Resubmissions
23/02/2024, 09:30  240223-lgpt4aef92  1
23/02/2024, 09:26  240223-lekglaeb31  1
23/02/2024, 09:18  240223-k9y3sseb2v  10

Analysis
max time kernel: 1800s
max time network: 1684s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2024, 09:30

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: https://github.com/enginestein/Virus-Collection
Resource: win10v2004-20240221-en

General
Target: https://github.com/enginestein/Virus-Collection
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  3424  msedge.exe           (2 entries)
  5080  msedge.exe           (2 entries)
  4568  identity_helper.exe  (2 entries)
  3428  msedge.exe           (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process
  5080  msedge.exe  (6 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  5080  msedge.exe  (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  5080  msedge.exe  (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 5080 wrote to memory of 1176   5080  msedge.exe  32  (2 entries)
  PID 5080 wrote to memory of 5088   5080  msedge.exe  88  (40 entries)
  PID 5080 wrote to memory of 3424   5080  msedge.exe  87  (2 entries)
  PID 5080 wrote to memory of 1840   5080  msedge.exe  89  (20 entries)
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection
  PID: 5080
  Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffc1c4f46f8,0x7ffc1c4f4708,0x7ffc1c4f4718
    PID: 1176

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    PID: 3424
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    PID: 5088

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    PID: 1840

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    PID: 2268

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    PID: 4392

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    PID: 4356

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    PID: 4568
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
    PID: 64

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
    PID: 4580

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    PID: 3104

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    PID: 876

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,13752304064240027946,2085890437544830136,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2624 /prefetch:2
    PID: 3428
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5064

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4388
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: e189354a800c436e6cec7c07e6c0feea
SHA1: 5c84fbda33c9276736ff3cb01d30ff34b032f781
SHA256: 826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427
SHA512: ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Filesize: 152B
MD5: b9e3e150cfe464e9ebf0a6db1aa5e7a2
SHA1: 3cb184e2781c07ac000661bf82e3857a83601813
SHA256: 2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc
SHA512: f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 3f57e7177bb9731e5c742ba02494fdef
SHA1: a619f85ee79dc73cbacc20860d7fa51c853cd8c7
SHA256: 8c038e9468fb5c86d71540b6e8bdc525251903fb353940b358e3e6fa47e873a3
SHA512: b113992c1440e65bacba2cff9010103214ab3f468475531efb0e0acbf7ca39a8dfcf4f1c138f3c3dfaba4538ee1ed280ccf1a1a1a1691d366a8d45ca3018168f

Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 496B
MD5: c492bad59bb1c0823974b1b57d99f25c
SHA1: 033c7fe77e62a181c0ffcf0763aeeadfecc652a7
SHA256: 7b53ba9fc9c102c58b3a5c42a499e13e0f5d3ea2622c4e6a479cfe59503b8355
SHA512: 1bcf8cba715ac399b4f5e9129606b07d2ed79b561310e179af9be314a4ebafea6ea0e28c30dc4383dccaff76cfc85471d2ba7b49e58aa86dfea304b1f3d34e0d

Filesize: 6KB
MD5: ce1636be0e1f90be8cdf235869edc1a9
SHA1: 3b1b0fa02a98e603413b0228e75cb8d7b30d5d08
SHA256: ef2061289524fe5690b1322fedb1e2b8af01fe3c6c8acef8ebc62e8f42d6f394
SHA512: 292f4b0341c553903940ca5bafc4b9d29492863b2103c972f0308aae2c1f1d43c5a49f973b26817392a1fd53fcd4c2986b20043140e0b6f299e3d6d937934795

Filesize: 6KB
MD5: ed4f70b58e940f5f416454a40eee405e
SHA1: 0afd4b7ed7b0fc381baa647c0d3457b37a56b4a4
SHA256: 3c8d9223b04a29b124e3aee9d33b139cca7ea6cb97d8d9dc86447ca45a1e83f8
SHA512: 3096c14935be650546de62bf96715bf3e5fa395ee26528190cde4a1271d9852e123a4f444af1e00736f64c402a3f144e09a59740b17036ee9d4a903a73304f60

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 3260b6815e90f9bc5d48f92085a8abe7
SHA1: 95349774418265d2af167eff126891c17bc3ab1f
SHA256: ece87c83a49e99990a3420528ddcf820f0075a4d4cacb416c7d1155de069a3a0
SHA512: 739c1fc62975992fd529da8bc697beeb4d114ced6fede6d99f2253f686501ee318eccf0d8ef6a3f54fee762965b4cc97e2a15d08c46ccb389ea275de0c8a4ba1