Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2024, 08:29
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://www.citizenm.com
Resource: win10v2004-20240412-en
General
Target: http://www.citizenm.com
Malware Config: (empty)
Signatures
All six signatures below fire on the Microsoft Edge browser process (PID 4656) or on its own child processes; nothing outside the browser tree triggers any of them. They are generic behavioural heuristics, and for this sample each one is accounted for by normal multi-process browser operation.

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Reading SystemManufacturer and SystemProductName is the classic virtual-machine fingerprinting check this signature exists to catch. Here the reader is the browser itself, which queries the same two values for its hardware-information reporting, so the hit carries no signal on its own.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- 1056 msedge.exe (x2)
- 4656 msedge.exe (x2)
- 4744 identity_helper.exe (x2)
- 5312 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- 4656 msedge.exe (x7)
The browser process creates child processes with the process-creation mitigation that blocks loading of non-Microsoft-signed binaries, a hardening Chromium applies to its sandboxed children. The signature records the mitigation flag being set, not an attempt to evade it.

Suspicious use of FindShellTrayWindow (25 IoCs)
- 4656 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
- 4656 msedge.exe (x24)
Both are shell and window-messaging calls (locating the taskbar tray window, broadcasting window notifications) made by the browser's UI process.

Suspicious use of WriteProcessMemory (64 IoCs)
Every entry has the form "PID 4656 wrote to memory of <target> 4656 msedge.exe <procid_target>", i.e. the browser process writing into a process it has just created. Targets:
- 920 (procid_target 87): 2 writes
- 1924 (procid_target 88): repeated writes
- 1056 (procid_target 89): 2 writes
- 2944 (procid_target 90): repeated writes
All four targets appear in the Processes tree as children of PID 4656: the crashpad handler (920), the first GPU process (1924), the network service (1056) and the storage service (2944). A parent writing into a child it has just spawned is what the sandbox sees whenever a multi-process browser sets up its children. A write into a process the writer did not create would be the injection pattern this signature is meant to catch, and no such entry is listed here.
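The check described above, that every WriteProcessMemory target is a child of the writer, is easy to automate against the flattened IoC text. The script below is an added example, not part of the tria.ge report or its tooling: it parses IoC lines in the format the report's signature table uses, groups them per (writer, target) pair, and labels each pair as a write to a child (explained by process creation) or to an unrelated process (the case worth escalating). The parent/child map is copied from this report's Processes section; the IoC sample is a trimmed copy of the report's entries plus one constructed line with target PID 9999, which is not in the tree, so that the classifier has something to flag.

```python
"""Triage "Suspicious use of WriteProcessMemory" IoCs against a process tree.

Added example, not part of the tria.ge report or its tooling. Assumes IoC lines
of the form "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>",
as shown in the report's signature table.
"""
import re
from collections import Counter

# Parent -> children, copied from the report's Processes tree. PID 4656 is the
# browser process started with: msedge.exe --single-argument http://www.citizenm.com
PROCESS_TREE = {
    4656: [920, 1924, 1056, 2944, 3004, 4988, 4500, 3884, 4744,
           2396, 4468, 1960, 2128, 5312],
}

# Flattened signature text as it appears in the report, trimmed to a few
# entries per target, plus one CONSTRUCTED line (target 9999) that is not in
# the tree above.
IOC_TEXT = (
    "PID 4656 wrote to memory of 920 4656 msedge.exe 87 "
    "PID 4656 wrote to memory of 920 4656 msedge.exe 87 "
    "PID 4656 wrote to memory of 1924 4656 msedge.exe 88 "
    "PID 4656 wrote to memory of 1924 4656 msedge.exe 88 "
    "PID 4656 wrote to memory of 1056 4656 msedge.exe 89 "
    "PID 4656 wrote to memory of 2944 4656 msedge.exe 90 "
    "PID 4656 wrote to memory of 9999 4656 msedge.exe 91"   # constructed
)

# The writer PID appears twice per entry; the backreference enforces that.
IOC_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_wpm(text):
    """Return one (writer_pid, target_pid, image, procid_target) tuple per IoC."""
    return [
        (int(m["writer"]), int(m["target"]), m["image"], int(m["procid_target"]))
        for m in IOC_RE.finditer(text)
    ]


def classify_writes(entries, tree):
    """Group writes per (writer, target) and label each pair.

    'child'     - the writer created the target; this is what a multi-process
                  browser looks like while it sets up each new child.
    'unrelated' - the target is not a child of the writer; this is the
                  cross-process write (injection) pattern the signature is for.
    Returns {(writer, target): (label, write_count)}.
    """
    counts = Counter((w, t) for w, t, _, _ in entries)
    verdicts = {}
    for (writer, target), n in counts.items():
        label = "child" if target in tree.get(writer, []) else "unrelated"
        verdicts[(writer, target)] = (label, n)
    return verdicts


def suspicious_targets(entries, tree):
    """Sorted list of target PIDs whose writes are not explained by process creation."""
    return sorted(
        t for (_, t), (label, _) in classify_writes(entries, tree).items()
        if label == "unrelated"
    )


if __name__ == "__main__":
    entries = parse_wpm(IOC_TEXT)
    for (w, t), (label, n) in sorted(classify_writes(entries, PROCESS_TREE).items()):
        print(f"{w} -> {t}: {n} write(s), {label}")
    print("escalate:", suspicious_targets(entries, PROCESS_TREE))
```

On the report's real data every pair comes back as "child", so the signature's 64 hits collapse to four parent-to-child relationships and nothing to escalate; only the constructed 9999 entry is reported as unrelated.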
Processes
- PID 4656: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.citizenm.com
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 920 (crashpad handler): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2cb646f8,0x7fff2cb64708,0x7fff2cb64718
  - PID 1924 (GPU process): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  - PID 1056 (network service): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2944 (storage service): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  - PID 3004 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  - PID 4988 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - PID 4500 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  - PID 3884 (identity helper): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  - PID 4744 (identity helper): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2396 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  - PID 4468 (renderer, instant process): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  - PID 1960 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  - PID 2128 (renderer, instant process): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  - PID 5312 (second GPU process, started without the GPU sandbox and with GL disabled): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11095255011511747909,7061080116562010076,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6028 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 3376: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 1504: C:\Windows\System32\CompPkgSrv.exe -Embedding

Every process in the tree is either the Edge browser launched on the target URL, one of its own Chromium-style helper processes (crashpad, GPU, network, storage, renderer, identity helper), or the system's CompPkgSrv.exe COM server started out-of-process by the service control manager (-Embedding). No non-browser binary is launched from the browser tree. The crashpad annotations (ver=92.0.902.67, chromium-version=92.0.4515.131) identify the browser build baked into the analysis image as Edge 92, a 2021 release, so the observed behaviour reflects that browser version rather than a current one.
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run. Only two entries carry a path on this page, and both sit under the Edge profile directory (C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data), i.e. browser cache and state rather than content fetched for the user; the paths of the remaining entries are not shown.

- Filesize: 152B
  MD5: 7b56675b54840d86d49bde5a1ff8af6a
  SHA1: fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811
  SHA256: 86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929
  SHA512: 11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

- Filesize: 152B
  MD5: 48cff1baabb24706967de3b0d6869906
  SHA1: b0cd54f587cd4c88e60556347930cb76991e6734
  SHA256: f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775
  SHA512: fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 744B
  MD5: 2bd053e040767e09472e6e1b26101f13
  SHA1: 5a4fcb55daac80d79e8938e10ebe947c9a8b1169
  SHA256: 88941cfa364daf07c7a9bd595426c1ddbfb651311fc53223d07219dd6eb4a45c
  SHA512: 5e36c2c881f0941387ded7d4a73117820a1f54237f52f9670e87f108ed1e72c33184d3380d0cfb05f2dc4750220079602377089c7d74ad0198c59b4bffbaf34c

- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

- Filesize: 1KB
  MD5: 4a8b2f5ea9436b721f5ef297c835a442
  SHA1: 5f524b4f4d3017f0205e45012f93fe841c0e9b99
  SHA256: 2549138bb3bdbd83a6a001ad7314a3433c7cdf483f2de2b2b1a44081278f4b2a
  SHA512: 0834d06c9fff7cb9c6b1b3e2b5f3253863857cd71a7add01902b3b2695102aa431099e5d493d593e44a9bdd1246ffe906e2eda8be030092bf48bc05ae476a13a

- Filesize: 6KB
  MD5: 8eed311ad2696fcc0c32dfd7784a318e
  SHA1: f8060c5fc80871f4f1c29eddc77d229b158d6a22
  SHA256: 0bd085c9dfb498bb0ab2857734f1b4e176f21cb0b35b645042cf862920198053
  SHA512: 0164606c973a5f83492802db512a2646717f847951e459013366701b08b78519548e855970470aedafd38aaa18e89d7ac8fa23990fa77aaf68e9a1af8d0922c9

- Filesize: 7KB
  MD5: f08c1fa9356c540445712aa324b59319
  SHA1: bd0fa3abbe09f05f52d990574b1730bd15a92c50
  SHA256: 33e24dd3720a94df75f326d4aacf04de3eb3f718921ac6d4f519fcc3c7dc5df2
  SHA512: c1369510b7b9c09892e6671cd4da6bf20e0edb262a38a886564b1711016e50f90c089b0ddcb9b0b33b8226d1e49b6cbbd1e83281da992c5cb7232b00ab4af802

- Filesize: 6KB
  MD5: d1cd77595877db280833ab35e6474445
  SHA1: e939820084ba241a68d0d1b21375ae253efc2d33
  SHA256: 201252251d0ce90425a088720ca1fe90ec35e80a18fbe2fb1153cde2978a82f8
  SHA512: 8b603473de09a5abf52c6f908ed2e4a3d8f5956cd7ff342d9925042c40633c600540ead63121a4acac45a1ec6b9cbd351223e2e3ae09f0fd84035f0b08e10d76

- Filesize: 874B
  MD5: b6b465a8db386c07dd02854f731a6fe3
  SHA1: 9e45be7381446e5d414db66f3347a803519dba48
  SHA256: aa805cc739c2976c2d4f57067f61719ac06849efb38bb2bf277a4ef9940b7b7e
  SHA512: ced373a9009fe9f9a95cc7e429cecd65adc0aa7b9d3a2836dc325646b9c38a459b2521a3947a95b41b1ac8f4bc85d5918258829c98dc89cee457d4adc2204cd7

- Filesize: 204B
  MD5: 9accf7a81238382ceb477f9002632aca
  SHA1: f700fdb650bcacd60ea086a2ef542820ea225038
  SHA256: 9d4343fde5f7db21f6cc009ad3f70f40cf6a040523b04a681e4a3167e2f4a8cc
  SHA512: fab4ae94720eba52ca8cd441fa90857d86d90bd74bfe33f0e5180cf5530394700200a0318ccd492df4d23008cede022b0472b67cf579a0cde33fdb4c5033851d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b84754de-08da-430c-a7fa-2b0c5626faa1.tmp
  Filesize: 6KB
  MD5: 65db14ee9270d719fc114e5aea76849d
  SHA1: 62e68409a1335536a38df2c8b42d63affb1828a6
  SHA256: ca49fb27bae8314a14a8ba85744c7612c9dc290431ad584ffcd541d058c7c051
  SHA512: d13f98db650512545a720a1fa20a5c0b3586fa8342a9ae8aa27d4129fa5c862caa743b7726982f4311dcc7589b91816dbb53aaf1ab5a3dd61132dacad78f71c4

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 9f17ce90984a7661962a189d5c160dcf
  SHA1: 6c015a034cf3e197e706fbc5d263d3b9791b9bc6
  SHA256: d52c355f09029ea3c5c0a81781964fd2bedb3467bfdfb77ca4d47dcee90019cf
  SHA512: bda7c3bd47b579cac5cea7bbefded3f8a1e78a38499673ec288b2206341596cc829b85b878cc646eb79304fedba7bfe29ec31325abda8536054bc119151de5f2