Analysis
max time kernel: 89s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2023, 21:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://rb.gy/x19cz#ZGRlbGl6emFAcGVubm9ua-s5jb20=
Resource: win10v2004-20230915-en

General
Target: http://rb.gy/x19cz#ZGRlbGl6emFAcGVubm9ua-s5jb20=
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description       | ioc                                                                   | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  4504 | msedge.exe
  4504 | msedge.exe
  4936 | msedge.exe
  4936 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid  | Process
  4936 | msedge.exe   (all 7 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid  | Process
  4936 | msedge.exe   (all 26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid  | Process
  4936 | msedge.exe   (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                      | pid  | Process    | procid_target
  PID 4936 wrote to memory of 116  | 4936 | msedge.exe | 39   (2 entries)
  PID 4936 wrote to memory of 5012 | 4936 | msedge.exe | 87   (remaining 60 entries, together with the 1712 row)
  PID 4936 wrote to memory of 4504 | 4936 | msedge.exe | 86   (2 entries)
  PID 4936 wrote to memory of 1712 | 4936 | msedge.exe | 88   (remaining 60 entries, together with the 5012 row)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4936)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://rb.gy/x19cz#ZGRlbGl6emFAcGVubm9ua-s5jb20=
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 116)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe34b946f8,0x7ffe34b94708,0x7ffe34b94718

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5012)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1712)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3564)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 380)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4368)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1352)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2424)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4072)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2980)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11590983667368177647,9457685241792208223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 2668)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 396)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: bf009481892dd0d1c49db97428428ede
SHA1: aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256: 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512: d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 480B
MD5: 2d84be133f6296b1c1c8b143f622087c
SHA1: 09005961e4d2aa49ec7db2e860c89b1566d24239
SHA256: f0c7f71ae06c9b715086004087d0b5e3f81e149143e5faad20f65e82272352be
SHA512: 657dec217362e83eab785446a67b905f6136e6007c1d8be13e4d6deaa90d3ea834142ea2ec72e50c2f828cb6baa65028ffe8ac3802966226dbf52396edb27839

Filesize: 1KB
MD5: bd5d4d47714cd416c1b8d35739203f96
SHA1: 93f832bac3b03e77d072f2b4d3598d3a9b8ef43a
SHA256: 0f950fb3386d098f12f2eafd74a0d511a9976a734db9967a5857567882a6c1f5
SHA512: 8aedf71a6750888695fa815de989033f8ee7f44acc103124c659d4327e5ac89dfce832485b749809de9c49d95041647941ad000c9094f70ca1745908cdb62673

Filesize: 5KB
MD5: eebb2d71bd330556105582bb6fb224f7
SHA1: a21bf2da257e44e8931a37493dacf203fa967bed
SHA256: 3780a501368e2214cc3fc683f3d22aa0488df47af9369e36d132de8b673e22fd
SHA512: 5452caf9fe336456fc2c0587084048e7d6dbd789a1d4270fc8782961e879d53ee4ea51438ac42e3e73312d4d0154759a4b17f7322581dfb583577be08044535a

Filesize: 7KB
MD5: 8e21196f8807687f0c0cf9031ed1a9b0
SHA1: c8d42f0e6cd9e39072d858b604f209b995cd53fa
SHA256: b80e23b57949d51b53da109430c40bf8f010e8ca22957663001c353bec47a765
SHA512: 7609c679edc1afc8ca67bdff70022fa1b5819e61ce76f550f4ba97383967719071a56a87252c0e488443c4845ccc867fc2a7e640eeeb9ee5361c469705409bf0

Filesize: 24KB
MD5: b690c7643af8bf5f3a96b59e33522135
SHA1: 204ca48a942ecba4d2f2ef844275c3f5905ed453
SHA256: 4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695
SHA512: f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d

Filesize: 10KB
MD5: 4add19d24844d09dd86174c64d83a433
SHA1: 1316cb1240ef38f0017cb26d11ecdc47fc1bfb1d
SHA256: b30ea638590badb918b190a9d8437879675a33a818e1bbfa3f07cfda7f017f19
SHA512: 0f333f5487619925bd37191eeb047cdb9d7b6136b7adc03062bfe95dd20a72801e29866cf2e8e6b40e66407bb2901dffa4050b2dfd12f9df62647b976be7043e