Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
256s -
max time network
255s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/01/2025, 16:34
General
-
Target
https://cdn.discordapp.com/attachments/1095394818596810783/1330575945802977391/BBYeSM0WhOb.zip?ex=678e7aea&is=678d296a&hm=dc834524ee4d68970aabe416478c98f98a63ea3b6b87e9136e28b26da6bf5a68&
Malware Config
Extracted
lumma
https://deedcompetlk.cyou/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Executes dropped EXE 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Drops file in Windows directory 12 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 37 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1095394818596810783/1330575945802977391/BBYeSM0WhOb.zip?ex=678e7aea&is=678d296a&hm=dc834524ee4d68970aabe416478c98f98a63ea3b6b87e9136e28b26da6bf5a68&1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe662046f8,0x7ffe66204708,0x7ffe662047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Cheese" Difficulties3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ryosa\README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=Folding.com AutoIt v3 Script (Beta) (32 bit)"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe662046f8,0x7ffe66204708,0x7ffe662047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
152B
MD5be8842caba48dcb8a02aa560da852cae
SHA12b696279fb773b0203a23179a44d1570642418dc
SHA2562130a10cf26ee5cf50fda25e19e0ad2992bc399dea33ea7ec20dda589d53cd0e
SHA51221dfdf64b51459d0767801966b05b14b072712dd490bed18ccfc386e4da2f47dd7f4317994dd5bc84ed8daf668ce826c21d05e8ce95633f98526202d06ca7ac6
-
Filesize
152B
MD59db2a0594df297bf53c2c7a01c33cad4
SHA1d2a815ec895516ea6b7cf3bff26b77383cdc901e
SHA25633730d3aa056b2f0f6cebaa88c2082cbfe65b0a4657566140a022cd8a9b62c44
SHA512e6349846db38ea7aed3338ca32dd022cbd84e6ae40ff252301020ba7b41a984907dad63d49cac44a854d4fc2c06d9b848582df953429191b211efceefa515043
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
1KB
MD5dae777cd0384d8fba2f1a767c5d5be1d
SHA19896f0bd459da9e513069cc4977e3d863a3596e1
SHA256c6e540dc864d99deff5528be2277a7a373dc4a1b0d61a950c40a8191b9571ef9
SHA51241df9902d6d4cc482e9cf8cb0fad9ac7f8db079632038b2b332648cae42c3f76b2110355aaeebbb60d849564f8a1b3538eaa7bcb441708deca16f201783aaa9e
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
6KB
MD5e2c38593d95a8dcd0e0254f69a897943
SHA1701458f8809ce45a7bd3c40fa12a465d79550ac1
SHA256db4571a7ad1f39e28ad4a50b1ef531f28deb5feff3a481305bbc31722f8dd72f
SHA5121da55bf2f615a7bde01733d4e0f58e869481df1ad9c0468674b139a3d64f4accd13bb67bc8e2a82b5f5c50e831d07f2cef5f7541c8113e24eebe13c80e11e40a
-
Filesize
5KB
MD5849d8f4a62d5bad0ece50b0814e5bf08
SHA174876da952c98f5472bbe5bed3b4cea6defe1b3b
SHA256803e25532f8dbffb9b511890698395aa066622db0684d77ce9b6bccf869d91dc
SHA512655e6768941ee4db2e0b518212afe8485d7d2c16feb5975703b0b72c81b429ee57430ca280d1be7a800d0e4a4660cec9f1779f92fbd90ec013d6dbbea71ce8a3
-
Filesize
6KB
MD5b2074cd49fdf71e3ed93e9ff213d840a
SHA105580ded0687c6af8ce63af6605b49fcc251f1f5
SHA25607bb4eaa7daae1cf28a465811aa2bc82621bf5bb925468800191bed736d139ec
SHA51294497f7b37a0006fc14ef01e4bd3bf3bbb417d59cb7cad45956d14970337208bdd112fd58d98a4d2090b220bba838cc6e722c7c3affb75b4a861072344717f7a
-
Filesize
6KB
MD5742284d25058fb6cc6942167dfa16972
SHA19eda32de206228c17e7427dab030c5b66fecaa3f
SHA256bd9897e41016c4d88f8e77884849fa1f038b6fa929fa05f8e9f008d370c469a2
SHA512299b24d66dfd22eb62070cabe383c413be46fbbed852de02e85a9c91bb9def069e9d926c5b2e13ba540e05362cd43560f82007f8a503f959de09b2a4004edd53
-
Filesize
6KB
MD5777c631c6aa155cd2e335b81eb5b3259
SHA119cd8a0f997ca4870b3b6a3f9750ceaa2ea85fe2
SHA25670d1fffe4243858ce1bad4dd2da4798612f077c78dc673b961c7ab1b87901f1e
SHA5128efeb5a44f0b42a8ec3dca325a58bc38dcea24461fae15b358c530496f0a6afb414ff9cd409ef4485578cda0a5795e765986b3cf7af23633ba103b52eaf2563e
-
Filesize
6KB
MD5d38e637c4be1456e6c65c1e866d3a434
SHA11b5e097f8e33de0514ca1e309c4c876a243488d3
SHA256a8c03e6b6bbcb0f7763d368f0c8bdb4a462c8b0185ac4b3c3e8ac4b7c71df863
SHA512816412674bbd7e65e45c0e72ad62106b33faa91c50641b06f64d82af90aa767481a4aca819e50c5ab2661e1786f31bd519bd571507f09d3f07118440af4f2865
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
10KB
MD57e2637e5503eb4e5e6421312258a2f68
SHA13cd3d2266bc0151d055f70f7fa59ed5713acf970
SHA25663d4abb083af9c7836de61d33f0b611cd90cf60580bb0ebe3339f63eb2ce9d59
SHA51211a9d2009abfdf3e04e25fe401076afd4b6cdd180e4d5dd3c5a2978f7ed3a0f2f37ebb12f30d53889aa11fe87f30ca0592f819145230fe79b18daa52dd4dfcd3
-
Filesize
10KB
MD583d686abc10390e15434ffa6f6d94b1a
SHA1a94204b35d49066545c9c24d802a9295dc720b50
SHA2560441f88d0a5addf4f418ac2ae95d016c3caa2c7acde12dded7839692508374d4
SHA5122542057f7de45a2a65700f9db9d1bb8bf00423ee55efd5f4c3bb77462d2faa4b431a8cea0db8f7ea06c8aade05481d6bf95c6ec42686b52db58b3a3134ddcd61
-
Filesize
10KB
MD56d626425251e6766581fc260081594b1
SHA1be3e7f8cf38550a11ab599d17368d269c0c25328
SHA2566f94f1caf29193b668d4fbb4fad231e92354c1fb49202571a11a2bd168ae4b91
SHA512bd84a057671b87f81752ca1f3ee32f4cabf7d99dd21406bf3b47565335226b9114d72bc2cdf905eda746bb153aee109a46bf559e42a6e2369f88783178e9b91c
-
Filesize
11KB
MD5cab1375c976debe994b8a553878e92eb
SHA186320b4bddbdc32ecad374e55799a8b0e1afb93e
SHA2567887cb2cd511e5efa9077a39b795470602af2725db8272701f649f5891091320
SHA5126d1828a81dff6fffdf6eb4a233f65759dada1706c6562794d29eea4c49d51b3efc1846142a975388b5b0a4960351bb7c6df2087363f66e222877c2dcf1d98f2b
-
Filesize
1KB
MD5bc0c466ea461f70dc2bab92020f1e643
SHA1f17c66912508e95eac59bda2e773849600471a88
SHA256f3c6eb4b4f81b5e1aa458d46225dccd651a2d44d1367a14718b6bb76beec1de1
SHA512b1d03c359b8fcf46e7f07536004f7d11ab7bdd0cb044ca7bcfe63501428c4c93e43591e8367e5676478da8d554e4bd579cb6e37dc617f97f8a54a372361073c9
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
494KB
MD5549720d78c44a4ca96f98a02d7376be0
SHA1c18a7ddd59ea61df41acfac5544aadc72bb6acba
SHA25637204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67
SHA512392674f314a993f0eb2e22354a9922b006e28b01cb2abdf416a188e48b8fbbea8df93cb793cefd6e91259b7de71c502ac1e5c33273d94e1a3671ee1147cbdab4
-
Filesize
118KB
MD5539587208032af4b529a60d530f100a4
SHA1ef39ddfa82f53bde5a674e51318aa3ce9a8789b2
SHA256bcee5e27e34159419173575bf6e22e23f0dad46cf6fa6aa84a1bb01c96516662
SHA5124c261199485e6a40ce46147c98e244f1297446115ebd6c944a29e4242b361816980ccb6096286c8f9dbec00f13ea9fdfa417648980bf06721abc866630c5e53f
-
Filesize
55KB
MD5eaab0c7db38adca2364923dc1bb8bacf
SHA1182819623bdee90678ae233b8094d05e51d48d68
SHA2565a5c226453b9c7c7f7bdb980ad2a02838456f9420d182d14c7336f8264a894f0
SHA51253d2c6559e2d1e71b62f91444608f1e61a246433499b75d6e3193cfd645ac4af3c4e4e1359da02b522d1e121de31f51d0010d96e8ef435a92328cef69aba4910
-
Filesize
15KB
MD559051edf957c7f4fec5e278f07cfdaa9
SHA1409217185334c187412941583e5814753d3f670f
SHA25671cb36f1506fa645a90a6f06619b67c4f2f0e1e0140bac2e6f8a91ed1988446f
SHA512f1897fa7dcc38c845cc3862f1eb33d493ca6c09338a6a7817fac6e99a72ecd07001a84e1935eccddf58e163fd8396c3333fad4c365cd5c8ade281dbc84735aba
-
Filesize
102KB
MD5ac3b8c0b9d965801a696519bc3bce457
SHA1c2fb54f9d7ffbbea6e5db175ca214eccc0b8ee7c
SHA256fbc3b647efe255870931d9dfa77a43c7248a7d8613712bcf0663862a4e97fb66
SHA5120aeeb7d05c46063a892b3aae756bfb92f245aae66c2fcd4c34610a348ad0c0904addabb99d97ca0c9c3cba3df7e8e96500f084b840487a9ed2582d1badf638c6
-
Filesize
63KB
MD544a805a4e5ba191661485ef167275506
SHA145c2594c944f02e5260bd97a185c2f21ab232182
SHA256e394dccd197c59fa4e2da7146174485a6681946d34faa3007bd5c1419d7125e0
SHA512a3a8f7283ca0a0ae16b21f2b81b9cd48b953112c50e64b99daba378cd0e098108512566208365db4bb7b78355439f94bbcace6f5169091fab0202cf7d55f1952
-
Filesize
106KB
MD57cbcc0fbb084bead6d5bbb8a00cbb997
SHA175bfaaa5232ab2cf9f2291ee1ce08f2acb076ebb
SHA256e0a98926b1e0968481640078ac6b833af96773a7f715851634346379f282795d
SHA5126b33f8afe19a28e5b300e8a32c3ec98a0365fc1594c693c4527d9b0275f46f6558c50e29417499650d9c1ea7091ea7af340c4111b90af06c5ab4277170170c9a
-
Filesize
23KB
MD5bb009bb1ab11657dd763b3a85e90f26f
SHA132fb786e48105f1574e8d345e66d2b16fc051d6e
SHA256e7b3f1da61a207080f7859d12764b1243ce5c84beaf1a7f026b3d0da5f9dec4c
SHA512ac73396967c496b93f8d4084537a286b4d5fe1315b0fd5992b03cc019521c1c25bafcb9826f85af59495a01ec711a2ec789c43af5befa46557f99224d0ce92bc
-
Filesize
56KB
MD519f399e75e91c4917cce10422db7b0fb
SHA1145fb431681a91d64a77b0ca99ba31b4ed7457b9
SHA256bbe32640a1be9b9dc5570043a2c72bd3d1da1e3480e61e41a1dc8daa42b07bd7
SHA51225b85fe872e3e9fc5e70d3dfd1647a6bbf2919d67126bb9007dcc61aae549d64a9b79fd3c05bc996202b03630420ecb4eb5b5613d0a1adeab0d2670e6a5aff6f
-
Filesize
119KB
MD587cfc9cbddca81f037640e23869fd727
SHA1e71c0a8106944e238edba3b2d6194cf5cb383168
SHA256f648aed5047fa8e5b99ce81cf85f05f4cfb193b8b349e6e5656e5c6dd0917cb2
SHA5122a3c9bbdbd222f9328b1379de025bff3f8d2c693fe68558cdb24a516ee7c9ac6615a9d1d62e4682532f8567138e67e6c26b6c7068d87b00415fc915172928e4f
-
Filesize
75KB
MD5e9ed56e42470ceb7a46263c49b9d8110
SHA113794b6f705be789af214a4f81585dee3710512b
SHA256d97494026b70f37cabc0ac614f54206ae2c5a5ab601b71888ae6491241dc2b20
SHA512ca1c0f00a68267274e9d31f3a2de0fb34ccfce0a57d67ffe76633fe1a156c05f1381b0c696f75898fd8b370cb8a6e56174bdfb43729ab2668e444ee6748d8040
-
Filesize
1KB
MD5d2ac6356ed5ed3a32e46acb2f47d68f5
SHA1e41205fe32c1ed0cc4a265e942dd472a76a22592
SHA2566b6a43352b0b87107609d9c91992b30069200b308e5a2a50ed5a931315f82bdc
SHA51247bafca4c789c7fad4db0534a93b8c7b659abb999393425f58d9b28ba553be1cc45b9001da1d5820e65b107034f48cd441c6855c7d7fc08117985d81054394a0
-
Filesize
81KB
MD535ee0a5fee1964bd57f2c66347d726df
SHA1d37bb5ba2456a310891f93d8e9ae1ad196dabcf6
SHA2569b8ab89609b074479bc9fe749e12792c34ab4799ea7ea5ac67cdd3758a1c1181
SHA5122006b993a36599a56131d744ea750a3de3d5eeb629d111d751d552e86cf3a4ea1c7d9b9dbb727e77b65ec8684cf0f22476840aed73df15186041b087476c0689
-
Filesize
91KB
MD5478eae0d2d8bc46181226c275688315d
SHA1674d1c954b6ba8bc77ea6e112912b2fbde64fbeb
SHA256aae6d5fc0e80a6033d55b81e05db13c66604f5fe453f78440de3912a44c553c1
SHA5129833ef8d0d29cbf1b1738eefd4c175a169c770f70f2699bde703092e5102439c779e7474866534bba6b58f49d160a49be0750b686c171415191ddb10469eb26d
-
Filesize
478KB
MD5f5406ccecddc6c9bd30ed30343c756ab
SHA1080ebf3593ee3c272e7e4f7c98fee6d326da45f8
SHA256a46bd5c1472f8b655ace3314ca667d39b10d989b6f8ed17b6c753b8b947a6938
SHA512a25eba5ea58855e65c529b858399b1574ccbed89038e90d50170562eceb11efba4f16242d54ad3b5232edc11f3f61109bbafc4398124c1bb45e43693657b1e81
-
Filesize
68KB
MD5355fafaeefdaaa291b3f48356e24216c
SHA1c675a50bffcf18f357966ec51e0adaf05a25b86b
SHA256d3210c22706049ab7ca2304fd17507bfa4a842af579a00b60644e09178f9fddb
SHA512f2fb4e46b4d6b24cba584e51c6a43e8ed1174a5048a69bd61a6e24e2772f389e55c2f6384d1ffe7c6f44eab8a6fe059608e39a0a60ad30f06eb63589c723ab4d
-
Filesize
86KB
MD5fc6c4e0bdb11443834c6af5b2ff6e6bb
SHA13c4bf0970e36371844c9a27a041fd09cbf65cf56
SHA256445d2c74ae1ba5af2eba4cc4a4deeabbda1ef920e272ce9f54a7d9374eb23402
SHA5129588272669bf2ecf277c83c836be28d4757a21b033e9919747fc11a7767abaf5d3af002d3379626b65e537aaa8fd2e30113994353592bcee577f3fbdd02dea5a
-
Filesize
54KB
MD57b8c4652937f053027395d23ef6c5b93
SHA13e203439da403069184a56d40d00b51e8a03a2cf
SHA256733b3e2f49984688e345d1acb07d22c9d5e44742f572fd610c114c50c04c3024
SHA51267b5aac27923f00fa7e39cefb6adc6714845cc9e3db51aa2fe8c910e09f95b2fe46ddc901257afa63ede0988792ee6245089ea419bd257e53f05c926793de929
-
Filesize
58KB
MD5110f9b2d470e415d55f8a0d78ae1f8a1
SHA1eeb9c0bf82f9a797fceed7d9725221348f45dcf1
SHA256fbafdc9359e5294e8410d3862aee050c5cc03aec557bd83345bdca27981c0138
SHA5121a8bf9fe93ff1b8cff52191bae71fed8822f4d99dd59ee6420709d037e26a185695e819535c793ffbe849e63637725e9ebdf487b57bb8f1ec3b4852e93954551
-
Filesize
50KB
MD56f3b4f30afb0c2fc164daaee95348815
SHA1c59e8d78f11d5af9aca282d52752c0846292d5e6
SHA256987fdfe4cb214563ecd4ba6d1990284e485a7701c323c1564d9d4afd3554c890
SHA512ce51ba253dc008b82ae51ac797362f93515b1ef481d6189f596f74c1172379bfa4bb86aa713ea62520a11c24281047aaee0d203d48fa1f3dcdc5121fff385809
-
Filesize
137KB
MD50fffca2125ec2d790c02b2bcd12ec8aa
SHA155883ab44b36fa0efe4747e2653786fbda5b60a5
SHA2569dc03047dec2d31586916298828447b291b3eadae317bab07f8917e4bf4dde96
SHA51253d6bb959d2d5ad5b3be4dde2b6c877eee4ae65e411f095bad980fc6ee58f49437dc8503186d544ab60aa6824cd70e616bf79cc13b713e27c5f75640db8ed70f
-
Filesize
83KB
MD59a2d8d245f55c0918e6a7e8b9e22ed25
SHA1827ace99c5e1570e3ea912e67dcf7ef6851c3ee1
SHA256e252cd74c35df37627de02488911ecfc1d57320be7dec21a7de03ccb9664d84b
SHA512076fba85e84cb31486a947e31c39464e08faacdad7b26645699f39fbe6f3d6bc6a7b926f46909f227e9c78f2ce8d9c2af0871e057db10345504db2226a2272c1
-
Filesize
1.5MB
MD577165621a4479597106e6d17565a2388
SHA13dc5ecf8051171845921e60dfa4bc6596c17744d
SHA2562579410e9f316e3eb80181813f87edab1b80724845b9c4fe3c3f2b065720d10b
SHA5121e045d4850899be53f760d87a715b13052c3cb4f8695ba4fc6badb2440039a1d938cd16c7e77ee9675309058dc7c53a07b0f7e070537d419c925c7e044d91e32
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB