Analysis
max time kernel: 148s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29/04/2024, 12:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://xploit.games/roblox/esp/
Resource: win11-20240419-en
General
Target: https://xploit.games/roblox/esp/
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
1052 | msedge.exe (2 entries)
4992 | msedge.exe (2 entries)
2876 | msedge.exe (2 entries)
2044 | identity_helper.exe (2 entries)
2708 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process
4992 | msedge.exe (6 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
4992 | msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process
4992 | msedge.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4992 wrote to memory of 3112 | 4992 | msedge.exe | 80
PID 4992 wrote to memory of 2832 | 4992 | msedge.exe | 81
PID 4992 wrote to memory of 1052 | 4992 | msedge.exe | 82
PID 4992 wrote to memory of 4948 | 4992 | msedge.exe | 83
(each row is repeated once per write event; 64 rows in total)
Processes
- msedge.exe, PID 4992 (level 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://xploit.games/roblox/esp/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- msedge.exe, PID 3112 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd90ef3cb8,0x7ffd90ef3cc8,0x7ffd90ef3cd8
- msedge.exe, PID 2832 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
- msedge.exe, PID 1052 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- msedge.exe, PID 4948 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
- msedge.exe, PID 4552 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
- msedge.exe, PID 1976 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
- msedge.exe, PID 1760 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
- msedge.exe, PID 756 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
- msedge.exe, PID 2876 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- identity_helper.exe, PID 2044 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- msedge.exe, PID 3668 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
- msedge.exe, PID 3972 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
- msedge.exe, PID 2708 (level 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4526133935943392468,17801851599931329302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5872 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
- CompPkgSrv.exe, PID 2344 (level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe, PID 5032 (level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads