT\ORDRE_DE_VIREMENT_SIGNE.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Medics=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\halfword\Slambassins.Nai';$Godmodig=$Medics.SubString(10346,3);.$Godmodig($Medics)"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Jumpersettings" /t REG_EXPAND_SZ /d "%Feriere% -windowstyle 1 $Roadbeds=(gp -Path 'HKCU:\Software\Samfundsbevidste\').Auktionsrunde;%Feriere% ($Roadbeds)"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Jumpersettings" /t REG_EXPAND_SZ /d "%Feriere% -windowstyle 1 $Roadbeds=(gp -Path 'HKCU:\Software\Samfundsbevidste\').Auktionsrunde;%Feriere% ($Roadbeds)"4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbcbb846f8,0x7ffbcbb84708,0x7ffbcbb847182⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
6KB
MD58db104dca07622e1b884043ee4d17157
SHA1da5239cf124177259db39ff00eb42aa22b5bb25f
SHA25694b9dd341fd318d0ea73308f4331d1c5ad008e5a90f338be4a236881b55c92ce
SHA5122f4cdc65c05888d66fd2915c8ba5e443decfebdd70eed66c53245a1a0dde6906e6acc6eb4312e37cddca74319ce3b9160d448ff9e8303441f757257b269a6360
-
Filesize
215KB
MD50e3d96124ecfd1e2818dfd4d5f21352a
SHA1098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7
SHA256eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc
SHA512c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c
-
Filesize
672B
MD500935eb3fa7e5627485a74b2cc02d728
SHA189a6f56de654332a04ec13f6ea83f0f87009a79e
SHA256ac5e95f95cb4e1a22b5a9b0a8521ec1d01c393e05b60814ceaf4a2247ebbb1c6
SHA512887d666c9a6d9decf255052b2fc12d2d1f698140b111bb6779c5e5fcb4a21281cd762c11bff574150ba6fbc95648b00b97b0a0a6636c587e8d544e5a147c4b07
-
Filesize
1KB
MD510eb15ed9ea2c428150ac81acf8e06b4
SHA1dd0ff2b5d992f9951a46b115fbc4b5e8c673fa93
SHA256a9554abaa2fbd7a66c425392936423ed5924f7d608e99e699ecaee1c982cf575
SHA512239aa5825addbaf9fd01baf433fc332dc96a997e2bb890021d6231aa3dd357de7511d9d48874216b50c5dba85dce96572e509011553290c120d8a4c839c23131
-
Filesize
5KB
MD556c3af7d8854211215810c7900815388
SHA18fe5f4cb906c0d1f3eb8b4cb9feacf5c613aa80e
SHA25618d6263e1699465cf72d1a13826e24c9e8af38d6829a982f1e5964338874ffd1
SHA512db32b9d086965d91258ba12ab0cf7050c1c18dca2b6beea451d109d33af06fca959860b2be804ab9cddb13ac1749ff9963a1c1c27f5c7f92b0d44cb4a1073e43
-
Filesize
6KB
MD5f58c528cde2e1c41e281c2724913ea29
SHA1508f40d61ccdf0851adf53288042e2af45eebb8b
SHA2565e5d887dd53133cfe96e62f53a2ebc5b56c9febddf0c61a871013a5aba4a7867
SHA51237c2fb984eb67a188002bb9d899b3dc396a85859cbb1f7a8e8f006884d0375cd33e2b4766d438aa5b12c14f980412291d988d4b412b521cad9fabe6a3fd933f7
-
Filesize
6KB
MD5ad067f41a0e77b8b67e5abe3b13b70b9
SHA1be998575a60f2aa86b7a23007cef4a5989e1b801
SHA25658358290293b30c2d58175abf8afb4461e9d8c868e23e002b697f800f2eae004
SHA512dd51f7c2ed4d47d0de1c2475a91898fdfb8931e2a55f2947c0a06c3d173647787231ec33993aa86e9a6fe369a8ed321163cb4e96504eb1974d2362e1b9aa4d81
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD57cfed52bec1f3ca121e508be0ba8085b
SHA1f56957b506c645d8373a124a0e51a09af2c7f19b
SHA256c222eb6fde97394a9a4fa39b79cbda7869de712df104e528fc77c8b41c68d07d
SHA512e443317e78a287cdd843b3aef400600e7e294e51c0ac03c4337e9720eea6b4801cace1553cac27013c4a632951c2d27b866097226760d289204b3bbee739e974
-
Filesize
11KB
MD5836a0238aa1507914215a0dcb4ae19b6
SHA1d50f0c159b45540a7132037c87630eff7361f415
SHA25606d5dda1343b18471d20a01128fc0810c2d2be10c1d8f6ebd31fd18c3a5b021b
SHA51211101b11774192ea04ecbad6cca932f0c942b73938bdea1840167b365d5429445ec087e20934e205413c44657cb9d3be58fd88bba4fe5460a5831e554726beaf
-
Filesize
12KB
MD55e1a4680864183dfcbc66862a42ecc79
SHA19c916476b68aeda334aa24f0e089d8f62961376f
SHA256587b64926994c0e5cffa6368a27f02441db7f6108effad00c0784c871c206015
SHA512035e0feef59cfc9f718f1bbadeda76b3b8e820a552ba67a34453c366fe730800e6c3f1817160d3de1ba04a9d644f27f781896b0696105cf50c6d0d5181d314fc
-
Filesize
12KB
MD55edad501983c2e76b3219e22bb2d9237
SHA1912f8064e4d8a642a614cd0a67e23d30f05da4f9
SHA25653105f62a4385e2c4e2fd8c1bff3370df6c3d122cb074149e09b463738a39c00
SHA512b314df6e97a32243232ecbbe2dd712c33c4cfeb184c290a07dbdc8bc92cecbfc72dde6529500d3483d3ef0e05c7b72bbb2fa709c8c45731c4f0c25ead3d780f6
-
Filesize
53KB
MD501404e51f6442f60e478c306b1e6e52e
SHA137f234ccf5611b8309023410ceb9e76ad81f5678
SHA256d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b
SHA51294a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7
-
Filesize
185B
MD57bf0c95e6e935cee74bc31a306c92e94
SHA1d38f67a3f0454e2a2ca1188dd2dc5045ec683fc8
SHA2562212cf5934920dd09682e98ca2ec4e34f7f1dafd04518434ea2c837c60311326
SHA512c55a92f8744b227aeef5b7e085dd08b4a042b86f9cb12d11bb4ac62fc041203015ad8b437132a841bbf57852f4d0f02002e08df83b065064cfae5fa28bcb7aec
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
52KB
MD5f286beea66c73f7209fc4c899e8be5cf
SHA1de22194dfc81db559ac76aa36cba51adf3e2720e
SHA25698fd9c7dc33ef16c00508e063c91dde457a60e48b1b15cc27cde6afa8d4da6b1
SHA512260ef75b1938337645241e4ea6010b609fde6ac64af01f11c6f488a22607966836ea7299b03efe207d10754dd8a7fe9ed31de10888c5a793f87ac2ea3daf20a5
-
Filesize
407KB
MD590dfe4e9e399586dc5d7f60d32e655f0
SHA11c38c4ff12d2abe0c53670de7d57506b1c39855d
SHA25681057b4eaf4899fc83bd6365d66203e01d3735623a8084cf6567af4af151ad12
SHA5125915c15ef19dfaa261730d9fb2d2c172f19b4dbe3d71ca38f86353eb1d519cbfbe52138517b0a0c8ded98664fc7f82a026188c5c581412fcb6879527cda8b3f2
-
Filesize
389KB
MD5b35420b8ea7e46a9d376b799832dec64
SHA141d1cf0c10e9945bf4c032f1972d59b27656cea9
SHA2565f2a93da6e915553db0bda53fce6bf31bced5d66e5537a21e88241e882f43dc2
SHA512aaf4be20157c9a88068c595bb7b8de6ffd1a286650452a4235870d1a84afdd722563f3e0a744e593c512b94b3476d49e378d75f5bcf0b1fc9176f8acf56d5c51
-
Filesize
56KB
MD5d1a48e3d1b8eb19055c3e56ef466b0c7
SHA178ecca1dd51d4789add7d9c9f79cb617e11e3d29
SHA25672bafaf8f647796c262ee2ae68b0980e857f31eb2dc430fda8b19b1117b7dfe9
SHA5127ba848b34be9a5404c62c678dfa89d2fc18641ece880655eac88c21213c48705f5a816cad48c82bca9020ae884b3b51fd85e06f7424ea9164b372b93d5224b62
-
Filesize
4KB
MD589bd62cf965a736a595ab5c9d4b82b95
SHA16e387daeec0e3bcceaa733909899101376f357b3
SHA25641a1f01e0741a2edc57937c39ea5e66497778dbf1a90be77f0eefdca8ba1ba56
SHA5125395b3254e92a586ee4669b7d2bfcffe855eb0d78fc7b738fd558810a3b8721429a0cfd08bf319f47aae16b26d2edf9ce348622bf843740947f7416f0904cafe
-
Filesize
1.2MB
MD5f0c4e498d485b22fc0795ed8f52a4e79
SHA17d2f3ac5deebaa8e4e5f6a849eb820fe40a02b47
SHA256f16f2eeaa09644479ed60ab957b920a283e669702d1a68c18a999770a5df2271
SHA512937e8cf17c542df7339e1d355280bda454598fc602f591f79f9b2e67e2da05000723b525b15145ade79876f8be0aae157710852905457bc6fb726a9ef7f8f295
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
57.9MB
-
Filesize
128KB
-
Filesize
264KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
552KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
74.6MB
-
Filesize
18.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB