Resubmissions
27/05/2024, 17:48  240527-wdtnzscb2y  8
27/05/2024, 17:48  240527-wdp1sscb2v  1
27/05/2024, 17:48  240527-wdkq3sca91  1
27/05/2024, 17:47  240527-wc2cfadb28  1
27/05/2024, 17:30  240527-v2957scf68  4
27/05/2024, 17:30  240527-v25kqacf65  1
27/05/2024, 17:28  240527-v2byeacf54  8
Analysis
max time kernel: 480s
max time network: 486s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/05/2024, 17:47
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://arc.net
Resource: win11-20240508-en
General
Target: http://arc.net
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process              entries
  3756  msedge.exe           2
  2832  msedge.exe           2
  3664  msedge.exe           2
  4032  identity_helper.exe  2
  4900  msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   Process     entries
  2832  msedge.exe  7

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     entries
  2832  msedge.exe  25

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process     entries
  2832  msedge.exe  12

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 2832 wrote to memory of 4896  2832  msedge.exe  79
  PID 2832 wrote to memory of 4708  2832  msedge.exe  81
  PID 2832 wrote to memory of 3756  2832  msedge.exe  82
  PID 2832 wrote to memory of 964   2832  msedge.exe  83
  (each of these rows is repeated in the original listing; 64 entries in total, most of them for target PIDs 4708 and 964)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2832)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://arc.net
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4896)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5c833cb8,0x7fff5c833cc8,0x7fff5c833cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4708)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3756)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 964)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1452)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4936)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4164)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 4032)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3884)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2184)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 476)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4900)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1776,5717381420331487702,10948177360968725011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1260 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 3580)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4676)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads