Analysis
- max time kernel: 152s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/10/2023, 18:33
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe
- Size: 340KB
- MD5: aa238df9e8a7908a95bafb9d117999f0
- SHA1: 2f1810c170c3c50d7541897d044dd132602142fd
- SHA256: eba26f206c5cc4bc8f5121381e10d058d8e58c747aeca5d385f28ae7e760a5d5
- SHA512: b1b5f504996f6aacc766d0cf9a16207a395b45c5a2ec965cac3d2fcc557a85cf2c8fb524ce8effb603982e791a5db435f5958315c5616e83ae0184bcc54dc151
- SSDEEP: 6144:MRVQPKuV3eIY8uwJxuaIFtkxOd6HarTrjCP9sERagkL9:fKuV3eZwTZAUi663rWPzkR
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe)
Executes dropped EXE (2 IoCs)
- PID 4996: Smtray.exe
- PID 1632: Smtray.exe
resource / yara_rule:
- behavioral2/memory/3704-4-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral2/memory/3704-9-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral2/memory/3704-14-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral2/memory/2508-46-0x0000000000400000-0x000000000047B000-memory.dmp: upx
- behavioral2/memory/3704-50-0x0000000000400000-0x000000000040B000-memory.dmp: upx
- behavioral2/memory/1632-98-0x0000000000400000-0x000000000040B000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Smapp = "C:\\Users\\Admin\\AppData\\Roaming\\SoundMAX\\Smtray.exe" (Process: reg.exe)
Suspicious use of SetThreadContext (5 IoCs)
- PID 1280 set thread context of 3796 (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe, procid_target 80)
- PID 1280 set thread context of 3704 (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe, procid_target 81)
- PID 4996 set thread context of 2868 (Process: Smtray.exe, procid_target 87)
- PID 4996 set thread context of 1632 (Process: Smtray.exe, procid_target 89)
- PID 4996 set thread context of 2508 (Process: Smtray.exe, procid_target 90)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- pid 4304, pid_target 2868, Process WerFault.exe, procid_target 87
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3796: svchost.exe (all 64 entries are this same pid/process pair)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- PID 2508: msedge.exe (all 7 entries are this same pid/process pair)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 1632: Smtray.exe (all 64 entries are this same token/pid/process triple)
Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 2508: msedge.exe (all 25 entries are this same pid/process pair)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 2508: msedge.exe (all 24 entries are this same pid/process pair)
Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 1280: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe
- PID 3796: svchost.exe
- PID 3704: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe
- PID 4996: Smtray.exe
- PID 1632: Smtray.exe
Suspicious use of WriteProcessMemory (64 IoCs, grouped by identical row; counts sum to 64)
- PID 1280 wrote to memory of 3796 (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe, procid_target 80): 9 entries
- PID 1280 wrote to memory of 3704 (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe, procid_target 81): 8 entries
- PID 3704 wrote to memory of 3588 (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe, procid_target 82): 3 entries
- PID 3588 wrote to memory of 3640 (Process: cmd.exe, procid_target 85): 3 entries
- PID 3704 wrote to memory of 4996 (Process: NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe, procid_target 86): 3 entries
- PID 4996 wrote to memory of 2868 (Process: Smtray.exe, procid_target 87): 4 entries
- PID 4996 wrote to memory of 1632 (Process: Smtray.exe, procid_target 89): 8 entries
- PID 4996 wrote to memory of 2508 (Process: Smtray.exe, procid_target 90): 6 entries
- PID 2508 wrote to memory of 5068 (Process: msedge.exe, procid_target 92): 2 entries
- PID 2508 wrote to memory of 60 (Process: msedge.exe, procid_target 94): 18 entries
Processes
(indentation shows parent/child depth; cmd is the recorded command line)

C:\Users\Admin\AppData\Local\Temp\NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe (PID 1280)
  cmd: "C:\Users\Admin\AppData\Local\Temp\NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 3796)
      cmd: "C:\Windows\system32\svchost.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe (PID 3704)
      cmd: "C:\Users\Admin\AppData\Local\Temp\NEAS.aa238df9e8a7908a95bafb9d117999f0_JC.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3588)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSTQY.bat" "
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe (PID 3640)
              cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Smapp" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SoundMAX\Smtray.exe" /f
              - Adds Run key to start application
        C:\Users\Admin\AppData\Roaming\SoundMAX\Smtray.exe (PID 4996)
          cmd: "C:\Users\Admin\AppData\Roaming\SoundMAX\Smtray.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe (PID 2868)
              cmd: "C:\Windows\system32\svchost.exe"
                C:\Windows\SysWOW64\WerFault.exe (PID 4304)
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 84
                  - Program crash
            C:\Users\Admin\AppData\Roaming\SoundMAX\Smtray.exe (PID 1632)
              cmd: "C:\Users\Admin\AppData\Roaming\SoundMAX\Smtray.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2508)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
              - Enumerates system info in registry
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5068)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff918da46f8,0x7ff918da4708,0x7ff918da4718
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 60)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1312)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4964)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4352)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 552)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4496)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 228)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5036)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2472)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4396)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4744)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3380)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1680)
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4423543385317799254,2754963747203368208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=244 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe (PID 1596)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2868 -ip 2868

C:\Windows\System32\CompPkgSrv.exe (PID 4660)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 904)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads