Analysis
max time kernel: 120s
max time network: 122s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16/12/2024, 14:18
URLScan task: urlscan1
Signatures
- A potential corporate email address has been identified in the URL: [email protected]
- A potential corporate email address has been identified in the URL: [email protected]
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
48    api.ipify.org
49    api.ipify.org
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid   Process
3940  msedge.exe (x2)
1164  msedge.exe (x2)
4068  identity_helper.exe (x2)
3300  msedge.exe (x2)
2516  msedge.exe (x4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process
1164  msedge.exe (x7)
Suspicious use of FindShellTrayWindow 25 IoCs
pid   Process
1164  msedge.exe (x25)
Suspicious use of SendNotifyMessage 12 IoCs
pid   Process
1164  msedge.exe (x12)
Suspicious use of WriteProcessMemory 64 IoCs
description                             pid   Process     procid_target
PID 1164 wrote to memory of 2192 (x2)   1164  msedge.exe  77
PID 1164 wrote to memory of 2064 (x40)  1164  msedge.exe  78
PID 1164 wrote to memory of 3940 (x2)   1164  msedge.exe  79
PID 1164 wrote to memory of 4712 (x20)  1164  msedge.exe  80
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1164)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://fundingbenefit.economicsaid.com/#bWl0ZWVsaW5nQG1vbnRyb3NlLWVudi5jb20=
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2192)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3940)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4712)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1292)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1308)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1436)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3408)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4292)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 4068)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1180)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1172)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3300)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2516)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,12149892686077918431,4584689270267530455,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3868 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 1920)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1340)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads