Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 19-05-2022 12:38

Static task: static1
Behavioral task: behavioral1
  Sample: CMR AND PACKINGLIST.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: CMR AND PACKINGLIST.exe
  Resource: win10v2004-20220414-en

General
Target: CMR AND PACKINGLIST.exe
Size: 1.1MB
MD5: 04fb2ce6e058a87f0a13bbb214a427bf
SHA1: ae2199326c3fb6e541645820cfcbc3904dabb65d
SHA256: 0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
SHA512: 09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0
Malware Config
Extracted
Family: remcos
Version: 3.3.2 Pro
Botnet: dreamchaser
C2: naninani11.ddns.net:7070
Attributes:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: windows.exe
  copy_folder: file
  delete_file: false
  hide_file: true
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-413F1M
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: notepad;solitaire;
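The configuration above is what the sandbox extracted. The following added example (not part of the report or of Remcos itself) turns it into hunt indicators while honouring the flags: a path is only an expected on-disk artifact when the matching *_flag is true, because a disabled feature leaves nothing to look for. Assumptions: the %AppData% placeholder resolves to the sandbox profile C:\Users\Admin\AppData\Roaming, and the startup_value Run entry is only written when install_flag is set (a reading of the Remcos options, not something the report states). For this sample every flag is false, so the only Remcos-side indicators are the C2 endpoint and the mutex; the persistence seen later in the process tree (the scheduled task and mWYdFKE.exe) comes from the loader, not from this configuration.

```python
"""Derive hunt indicators from an extracted Remcos configuration.

Added example, not the sandbox's or Remcos's code. Paths are only
reported when the feature that writes them is enabled. The Run-key rule
(startup_value written only when install_flag is true) is an assumption.
"""
from __future__ import annotations

import ntpath

# Constructed: the "Extracted" values from this page, as key -> string.
REPORT_CONFIG = {
    "family": "remcos", "version": "3.3.2 Pro", "botnet": "dreamchaser",
    "c2": ["naninani11.ddns.net:7070"],
    "audio_folder": "MicRecords", "audio_path": "%AppData%",
    "audio_record_time": "5", "connect_delay": "0", "connect_interval": "1",
    "copy_file": "windows.exe", "copy_folder": "file",
    "delete_file": "false", "hide_file": "true", "hide_keylog_file": "false",
    "install_flag": "false", "install_path": "%AppData%",
    "keylog_crypt": "false", "keylog_file": "logs.dat", "keylog_flag": "false",
    "keylog_folder": "remcos", "keylog_path": "%AppData%",
    "mouse_option": "false", "mutex": "Remcos-413F1M",
    "screenshot_crypt": "false", "screenshot_flag": "false",
    "screenshot_folder": "Screenshots", "screenshot_path": "%AppData%",
    "screenshot_time": "10", "startup_value": "Remcos",
    "take_screenshot_option": "false", "take_screenshot_time": "5",
    "take_screenshot_title": "notepad;solitaire;",
}


def flag(cfg: dict, key: str) -> bool:
    """Extracted flags are the strings 'true'/'false'; treat anything else as off."""
    return str(cfg.get(key, "false")).strip().lower() in ("true", "1", "yes")


def expand(path: str, user: str) -> str:
    """Resolve the %AppData% placeholder to the given profile (assumed layout)."""
    return path.replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")


def parse_c2(entries: list[str]) -> list[tuple[str, int]]:
    """Split 'host:port' strings; rpartition keeps IPv6-style hosts intact."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        out.append((host, int(port)))
    return out


def indicators(cfg: dict, user: str = "Admin") -> dict:
    """Network, mutex and flag-gated file indicators for one config."""
    ind = {"c2": parse_c2(cfg["c2"]), "mutex": cfg["mutex"],
           "files": [], "run_key_value": None, "notes": []}
    if flag(cfg, "install_flag"):
        ind["files"].append(expand(ntpath.join(
            cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]), user))
        ind["run_key_value"] = cfg["startup_value"]  # assumption, see docstring
    else:
        ind["notes"].append("install_flag=false: no self-copy or Run value "
                            "expected from Remcos itself")
    if flag(cfg, "keylog_flag"):
        ind["files"].append(expand(ntpath.join(
            cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]), user))
        if not flag(cfg, "keylog_crypt"):
            ind["notes"].append("keylog file is written unencrypted")
    if flag(cfg, "screenshot_flag") or flag(cfg, "take_screenshot_option"):
        ind["files"].append(expand(ntpath.join(
            cfg["screenshot_path"], cfg["screenshot_folder"]), user))
    return ind


if __name__ == "__main__":
    for key, value in indicators(REPORT_CONFIG).items():
        print(f"{key:>14}: {value}")
```

Run the module to print the indicators for this sample; flip install_flag and keylog_flag to "true" in REPORT_CONFIG to see the paths the same build would leave behind when those options are enabled.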
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (CMR AND PACKINGLIST.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)

Suspicious use of SetThreadContext (7 IoCs)
Processes:
- PID 4780 (CMR AND PACKINGLIST.exe) set thread context of PID 2720 (CMR AND PACKINGLIST.exe)
- PID 2720 (CMR AND PACKINGLIST.exe) set thread context of PID 1212 (svchost.exe)
- PID 2720 (CMR AND PACKINGLIST.exe) set thread context of PID 2744 (svchost.exe)
- PID 2720 (CMR AND PACKINGLIST.exe) set thread context of PID 2100 (svchost.exe)
- PID 2720 (CMR AND PACKINGLIST.exe) set thread context of PID 4040 (svchost.exe)
- PID 2720 (CMR AND PACKINGLIST.exe) set thread context of PID 4928 (svchost.exe)
- PID 2720 (CMR AND PACKINGLIST.exe) set thread context of PID 4388 (svchost.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\524b203c-8754-47fc-aa8e-dc32a170b96e.tmp (setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220519143956.pma (setup.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description: nothing else in this report records encryption or ransom activity, and the extracted configuration identifies the payload as Remcos, so read it as drive enumeration by a RAT rather than as evidence of ransomware.)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is "Updates\mWYdFKE", created from an XML definition in the user's Temp directory (see the schtasks.exe entry in the process tree).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (1 IoC)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
- PID 4780 CMR AND PACKINGLIST.exe (x2)
- PID 3992 powershell.exe (x2)
- PID 1256 powershell.exe (x2)
- PID 3732 msedge.exe (x2)
- PID 1344 msedge.exe (x2)
- PID 4468 identity_helper.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
Processes:
- PID 1344 msedge.exe (x23)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 4780 CMR AND PACKINGLIST.exe
- Token: SeDebugPrivilege, PID 1256 powershell.exe
- Token: SeDebugPrivilege, PID 3992 powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1344 msedge.exe (x2)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2720 CMR AND PACKINGLIST.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 4780 (CMR AND PACKINGLIST.exe) wrote to memory of PID 1256 (powershell.exe) (x3)
- PID 4780 (CMR AND PACKINGLIST.exe) wrote to memory of PID 3992 (powershell.exe) (x3)
- PID 4780 (CMR AND PACKINGLIST.exe) wrote to memory of PID 1260 (schtasks.exe) (x3)
- PID 4780 (CMR AND PACKINGLIST.exe) wrote to memory of PID 2720 (CMR AND PACKINGLIST.exe) (x12)
- PID 2720 (CMR AND PACKINGLIST.exe) wrote to memory of PID 1212 (svchost.exe) (x8)
- PID 1212 (svchost.exe) wrote to memory of PID 1344 (msedge.exe) (x2)
- PID 1344 (msedge.exe) wrote to memory of PID 2640 (msedge.exe) (x2)
- PID 1344 (msedge.exe) wrote to memory of PID 1004 (msedge.exe) (x31)
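The WriteProcessMemory and SetThreadContext lists above are the raw material for spotting process hollowing: a parent writes into a child it has just created and then replaces the child's thread context. The following added example (not part of the report) parses the report's own "PID <src> <action> of <tgt> <src> <src image> <tgt image>" line format, which is awkward because image names contain spaces, and pairs the two event types per source/target PID. The input is a constructed subset of the lines above with counts reduced; the same-image/different-image label is a heuristic of this example, not a sandbox verdict.

```python
"""Correlate sandbox WriteProcessMemory / SetThreadContext IoC lines.

Added example, not the sandbox's code. Pairs with a thread-context change
are the hollowing candidates; pairs with writes only are usually ordinary
parent/child start-up writes (here: powershell, schtasks, Edge children).
"""
import re
from collections import defaultdict

# Constructed: a reduced subset of this report's IoC lines, including one
# line of the column-header residue the page carries, which must be skipped.
IOC_LINES = """\
description pid process target process
PID 4780 wrote to memory of 1256 4780 CMR AND PACKINGLIST.exe powershell.exe
PID 4780 wrote to memory of 1256 4780 CMR AND PACKINGLIST.exe powershell.exe
PID 4780 wrote to memory of 1260 4780 CMR AND PACKINGLIST.exe schtasks.exe
PID 4780 wrote to memory of 2720 4780 CMR AND PACKINGLIST.exe CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720 4780 CMR AND PACKINGLIST.exe CMR AND PACKINGLIST.exe
PID 4780 wrote to memory of 2720 4780 CMR AND PACKINGLIST.exe CMR AND PACKINGLIST.exe
PID 4780 set thread context of 2720 4780 CMR AND PACKINGLIST.exe CMR AND PACKINGLIST.exe
PID 2720 wrote to memory of 1212 2720 CMR AND PACKINGLIST.exe svchost.exe
PID 2720 wrote to memory of 1212 2720 CMR AND PACKINGLIST.exe svchost.exe
PID 2720 set thread context of 1212 2720 CMR AND PACKINGLIST.exe svchost.exe
PID 2720 set thread context of 2744 2720 CMR AND PACKINGLIST.exe svchost.exe
PID 1212 wrote to memory of 1344 1212 svchost.exe msedge.exe
PID 1344 wrote to memory of 1004 1344 msedge.exe msedge.exe
PID 1344 wrote to memory of 1004 1344 msedge.exe msedge.exe
"""

# Image names may contain spaces, so anchor on the repeated source PID and
# on the ".exe" suffix of each name (non-greedy) instead of splitting on spaces.
LINE_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory|set thread context) of "
    r"(?P<tgt>\d+) (?P=src) (?P<src_img>.+?\.exe) (?P<tgt_img>.+?\.exe)$"
)


def parse(lines: str) -> list[dict]:
    """Parse IoC lines into event dicts; anything not matching is dropped."""
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({"src": int(m["src"]), "tgt": int(m["tgt"]),
                           "action": m["action"],
                           "src_img": m["src_img"], "tgt_img": m["tgt_img"]})
    return events


def correlate(events: list[dict]) -> dict:
    """Group events by (src, tgt) and count writes and context changes."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_img": "", "tgt_img": ""})
    for e in events:
        p = pairs[(e["src"], e["tgt"])]
        p["src_img"], p["tgt_img"] = e["src_img"], e["tgt_img"]
        p["writes" if e["action"] == "wrote to memory" else "ctx"] += 1
    return dict(pairs)


def injection_chains(events: list[dict]) -> list[tuple]:
    """(src, src_img, tgt, tgt_img, writes, kind) for every pair whose thread
    context was changed. The report caps its write list, so a candidate with
    zero recorded writes is still reported."""
    out = []
    for (src, tgt), p in sorted(correlate(events).items()):
        if p["ctx"]:
            kind = "same-image" if p["src_img"] == p["tgt_img"] else "different-image"
            out.append((src, p["src_img"], tgt, p["tgt_img"], p["writes"], kind))
    return out


def writes_only(events: list[dict]) -> list[tuple[int, int]]:
    """Pairs with memory writes but no context change (start-up writes)."""
    return sorted(k for k, p in correlate(events).items() if not p["ctx"])


if __name__ == "__main__":
    for chain in injection_chains(parse(IOC_LINES)):
        print(chain)
```

On the page's full lists the result is two stages: PID 4780 hollows a copy of itself (PID 2720), and that copy hollows six svchost.exe instances, of which only the first has its writes recorded before the 64-IoC list is cut off.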
Processes
The digit before ⤵ is the depth in the tree (1⤵ is the submitted sample). Where the image that ran differs from the path on the command line, the image is given on the line beneath; those System32 to SysWOW64 substitutions are WOW64 file-system redirection, which shows the caller is a 32-bit process.

1⤵ "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
     image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
  2⤵ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWYdFKE.exe"
     image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
  2⤵ "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWYdFKE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20D6.tmp"
     image: C:\Windows\SysWOW64\schtasks.exe
     - Creates scheduled task(s)
  2⤵ "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\svchost.exe
       - Suspicious use of WriteProcessMemory
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
         - Adds Run key to start application
         - Enumerates system info in registry
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
           - Suspicious behavior: EnumeratesProcesses
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 /prefetch:8
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8032 /prefetch:8
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
           - Drops file in Program Files directory
          6⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff645835460,0x7ff645835470,0x7ff645835480
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8032 /prefetch:8
           - Suspicious behavior: EnumeratesProcesses
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9016301421375977738,16270036505700138351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
    3⤵ C:\Windows\SysWOW64\svchost.exe
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
    3⤵ C:\Windows\SysWOW64\svchost.exe
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
    3⤵ C:\Windows\SysWOW64\svchost.exe
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        5⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe56134718
      4⤵ "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe561347185⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe561347185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe561347185⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe561346f8,0x7ffe56134708,0x7ffe561347185⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads