Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/12/2024, 09:28
Static task
static1
Behavioral task
behavioral1
Sample
1evAkYZpwDV0N4v.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1evAkYZpwDV0N4v.exe
Resource
win10v2004-20241007-en
General
-
Target
1evAkYZpwDV0N4v.exe
-
Size
1.0MB
-
MD5
01366b2e0ca4523828110da357d12653
-
SHA1
80a4c110832923d56d4b86a10adf357e1839c7b8
-
SHA256
f977974b2df2bece2382b3c31b24382b629d18144c1fd56901900b1d1aba6024
-
SHA512
b4e21bb81c0134eec03a37ad171a73c6a501891717656a590ac94e2defe255f4fcc13a65b2e69d6652d6ba8f2264f883472be56c548c2e8cc15c132de88a567d
-
SSDEEP
24576:X1azvpEnO/9uGgmyB7KMXEHB036bTTOz9Rs:X1kpEg9uBOsEHbsS
Malware Config
Extracted
remcos
RemoteHost
192.3.64.152:2559
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ZFXG9Y
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1584 powershell.exe 1044 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 1evAkYZpwDV0N4v.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 628 set thread context of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 1596 set thread context of 1812 1596 1evAkYZpwDV0N4v.exe 104 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1evAkYZpwDV0N4v.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1evAkYZpwDV0N4v.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2432 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 1584 powershell.exe 1044 powershell.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 628 1evAkYZpwDV0N4v.exe 1584 powershell.exe 1596 1evAkYZpwDV0N4v.exe 1596 1evAkYZpwDV0N4v.exe 1044 powershell.exe 4656 msedge.exe 4656 msedge.exe 884 msedge.exe 884 msedge.exe 2568 identity_helper.exe 2568 identity_helper.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1596 1evAkYZpwDV0N4v.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 628 1evAkYZpwDV0N4v.exe Token: SeDebugPrivilege 1584 powershell.exe Token: SeDebugPrivilege 1044 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe 884 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 628 wrote to memory of 1584 628 1evAkYZpwDV0N4v.exe 96 PID 628 wrote to memory of 1584 628 1evAkYZpwDV0N4v.exe 96 PID 628 wrote to memory of 1584 628 1evAkYZpwDV0N4v.exe 96 PID 628 wrote to memory of 1044 628 1evAkYZpwDV0N4v.exe 98 PID 628 wrote to memory of 1044 628 1evAkYZpwDV0N4v.exe 98 PID 628 wrote to memory of 1044 628 1evAkYZpwDV0N4v.exe 98 PID 628 wrote to memory of 2432 628 1evAkYZpwDV0N4v.exe 100 PID 628 wrote to memory of 2432 628 1evAkYZpwDV0N4v.exe 100 PID 628 wrote to memory of 2432 628 1evAkYZpwDV0N4v.exe 100 PID 628 wrote to memory of 3208 628 1evAkYZpwDV0N4v.exe 102 PID 628 wrote to memory of 3208 628 1evAkYZpwDV0N4v.exe 102 PID 628 wrote to memory of 3208 628 1evAkYZpwDV0N4v.exe 102 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 628 wrote to memory of 1596 628 1evAkYZpwDV0N4v.exe 103 PID 1596 wrote to memory of 1812 1596 1evAkYZpwDV0N4v.exe 104 PID 1596 wrote to memory of 1812 1596 1evAkYZpwDV0N4v.exe 104 PID 1596 wrote to memory of 1812 1596 1evAkYZpwDV0N4v.exe 104 PID 1596 wrote to memory of 1812 1596 1evAkYZpwDV0N4v.exe 104 PID 1812 wrote to memory of 884 1812 iexplore.exe 107 PID 1812 wrote to memory of 884 1812 iexplore.exe 107 PID 884 wrote to memory of 4308 884 msedge.exe 108 PID 884 wrote to memory of 4308 884 msedge.exe 108 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109 PID 884 wrote to memory of 1356 884 msedge.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gorfVgTf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gorfVgTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2432
-
-
C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"2⤵PID:3208
-
-
C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"C:\Users\Admin\AppData\Local\Temp\1evAkYZpwDV0N4v.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef09446f8,0x7ffef0944708,0x7ffef09447185⤵PID:4308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:25⤵PID:1356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:15⤵PID:1464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:15⤵PID:4628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:85⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:15⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:85⤵PID:744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:2568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:15⤵PID:1648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:15⤵PID:4992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵PID:4648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:15⤵PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:15⤵PID:4224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11683162801750538162,6667491901541459862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:15⤵PID:2628
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵PID:3804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef09446f8,0x7ffef0944708,0x7ffef09447185⤵PID:2520
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4976
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD554c2c8dd0315b63cceb3509a7c7de36b
SHA19af182c0c26b2aa42a930380f139b8e89082e397
SHA2562b51329e33c25d52018ccaa2de91a1c8ee801cf92ef9900b6a088eae2f8944df
SHA51289053d75c980344e69057ff673a7d24ef99f8d123cffdcfc0c85150c6d375d50e8f8d5e4388892f4e99193a59b920877013b9c2cb22367b7fd91119f157ab682
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
6KB
MD5f5b5450db7353e3a4222d54e01a6ec2e
SHA106f9a1d2510db7b05713ad9ebf29450fd8c67b18
SHA2561946bc0aa3e5de2a056c1fb904693b40e8ec33f657fac121a605633bd7d317ca
SHA5125365eb8a9945bacb8062cbb09c8842ee1af9bf7ef4c2bb9c2ad6d2577827c7a552aa8c8cb28086175f1c58f3a443ebac27c4e4d0070e42276f1c163a9bf5a54b
-
Filesize
6KB
MD57db35e89026ec0c74ef2b0666feb04cc
SHA12796206fa7a3be0f229ebfbb9a53b3882ac64654
SHA25659e6cf8cdea11b2d43fddd422b5810d0b1cf4481ec4585b950d4ed7944fcf642
SHA5123471a9bbccb3f1e1a936540f1a38f94a54b4f2b3345617d8f83863df2302ef2adffeea8f52b7b087489cc3a45f5c66554421459a095040bf800388ba10c0e9ea
-
Filesize
5KB
MD548bc645f03858b38b2e4f9ec7b6f5563
SHA15d5cc8cef45ad889b24c26fdfb78e559cf21ceb1
SHA2561fc647719fc58e9fc5e0324a34ade69c7533ff066f518c1b6315308458439ef6
SHA5128583fb02d451da1e5fc6847a18a3c27dd206f9859bd943d49d4fa6991bf352c96adff22e947e842e687041aed427eec3fc3c8e6e72219392f1661189e6deb9ff
-
Filesize
371B
MD59955557a66d5df4237181509829dcbda
SHA169aa10fd581f7bd86485e7208e0d565da939a6e0
SHA25689c5f1ebff7dc5e78a30b703ee7528ad42f1844b5279ced63a681adead4f1c33
SHA512caeba1f675e5ab388eea8e8fd58f4cfc28bcad9fcdc58f06a17916b3473377730e112d3246df1a9bb3c5a13cb2001690044afdba3c972cfda8eaad4ef1aee9e4
-
Filesize
371B
MD51b46cc2c1da9ebba1ef4f232f160f488
SHA15bbc3883dae76f352a58fe975d50c8dab3838a93
SHA256ee6d8198e73eaa100aa475fdc7f6feaec0ad13bc9710b668e5ee1760409f9bfe
SHA512acd1f0d074b47f46bbbaefb0c82bbfe91d2f7d18b9e3f927f931eec3b3d1fd93eaaafad355ae340ee36a939a1955a4f7440b3f0786392ec82ca5745b1943a4d0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD51b01eaf6c428e004b10588f783c8ecfe
SHA1299c2fb042c9fd419c095ea9fe872545b988c976
SHA256ef32ab8671cc12396254f700129c14e86444763a4d7f770664fa9b37f9e6166d
SHA5124d1e68434c70321661f0be6afe1db8ec26df2b9ed29d1f67099b7e920b204a79d1321a24913bf32643c9a6187d427832bfc1b1c00aac6cfa61ffdabc5036be44
-
Filesize
18KB
MD5d40844ab7fb09ded72f5d53ca36c3355
SHA1d0792595ffc358feba1f5fa2031042e7c61fe98b
SHA2566ef7c9b62cfbba9358f128f9a99f73619d833b0b35a5b6d553bfc9d8c91270bd
SHA51289e009f722ca304d02e57258befee439918ef1b198ba178001976f7c7d63b4b242daae8f19cd6b8247fa1010a041bcdbff4c635dc68a6bdca1dc959a28ed2f83
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5aa8556245078dd2c702ebfb2216173b5
SHA1a53cf8b1a01b11ca2e76699e8babef1781670f4d
SHA25682ecb7e0701625f72f5ec379ef1efabfb3704600f927ed0337943f35116854cf
SHA5121715f43dbe62bf7aece60a737c6a47947299f2627e51a0055628c01f11319c69f72e7dcff713d227c9b97ba24cefda1d2e3ec90ae6eda8d05e8108dc6e3e3b17