Analysis
- max time kernel: 34s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/10/2024, 08:37
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://mega.nz/file/2V4HkbjK
- Resource: win10v2004-20241007-en

General
- Target: https://mega.nz/file/2V4HkbjK
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  4488  msedge.exe          (2 entries)
  1720  msedge.exe          (2 entries)
  320   identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process
  1720  msedge.exe  (all 6 entries identical)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                         pid   Process
  Token: 33                           4752  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   4752  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  1720  msedge.exe  (all 25 entries identical)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  1720  msedge.exe  (all 24 entries identical)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                         pid   Process     procid_target
  PID 1720 wrote to memory of 1940    1720  msedge.exe  84   (2 entries)
  PID 1720 wrote to memory of 5088    1720  msedge.exe  85   (repeated entries)
  PID 1720 wrote to memory of 4488    1720  msedge.exe  86   (2 entries)
  PID 1720 wrote to memory of 3840    1720  msedge.exe  87   (repeated entries)
  The 5088 and 3840 rows together account for the remaining 60 of the 64 listed IoCs.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/2V4HkbjK
  PID: 1720
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5e5b46f8,0x7ffd5e5b4708,0x7ffd5e5b4718
    PID: 1940
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    PID: 5088
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
    PID: 4488
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
    PID: 3840
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    PID: 3768
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    PID: 4108
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
    PID: 4480
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
    PID: 320
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    PID: 4116
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    PID: 2956
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    PID: 1836
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    PID: 2596
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,9563365324281483095,10062418752421626588,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 /prefetch:8
    PID: 940
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2900
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4520
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x494 0x45c
  PID: 4752
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 0a9dc42e4013fc47438e96d24beb8eff
  SHA1: 806ab26d7eae031a58484188a7eb1adab06457fc
  SHA256: 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
  SHA512: 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
- Filesize: 152B
  MD5: 61cef8e38cd95bf003f5fdd1dc37dae1
  SHA1: 11f2f79ecb349344c143eea9a0fed41891a3467f
  SHA256: ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
  SHA512: 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: 8e920eeb427169478654f3213625a3ec
  SHA1: deb28a2c84bdb097ecc4fd4b70781f1d67078be4
  SHA256: 9058215047bfc6329ff4e3af75c2c0ef678beac693c1220f95bf99565ab79431
  SHA512: 27ae9e317449e78468ffcaaf149285f3d5d5a4cbcea9549332bb0b3796e0e4d6dc2e7578f557b80b0129b83aa366becd278097f233b1028ef228e1bca8a5fcd2
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 6KB
  MD5: 6aee7b27a05b8bc9fff9174251d9686d
  SHA1: c08d9b1f39ede088d9273bad290d70d6fa7a0b6e
  SHA256: 2378b219043f77869c8388ba4e9dc9565ee5fe2162da9479a52fd71b7a73c879
  SHA512: 34f94644dda023d91fa082b00caf880a09ed2b1febd8ef5e619ade752f056e6f383e184147e3e7e7d6a7c9d81047a571b4630cbb241a421f14cce1a5f5bd4d66
- Filesize: 5KB
  MD5: 9206ab9a5b94191076769da50e494468
  SHA1: 4323bb8a86ee362328ab11a86c0bbb6a86474572
  SHA256: 2c85e1e5aa98072c8606e5044f8edd9a52de26be6fdefa543068487f3bdd88f0
  SHA512: f0f819855f81d24d7c63e0d9a21db89736ea7995a79c5aca8be0794be84685068d481321fb22cdbed1ece82ba479232a4087beff0fced1e0f784121c30782fe7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 242ff471346259d2f28cebd706379155
  SHA1: ac66d14b3f7345107152fb2257f775cf17f039cd
  SHA256: 5c055f7741fd0d94bfdb67562b5da68f71302f2d06c07da29852982dc11730ad
  SHA512: e597b7a03e8143dc015fca1a4ca8e57590b3aff07c269f175a1bd3e409e16fb81aa2f573e21896e707350dbc6ac143571ccf1bad4a594f10c9c6f6b049395566
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581b05.TMP
  Filesize: 48B
  MD5: 17c8a86e0ef55a453fd80d36f2097034
  SHA1: 0708fb01aa21383512c6a6a9e9c08c6132dc2dc0
  SHA256: fffce2e5a7d245c2435ebcdce0b52f42cba1af357540b2ff4ac0b04a145d8520
  SHA512: 3a4cf05ef5bd5cf3f75dd6fed2cfbf0b0649807f651def229be976acfebc0767ea332839bac184150edc1f1ef88ec59201f4afaf08e160b8013153221254a151
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: b0b413fa51099598f713b9da53fec51d
  SHA1: d31f1a0945fda4f2ca3177f1111197368f05ebb8
  SHA256: ee1532e7d289541b8d1fe8aa7d71333d82913d2528303f31e0ea3f9caeaa21de
  SHA512: ee4cdcf59587d33f21907b618cce9b5e70464f95e6a61baf06ab4f1b1ecfdfdcbcfdbe2f9d37f3c9a9e013e7ae9f4205a0d0319149e56cec528851dd90631c65