Analysis
max time kernel: 961s
max time network: 966s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 08/11/2024, 14:04
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted family: xworm
Install_directory: %AppData%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/H3wFXmEi
Signatures
- Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
  behavioral1/files/0x0027000000045198-196.dat  family_xworm
  behavioral1/memory/5436-246-0x0000000000E90000-0x0000000000EAA000-memory.dmp  family_xworm
- Xworm family
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  pid / Process:
  5436  Astral Bootstrapper.exe
  5788  Astral Bootstrapper.exe
  6056  Astral Bootstrapper.exe
  5416  Astral Bootstrapper.exe
  5500  Astral Bootstrapper.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  57  ip-api.com
  76  ip-api.com
- Drops file in Program Files directory (2 IoCs)
  description / ioc / Process:
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cef6d89a-750a-43d1-a724-e8c398d99f89.tmp  setup.exe
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241108140419.pma  setup.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
- NTFS ADS (1 IoC)
  description / ioc / Process:
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 393526.crdownload:SmartScreen  msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid / Process:
  4524  msedge.exe
  4524  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  972   identity_helper.exe
  972   identity_helper.exe
  5292  msedge.exe
  5292  msedge.exe
  5648  msedge.exe
  5648  msedge.exe
  5648  msedge.exe
  5648  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid / Process:
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
  4712  msedge.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  5436  Astral Bootstrapper.exe
  Token: SeDebugPrivilege  5788  Astral Bootstrapper.exe
  Token: SeDebugPrivilege  6056  Astral Bootstrapper.exe
  Token: SeDebugPrivilege  5416  Astral Bootstrapper.exe
  Token: SeDebugPrivilege  5500  Astral Bootstrapper.exe
- Suspicious use of FindShellTrayWindow (35 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented entries are children of the process above them)

[PID 4712] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/wMfLzN
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [PID 1312] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe779546f8,0x7ffe77954708,0x7ffe77954718

  [PID 2272] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

  [PID 4524] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  [PID 1160] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

  [PID 1516] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

  [PID 3056] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

  [PID 2452] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

  [PID 1616] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8

  [PID 2180] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    - Drops file in Program Files directory

    [PID 768] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff62c725460,0x7ff62c725470,0x7ff62c725480

  [PID 972] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  [PID 2764] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1

  [PID 2900] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1

  [PID 4140] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1

  [PID 3644] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1

  [PID 1320] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

  [PID 400] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6264 /prefetch:8

  [PID 404] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1

  [PID 1872] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6640 /prefetch:8

  [PID 5292] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  [PID 5436] C:\Users\Admin\Downloads\Astral Bootstrapper.exe
    Command line: "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [PID 5788] C:\Users\Admin\Downloads\Astral Bootstrapper.exe
    Command line: "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [PID 6056] C:\Users\Admin\Downloads\Astral Bootstrapper.exe
    Command line: "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [PID 5416] C:\Users\Admin\Downloads\Astral Bootstrapper.exe
    Command line: "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [PID 5500] C:\Users\Admin\Downloads\Astral Bootstrapper.exe
    Command line: "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [PID 5648] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

[PID 2956] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 5028] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads