Analysis
max time kernel: 23s
max time network: 17s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/07/2023, 11:41
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.unknowncheats.me/forum/downloads.php?do=file&id=40908
Resource: win10v2004-20230703-en

General
Target: https://www.unknowncheats.me/forum/downloads.php?do=file&id=40908
Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Internet Explorer settings 28 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1B61A32D-1BF2-11EE-84C0-FA18DFD6C72F} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1235DEBF-1BF2-11EE-84C0-FA18DFD6C72F} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs (×N = identical row repeated N times)
pid | Process
1092 | msedge.exe (×2)
4008 | msedge.exe (×2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid | Process
4008 | msedge.exe (×4)

Suspicious use of FindShellTrayWindow 28 IoCs
pid | Process
5048 | iexplore.exe
4008 | msedge.exe (×26)
2192 | iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
4008 | msedge.exe (×24)

Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
5048 | iexplore.exe (×2)
4404 | IEXPLORE.EXE (×2)
2192 | iexplore.exe (×2)
3980 | IEXPLORE.EXE (×4)
Suspicious use of WriteProcessMemory 64 IoCs (×N = identical row repeated N times)
description | pid | Process | procid_target
PID 5048 wrote to memory of 4404 | 5048 | iexplore.exe | 82 (×3)
PID 4008 wrote to memory of 4600 | 4008 | msedge.exe | 86 (×2)
PID 4008 wrote to memory of 4828 | 4008 | msedge.exe | 87 (×40)
PID 4008 wrote to memory of 1092 | 4008 | msedge.exe | 88 (×2)
PID 4008 wrote to memory of 2484 | 4008 | msedge.exe | 89 (×17)
Processes

iexplore.exe (PID 5048)
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.unknowncheats.me/forum/downloads.php?do=file&id=40908
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ IEXPLORE.EXE (PID 4404)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

msedge.exe (PID 4008)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  └ msedge.exe (PID 4600), crashpad handler
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea06746f8,0x7ffea0674708,0x7ffea0674718
  └ msedge.exe (PID 4828), GPU process
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  └ msedge.exe (PID 1092), network service
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  └ msedge.exe (PID 2484), storage service
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  └ msedge.exe (PID 3244), renderer
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  └ msedge.exe (PID 1812), renderer
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  └ msedge.exe (PID 2036), renderer
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  └ msedge.exe (PID 4952), renderer
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14891103550445302464,5118751444923824443,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1

CompPkgSrv.exe (PID 2248)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

iexplore.exe (PID 2192)
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\CheckpointConnect.xht
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  └ IEXPLORE.EXE (PID 3980)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
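Added example, not part of the Triage report or of tria.ge's own tooling: a Python script that rebuilds parent/child relationships from the "Suspicious use of WriteProcessMemory" rows in the Signatures section, checks whether either browser spawned anything that is not itself a browser, and flags reads of the BIOS registry key (the "Enumerates system info in registry" hits) coming from a non-browser process. The sample rows and the pid-to-image table are constructed by copying from this report; the row grammar the regexes accept is the flattened layout seen on this page, not a documented Triage export format, and the observation that the 64-row table omits the 2192 → 3980 pair is taken from comparing it with the Processes section above.

```python
import re
from collections import defaultdict

# Constructed sample input: the distinct rows of the report's
# "Suspicious use of WriteProcessMemory" table, pasted in with duplicates dropped.
WPM_ROWS = """
PID 5048 wrote to memory of 4404 5048 iexplore.exe 82
PID 4008 wrote to memory of 4600 4008 msedge.exe 86
PID 4008 wrote to memory of 4828 4008 msedge.exe 87
PID 4008 wrote to memory of 1092 4008 msedge.exe 88
PID 4008 wrote to memory of 2484 4008 msedge.exe 89
"""

# Constructed from the report's Processes section: pid -> image name.
PROCESSES = {
    5048: "iexplore.exe", 4404: "IEXPLORE.EXE",
    4008: "msedge.exe", 4600: "msedge.exe", 4828: "msedge.exe", 1092: "msedge.exe",
    2484: "msedge.exe", 3244: "msedge.exe", 1812: "msedge.exe", 2036: "msedge.exe",
    4952: "msedge.exe", 2248: "CompPkgSrv.exe",
    2192: "iexplore.exe", 3980: "IEXPLORE.EXE",
}

# Constructed from the report's "Enumerates system info in registry" table.
REG_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
"""

BROWSER_IMAGES = {"iexplore.exe", "msedge.exe"}   # compared case-insensitively
BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
REG_RE = re.compile(r"(Key opened|Key value queried|Key created|Set value \(\w+\)) (\S+)(?: = .*?)? (\S+)")


def parse_wpm(text):
    """Flattened 'description pid Process procid_target' rows ->
    (parent_pid, child_pid, parent_image, procid_target) tuples."""
    edges = []
    for line in text.strip().splitlines():
        m = WPM_RE.fullmatch(line.strip())
        if m is None:
            continue
        src, dst, src_again, image, target = m.groups()
        if src != src_again:      # the row repeats the writer's pid; a mismatch means a garbled row
            continue
        edges.append((int(src), int(dst), image, int(target)))
    return edges


def parent_map(edges):
    """child_pid -> parent_pid; a child written to by several pids keeps the first writer."""
    parents = {}
    for src, dst, _, _ in edges:
        parents.setdefault(dst, src)
    return parents


def non_browser_children(edges, processes):
    """Children of a browser whose image is not itself a browser: the outcome a URL
    detonation is actually looking for (a downloaded payload being launched)."""
    return [(src, dst, processes.get(dst, "<unknown>")) for src, dst, _, _ in edges
            if processes.get(dst, "<unknown>").lower() not in BROWSER_IMAGES]


def untracked_pids(edges, processes):
    """PIDs from the Processes section that appear in no WriteProcessMemory row.
    The table shows exactly 64 rows and lacks the 2192 -> 3980 pair that the
    Processes section implies, so the tree built from it is a lower bound only."""
    seen = {pid for edge in edges for pid in edge[:2]}
    return sorted(pid for pid in processes if pid not in seen)


def render_tree(edges, processes):
    """Indented parent/child listing, roots and siblings sorted by pid."""
    parents = parent_map(edges)
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{processes.get(pid, '<unknown>')} (PID {pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted({p for p in parents.values() if p not in parents}):
        walk(root, 0)
    return "\n".join(lines)


def parse_reg(text):
    """Flattened 'description ioc Process' rows -> (description, ioc, process) tuples."""
    matches = (REG_RE.fullmatch(line.strip()) for line in text.strip().splitlines())
    return [m.groups() for m in matches if m]


def bios_probes_outside_browsers(rows):
    """Reads of HARDWARE\\DESCRIPTION\\System\\BIOS are a common VM/sandbox check, but
    browsers read the same values for telemetry; only a non-browser reader is worth a look."""
    return [r for r in rows
            if r[1].upper().startswith(BIOS_KEY.upper()) and r[2].lower() not in BROWSER_IMAGES]


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print(render_tree(edges, PROCESSES))
    print("non-browser children:", non_browser_children(edges, PROCESSES) or "none")
    print("pids with no WriteProcessMemory row:", untracked_pids(edges, PROCESSES))
    print("BIOS probes outside browsers:", bios_probes_outside_browsers(parse_reg(REG_ROWS)) or "none")
```

Run against this report it prints a tree with two roots (msedge.exe 4008 with its four utility children, iexplore.exe 5048 with its tab process 4404), no non-browser child, seven pids with no WriteProcessMemory row (the second iexplore.exe pair 2192/3980, the four renderers and CompPkgSrv.exe 2248), and no BIOS probe outside the browsers. Read together with the Processes section, the signature hits here are browser housekeeping, and nothing in the report shows the file behind the URL being executed; the caveat is that a capped signature table is not a complete process tree, so the Processes section, not the WriteProcessMemory rows, is the record to reason from.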
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 152B
MD5: a7ad9bb1054aa03e39b3554833d0c3ec
SHA1: cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9
SHA256: 0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189
SHA512: d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 6KB
MD5: 35e19ad7f985473963ddef90101542fe
SHA1: 066852304765c9a1d928456ce37ccb9dd504a05e
SHA256: a5bad0373444a7ca12ed190cad8340681eef718e13ea7b561f4bb155ca30de1b
SHA512: aff89dcdac205010681915aeefc905e4b3ce8539e5f609234628ef651d7ab6c1a911dc862f2cfc459e1c17b6be47f21f2e683e152721e48b35e152e55b584d80

Filesize: 5KB
MD5: cec58958a2a830a42f14490ff798834a
SHA1: 1c95dca8ba0cbaf20ebcb51f729be7c573f2da82
SHA256: 96b647f05a6f20bfb05e8cc5be5b82bac8875c3dc7da7d3fd45d7bd236a40cb6
SHA512: 809c387e54fb6dda9c394c03599b8b0af2e4c86331d273f95f92f344c33689b080b1d1beda9eab7f10fdb0d8980fde1c69eafe187a396de41412477eda016284

Filesize: 24KB
MD5: 2816b0ac86deb18ed9d903725dcae378
SHA1: 10c507eaedc2c140aa365341a1bbf4638d16cc07
SHA256: 842334ac74ca1a5a0feb28c1f969434eda950a12701147fac6485fe5215b80f2
SHA512: f620bbecf185b4fee3409a715774c24839b238dd84e0dda21179d4387b7c0c239411da68a77c8977e17479e556c98efde55f52ac2ff12c9fef01384184157e0c

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 12KB
MD5: 9e20dd636304ccd7eb80d781868a5b6f
SHA1: 0f4c3d93f0b2caa111900eec79ca60b672b7e355
SHA256: 87fd82ce979edaa79c16e816e913477ac2666c095106370161fd4192c1a378d1
SHA512: 49712687b70add9f136f85689ae775d395c6ba89445222280bf6cda987be3aa65f1142aa2b3ae53088ae1c862bc5308efa12151df50bc82b382975b6b9cfe331