Analysis
max time kernel: 1174s
max time network: 1184s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/04/2024, 18:41
Tasks
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://now.gg
  Resource: win11-20240412-en
General
Target: http://now.gg
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow 12: discord.com
  Caveat: this rule fires on any flow to discord.com. For a URL analysis driven by a browser it is a low-confidence indicator on its own; it would matter if a payload were fetched from Discord's CDN and dropped to disk, which this report does not show.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Caveat: malware reads these BIOS values to detect virtual machines, which is why the rule exists, but Chromium-based browsers read the same keys for hardware and crash metadata. The reader here is msedge.exe itself, not anything fetched from the target URL.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 3516 msedge.exe (2 events)
  pid 1852 msedge.exe (2 events)
  pid 336 msedge.exe (2 events)
  pid 3012 identity_helper.exe (2 events)
  pid 3056 msedge.exe (4 events)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 1852 msedge.exe (7 events)
  Note: this is the Windows process-creation mitigation that restricts a new child to loading Microsoft-signed binaries; Chromium-based browsers apply it when spawning sandboxed children, so it is expected for the browser process.
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 1852 msedge.exe (25 events)
Suspicious use of SendNotifyMessage (12 IoCs)
  pid 1852 msedge.exe (12 events)
Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 writes originate from pid 1852 (msedge.exe, the browser process) and, once the repeated rows are collapsed, target only four distinct processes, each a child that pid 1852 itself created (see the process tree):
  PID 1852 wrote to memory of 3080 (msedge.exe, procid_target 80; crashpad-handler)
  PID 1852 wrote to memory of 4020 (msedge.exe, procid_target 81; gpu-process)
  PID 1852 wrote to memory of 3516 (msedge.exe, procid_target 82; network service)
  PID 1852 wrote to memory of 1988 (msedge.exe, procid_target 83; storage service)
  Caveat: a Chromium browser process writing into children it has just launched is how the multi-process model bootstraps them. The signature is worth attention when the target is a process the writer did not create, or runs a different image; neither is the case here.
Processes
Note: the analysis image ships Edge 90.0.818.66 (Chromium 90.0.4430.212), a 2021 build, so the browser under test is several years older than the April 2024 submission. The tree below is the ordinary Edge/Chromium layout: one browser process with crashpad, GPU, network, storage, renderer and utility children.

- msedge.exe, PID 1852 (browser process, root)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://now.gg
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Children of PID 1852:
  - msedge.exe, PID 3080 (crashpad-handler)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa4e6d3cb8,0x7ffa4e6d3cc8,0x7ffa4e6d3cd8
  - msedge.exe, PID 4020 (gpu-process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  - msedge.exe, PID 3516 (utility: network.mojom.NetworkService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe, PID 1988 (utility: storage.mojom.StorageService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  - msedge.exe, PID 3564 (renderer, client id 6)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  - msedge.exe, PID 5056 (renderer, client id 5)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  - msedge.exe, PID 4036 (renderer, client id 7)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  - msedge.exe, PID 4944 (renderer, client id 8)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  - msedge.exe, PID 2892 (renderer, client id 9, instant process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  - msedge.exe, PID 3076 (renderer, client id 10)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  - msedge.exe, PID 3992 (renderer, client id 11, instant process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  - msedge.exe, PID 336 (utility: chrome.mojom.UtilWin)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - identity_helper.exe, PID 3012 (utility: winrt_app_id.mojom.WinrtAppIdService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe, PID 3056 (gpu-process, second instance, relaunched with the GPU sandbox disabled and GL disabled, i.e. the software fallback)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,2667611070258651793,18170644690805055138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- CompPkgSrv.exe, PID 4212 (root)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe, PID 1412 (root)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
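The WriteProcessMemory rows and the process tree are enough to decide mechanically whether the writes are Chromium child bootstrap or something worth a look: join each writer/target pair against the tree and check that the target is a child of the writer running the same image. The script below does that; it is an added example and is not tria.ge's code or part of the original report. The process tree is a subset of the one above; the explorer.exe entry (PID 9999), the shortened repeat counts in SAMPLE, the fabricated row targeting PID 9999 and the bucket names are assumptions made for the demonstration.

```python
"""Triage helper for 'Suspicious use of WriteProcessMemory' rows in a sandbox report.

Added example; not tria.ge code and not part of the original report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One row of the flattened table reads "PID <writer> wrote to memory of <target>".
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int]  # None for a root process


def parse_writes(text: str) -> List[Tuple[int, int]]:
    """Return (writer_pid, target_pid) for every row. Duplicates are kept on
    purpose: the report lists one row per write."""
    return [(int(w), int(t)) for w, t in WRITE_RE.findall(text)]


def classify(writer: int, target: int, tree: Dict[int, Proc]) -> str:
    """Bucket a write by the relationship between writer and target."""
    w, t = tree.get(writer), tree.get(target)
    if w is None or t is None:
        return "unknown-pid"       # target not in the tree: needs a look
    if t.ppid != writer:
        return "unrelated"         # writing into a process it did not create
    if w.image.lower() != t.image.lower():
        return "cross-image"       # its own child, but a different binary
    return "child-bootstrap"       # same binary, own child: Chromium's normal startup


def triage(text: str, tree: Dict[int, Proc]) -> Dict[str, Counter]:
    """Count writes per (writer, target) pair inside each bucket."""
    buckets: Dict[str, Counter] = {}
    for writer, target in parse_writes(text):
        buckets.setdefault(classify(writer, target, tree), Counter())[(writer, target)] += 1
    return buckets


def flagged(text: str, tree: Dict[int, Proc]) -> List[Tuple[int, int]]:
    """(writer, target) pairs that are not ordinary child bootstrap."""
    return sorted(
        pair
        for bucket, counts in triage(text, tree).items()
        if bucket != "child-bootstrap"
        for pair in counts
    )


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Process tree: the five Edge PIDs involved in the report's writes, plus one
# constructed explorer.exe entry (PID 9999) that is not in the report and
# exists only to exercise the 'unrelated' bucket.
TREE: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1852, EDGE, None),                        # browser process
    Proc(3080, EDGE, 1852),                        # crashpad-handler
    Proc(4020, EDGE, 1852),                        # gpu-process
    Proc(3516, EDGE, 1852),                        # network service
    Proc(1988, EDGE, 1852),                        # storage service
    Proc(9999, r"C:\Windows\explorer.exe", None),  # constructed, not in the report
]}

# Constructed IoC text: the report's four real writer/target pairs with
# shortened repeat counts, plus one fabricated row targeting PID 9999.
SAMPLE = (
    "PID 1852 wrote to memory of 3080 1852 msedge.exe 80 " * 2
    + "PID 1852 wrote to memory of 4020 1852 msedge.exe 81 " * 3
    + "PID 1852 wrote to memory of 3516 1852 msedge.exe 82 " * 2
    + "PID 1852 wrote to memory of 1988 1852 msedge.exe 83 " * 2
    + "PID 1852 wrote to memory of 9999 1852 msedge.exe 99 "  # fabricated row
)

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE, TREE).items():
        for (w, t), n in sorted(counts.items()):
            print(f"{bucket:16} {w} -> {t}  x{n}")
    print("needs review:", flagged(SAMPLE, TREE))
```

Run against the real report text, every one of the 64 rows lands in child-bootstrap and flagged() is empty; the fabricated row is the only thing that surfaces. The pid-to-image join is the part worth keeping: a rule keyed on WriteProcessMemory alone will fire on every Chromium-based browser launch.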
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 43379e1fd46bbf81afb4fa093257a7b9
  SHA1: a1aa383ab51d42dadb4d670b2f8cf3cd942b6172
  SHA256: ff0fb0aba84da291dd911ea4776d4e1d61d300b655644196f8c53923c39506f5
  SHA512: 5db08aa2770fd4ed60407be5014cd602327ec66860e7c034b635c4c7a84bc8a5cae698ea807fabee1b05f36eb5759ad65958e54a8dc01a79bf908957dbbfcea8
- Filesize: 152B
  MD5: b3cd5e4894701b66c8551a435ee29ec2
  SHA1: ac29ae9a2fc83b817e559ff6391d671122d34af4
  SHA256: 96f9e5444a3e9c3149465940f2254ba89befa89504edc3af41023a8e7a8c2640
  SHA512: d3979c1b7d6d4d06b575e7adb7c6843224e826263272b1c3fbcad0ee8a2f3fba257ed12bc6ed60740fe815ea2fa1373749e8b63049a92d1a173340f81d9f9fee
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 528B
  MD5: 95e95869c187490a00f4a97aea647237
  SHA1: 37e0c674e59f2b6a870036a3ffebd82d669bf4df
  SHA256: 895d244f366ed10a8768bfddd28ab14f2605f2772a9e82a68d1981fb257d1444
  SHA512: 9a73c234857f6ddcf81be298364dbfe77fb344d4818881e3a9756fb5e952a1e563d7a33ab4eb329c1049102cd9456830c057391f006af66998b139fcdb3386b0
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 1KB
  MD5: 66f93648a66703334f834925d8ee902a
  SHA1: 4d627be27e37ae5c83b5419d366283c67d9b209d
  SHA256: bb72a95811317feea042ab430540c78a772d0799f8b5fa43df17603f906ce677
  SHA512: 1762fe0398064358b317c1f698caeb3780082a4719f2118b18cd38e240a31bb65e226c3f2f61310c5feb23e451615c872b0ee733ff1d0f64e06bd7879e14e70f
- Filesize: 1KB
  MD5: 72dfd58c7751ff26ce58e69e803c6537
  SHA1: bc4f94dd8df485b73c40943e69733b5bb9e7d516
  SHA256: 617a617c98757e35a1a60914522ffcb3f3542287f0365345b06c8fb11947d91b
  SHA512: 956cdedbb2107185838644ca086de844b83051b57c5679aab9df1ac2901ca217011eda34efd7806221cc3648e49e4055cc759f20dd798f90546b6373924b122c
- Filesize: 5KB
  MD5: fad4c23342de8428303b0272f3a44c5c
  SHA1: 28d2fa09e273f9fa5fe186240f67557076eb981b
  SHA256: c67fa886a465d38d1a5b8c69cbcaeb784c874caa6a3233c2d5de9c6695fe6bf0
  SHA512: 9e95a518594a2ff1f28fce13cf160cff1544d991ec7187b9a1bcf472d35764004f0872a53ca88e14c20a26dd9e48cf51b66b557585a6e2b783fb845516ab4986
- Filesize: 6KB
  MD5: d12f9821d7cfccd8cbcd85b96572d872
  SHA1: 9c409b4a9fe63c26a54682bcca1eb6f9369c1c29
  SHA256: adef702fb3ab9380acb3bec70331b2eb1f52d58688b49f77f1e03e47d8d7ab8b
  SHA512: 51fac6e71dcf3ecedc2a1c0fea3faebcde23845a4f3556a95f8b413017f3c8d156444f40b6e72f38e0febe4afb1028ec4b3159abc0bb0333b76d92c218dded8b
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 31365ce73942ae6971d474e8c3b6a8df
  SHA1: d8de745bd41643c907b4bc20eb7f8b7c87ad7430
  SHA256: e28e377cc6ba54aeba4d54d21e9c0a5d569fa9d0ac3de4b66a33e43fdf74a25f
  SHA512: 51435bcf877a793a1dd3060df6b4fe329daef41f9dbd9063664866f8b71ee23dd79c4d585727ab332fda537c270c43897fe78803eda31fc1efe59c5dfe2e30d4
- Filesize: 11KB
  MD5: 1494de069db17fc2d41431e3f80d0efc
  SHA1: c377954c0e4bbdcd401f99b4125e9addf1cba206
  SHA256: 0487830959ed214328aa6c7f717483b508beb31c79a9df53e7c01288e2fcbc02
  SHA512: def6f75123032a10ba98151e042414e42f05a1e01089bd87d99aebf556aa4f7a2bca4ee55682b45dd019a4f9ab211df2fe30d15453f389b387a0c6a1cf822bd9