Resubmissions
27/05/2024, 17:48  240527-wdtnzscb2y  8
27/05/2024, 17:48  240527-wdp1sscb2v  1
27/05/2024, 17:48  240527-wdkq3sca91  1
27/05/2024, 17:47  240527-wc2cfadb28  1
27/05/2024, 17:30  240527-v2957scf68  4
27/05/2024, 17:30  240527-v25kqacf65  1
27/05/2024, 17:28  240527-v2byeacf54  8
Analysis
max time kernel: 1173s
max time network: 1177s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/05/2024, 17:48
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://arc.net
Resource: win11-20240426-en
General
Target: http://arc.net
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                        Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid   Process
4344  msedge.exe
4344  msedge.exe
1580  msedge.exe
1580  msedge.exe
4764  msedge.exe
4764  msedge.exe
4972  identity_helper.exe
4972  identity_helper.exe
4652  msedge.exe
4652  msedge.exe
4652  msedge.exe
4652  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://arc.net
  PID:1580
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae5d03cb8,0x7ffae5d03cc8,0x7ffae5d03cd8
      PID:1392

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
      PID:4448

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      PID:4344
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
      PID:3372

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
      PID:2304

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      PID:4976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
      PID:1360

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      PID:4764
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
      PID:4732

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
      PID:3324

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
      PID:4972
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
      PID:720

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
      PID:3440

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,3843169831483486083,3389200349281161556,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4928 /prefetch:2
      PID:4652
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:3056

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1608
Network
MITRE ATT&CK Enterprise v15
Downloads