Analysis
max time kernel: 603s
max time network: 607s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 09/12/2024, 00:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://67.191.63.138/
Resource: win10ltsc2021-20241023-en
General
Target: http://67.191.63.138/
Malware Config
Signatures

Drops file in Program Files directory (2 IoCs)
description: File created | ioc: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7337f9e6-fd00-41d3-a0a2-f82f76ab773f.tmp | Process: setup.exe
description: File opened for modification | ioc: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241209002450.pma | Process: setup.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Process: msedge.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Process: msedge.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Process: msedge.exe

Modifies registry class (1 IoCs)
description: Key created | ioc: \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings | Process: msedge.exe

Opens file in notepad (likely ransom note) (2 IoCs)
pid: 2080 | Process: NOTEPAD.EXE
pid: 2700 | Process: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid 232 msedge.exe (2 entries); pid 1932 msedge.exe (2 entries); pid 2636 identity_helper.exe (2 entries); pid 3416 msedge.exe (4 entries); pid 4008 msedge.exe (2 entries); pid 2172 msedge.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
pid 1932 msedge.exe (14 entries)

Suspicious use of FindShellTrayWindow (41 IoCs)
pid 1932 msedge.exe (41 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid 1932 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries have pid 1932 (msedge.exe) as the writing process. Target PIDs, with procid_target in parentheses, each repeated across the entries: 4548 (80), 4372 (81), 232 (82), 4212 (83).

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1932)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://67.191.63.138/
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4548)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa95b046f8,0x7ffa95b04708,0x7ffa95b04718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4372)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 232)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4212)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4288)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4880)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3368)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 3308)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    Signatures:
    - Drops file in Program Files directory

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 1216)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x7ff7d59e5460,0x7ff7d59e5470,0x7ff7d59e5480

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2636)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2444)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 520)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3208)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2596)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2952)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6332 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4536)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1164)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2172)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\NOTEPAD.EXE (PID 2080)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\notes.txt
    Signatures:
    - Opens file in notepad (likely ransom note)

  C:\Windows\system32\NOTEPAD.EXE (PID 2700)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\passwords.txt
    Signatures:
    - Opens file in notepad (likely ransom note)

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 648)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3952)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3540)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 240)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2288)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3624)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12410420124506353129,6407842430397492800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (PID 632)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4208)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 9d533e1f93a61b94eea29bf4313b0a8e
SHA1: 96c1f0811d9e2fbf408e1b7186921b855fc891db
SHA256: ae95a7d192b6dfed1a8a5611850df994c63ba2038018901d59ef4dae64b74ed3
SHA512: b10de657d0cef4255e96daa1b6ad0c99c70b16c13b8e86790ea226e37e9ded1a8f8bed1e137f976d86ebc3ea9a4b5eb67ce2f5b0200025d35dc8e94c947ff3f5

Filesize: 152B
MD5: fccab8a2a3330ebd702a08d6cc6c1aee
SHA1: 2d0ea7fa697cb1723d240ebf3c0781ce56273cf7
SHA256: fa39b46c6f11977f5a2e6f4cd495db424063320fbac26a2eae7466e82ffeb712
SHA512: 5339b52bad5dff926b66044067aa3e1a6147c389a27ebd89b0f16e1267621d7ce7af9810010bee81cba7b08c77a33ede8ef4675fe049b9fb2ed510fcaef93d6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4941873e-4c4b-4332-82d4-c60e13883ade.tmp
Filesize: 24KB
MD5: ed659b1d7a51e558246bd24f62fff931
SHA1: 84685d6f04379c290e4261ff04e9e1879d54d42c
SHA256: 23fafd9073812d5ff8b523b84bc981e4cb410bebbf3675db2b29cfac0dae9690
SHA512: 1c3203328583241895db9fb165fcfd595f642e218ee3a453ab6873cbac10ddab693cd2f913bab15c8bb7b5a12c5768b3dfcb278aad754dec1fbffe66b81843cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: c88ec96a590fccb9d3913bc399733035
SHA1: 017d013063c71e5360a83ff8e8bdf7265180f988
SHA256: a40ea54d635b4e6964683f4560d24550a462fb08a8fce082a15bfc547e1504e2
SHA512: 13a5be54a00777dfd78b7fe7a3797738fea3d0816b8f2fd7a3db257c3458416ee5ae219e15b3a48fb192e362125022393e6a69964342458823f2ee39b97db55b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5: e2ce9163a495a35d810fe830f4b22b7d
SHA1: f8a731c98102bd158f1da48168da980a118e9baa
SHA256: 1a81c27391be735694f28c5151c2c90292f6b98d5df019e71a11ed2a260feefc
SHA512: cb489ec02051059decef5306201e428a93c84e42a31d76b2a66eef657645cda95ec6ded46cea54cd0334928e8a788d9e73e10bf4431e9a083d4d21d3719d5fc6

Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 818B
MD5: 11b83c3a3b4fa9acde3a30b2eba66478
SHA1: 465df19d41ddb5306e1a2879a19a2888199356a0
SHA256: d85f3d7ff90790d7ed0df29e5452d354fe91f8da7b9325550ac05edad41ccc2e
SHA512: 55cbfa0ad6dc29d702e5249ac78044100226b85b44402af22ab66cec2aa90cb5725eaba9d723225fdb47c1ea0ee3d5a4dc1409dc56ae17888785145c5aa7608f

Filesize: 5KB
MD5: e1d135550131f9e5eafd1b76992ed122
SHA1: 9ca37199c09db9bc243b0c4aa88fcf5b51aa5943
SHA256: c394531dfa1e06fde01b824e0aefab722159010402d962486f230e940b30bb6b
SHA512: 501191da2ffb7d27b9ac4b387d304d3f3b3bdefdb8f2ea87fd94f912eb8fa9fabb9775ec212f0c1193d725ac4394550cbf265569a803771e98aea13d97a7d221

Filesize: 5KB
MD5: 6e9c0548f334471ebc90ac268e3f3ab0
SHA1: e1624df862a07ab58f015ea6bae08206989b9cf7
SHA256: 370cee650504c2cb110f85fe152250851b2d5c77aa219623263e632ddcd0b637
SHA512: d1e1ee9251752af7e9b54dcf44bc9c8de918c600acedb5ab385a3d9b15fc45b9ca3d0de370daa35ecad19e65c177fbeb4e5a515a0b524196d3b883d3d7c76d0c

Filesize: 6KB
MD5: 2a15695c726aaca0fff5a87a92a41883
SHA1: fd271835387728bc10f57403093d28d5c5ef708c
SHA256: 33ce61ac7571c381e972e875688c4bc7dd0ddf2a5628562f6c237d11f6ae0332
SHA512: 19f2d23bc0219643fe89eecd57c6d074cb0d3453970db2b19d73943666f25a59384dc31c0055c9fbf47ce5e9b0cfba5a77d6976d39c402867e175d0ab38b287b

Filesize: 5KB
MD5: fc775d9f06031f9540152ca3e271081b
SHA1: aade2a034bfcac47d67da8908b7f25fdd9f49b3a
SHA256: ab2cdf3f76add37757a5342954f87472c385f7a4ca7f7aea4a062b786a485e5f
SHA512: c0f005743c802305a9cc4e2311bc763f5c8a81c516ffc9411c07caea9e2eece3667952f2c42b73adc00ddf74b7baf9a38d0349892027344233d030b152aee73a

Filesize: 5KB
MD5: d299ae2cb1a72db85fff8bf2233a28c9
SHA1: 6ea26427efa31db227ce2c71f6a4a0e2ae6155f7
SHA256: 811029218e6224c64def14b681d416db8a42755e08b503ad57105a16b0eba15a
SHA512: 28d7492e5f2ad8009b0180b5654524758bf64e5fffe52e03e28a947a80a8a65d19c1b36c69b266ed7ec0a4c724d9cb7ba8abefc2c717ee94e17a9ed249f30526

Filesize: 24KB
MD5: 7ec09c7cbd7cb0b8a777b3a9e2a1892e
SHA1: 3b07979e57b6c93be7d5a6cd8fa954dee91bd8dd
SHA256: a623633f34a241b0dbc9fd26f34446d716955f94e90b2ff9ac8b9df801bdae5e
SHA512: 5fff0a38a3b6e4b29d402eef2650011e4d9df514e0624767c84ea31cb73cbba10c7e0b5711cb487976d637f0f60a85c431cf0db54b519411245684c116c07b7b

Filesize: 1KB
MD5: f288733635513f6dcdbd2cfc812d6839
SHA1: ee366db03f377739056c521e50488b87ddc2e2aa
SHA256: 092a107ba27959134b0fabe93093df1d696597d5b094c356301ad5505efb00c9
SHA512: 318f479336fe7f6a968d373a253262e844e1994a965b40f057b53e5d3fcb22a523c0c47f18dcfda0a9d8f91fa29b942422e4f551fb600cfe6b77f2b7fca17642

Filesize: 1KB
MD5: a4862b62880d1cc0934ec28a56cbca8a
SHA1: e14075badedcca296a83852750c6e2bc6011ff3b
SHA256: 5f1d0b4bcdd71f8ae6b3cd1b64c08fbc8e8d20838429cb324c2e52261237696a
SHA512: d05ca4d250d74a05f75d5f4a474791f0c92bcc678dcd98d9c4ec489145b4c9423888a52c61ff35454398b17bfd210a0f85a2472da22c872c9ce0e37c2c608429

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 11KB
MD5: 6bfcca7675e5ffd73e388c65703ee3a3
SHA1: 55354ad69d84de176983dc345b14fc51fbc34f55
SHA256: 48240b511a869c092e82a879ae5da4e85afa053755e077ddc2cdcb8601ee215c
SHA512: ec8a4940ff97d931744318c87ff2fd9afad2e05d2ad72b9bd15099e9d29c98a38746b1374dcbe6c0a64412aa2f1d4a45a8ff823eb840110d5ddfc840823ca827

Filesize: 11KB
MD5: 2bed590250abfafb68a7c6b751cc0d8f
SHA1: 81fe151a432c46ef6c4fb117cafa85f3d0532c9d
SHA256: 98b2bafd958e983a41da58265b9bd832996866da6e384874501865fc5d2ce739
SHA512: d6439de0fc068738744de59f65d4352bc560528f3d3d6be2318dfab809b9fba48205cf7e9c8345a23745a38b4c2d93f3d351f0e3f26d7deb2a1ad2617a4f9503

Filesize: 8KB
MD5: 103e909e468a307b56532b875b854bb7
SHA1: 15c0f81e33a33b95bd16dcbc5eb5d1b95a7a0e93
SHA256: e273f69b5f56066d7b3e03913f55f3b31064b3646d48b5bb76d8306f8dfa6b8b
SHA512: a10c348b30efc1d03ffea4443520b9af972f40be5bc00503692aee59da51f669bd2d7b6f4ca3b2511bbffbffcbfe04e5f7f8868ac11e04e4ca1dffecf1a7fbbd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: 3eaf2da5445673f28668729892557dd4
SHA1: 5072f2b4abff5613dd488564981f4ba8412e6666
SHA256: 7a8e7d5f94574a7063a10392ecbef718ce9b2ffbdc12040c28227d6645bf24cf
SHA512: 05393cf0380c0c78d707d7df5954767a1add9c394f5749dda21ee17926f1a81974a6ac94e87487704552885fc978ce8de1938aeccb9a49e5b7241a0df6af3d47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: be3e8ef6983770b5d323c505de332ae4
SHA1: a8bef2889715fbd2653657f71aa7d68bbbd79c48
SHA256: dc936bce79ff122c9c0d59920a16bd5734f6804ed436c0e023802fe47d574998
SHA512: 2594f3e6ed0bb9527f3d0359c3d1edac96c903ec56278bc94c6b46c64ccf239db688a4c8d90a72b5012ca6156c6eb8208caefc16597cb54a93234d4c46e3005f

Filesize: 67B
MD5: bd1e6e84fe2a36c1520a2c1f08533b56
SHA1: 0358085f9296482331f3ab54797415bb4ed5f4ab
SHA256: 3b514590b5404a17f90ba7276198cfba7f0332f492ed431e8e99ad39231c3c1b
SHA512: dd675b63ada9fb8209408241049a406c7155adee3542e93fb8ed7bda47fccd3b559e0d27ba74e4aebd6cb0886b724d31b803321f9a38ff52223ef0f2c4c38cf5

Filesize: 178B
MD5: f0f572d18f8fab2998f9eb1cffc6d980
SHA1: 005f5876ccf90d1684eb8b7e72114c44131ee062
SHA256: f9c611d51086b4222bc9115a5eb6ebf5c73b9bffeb90f1eac9436cab62643b1d
SHA512: c797175e69b371748c7440287b30224b727d4ab0ae944256b118f34b4a4ffe2f8264578a24afa5c8da4a145ad09c07a6b96c515f0c6f82eb393de575aa713235