Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2025, 15:05

General

  • Target

    KayKit_Medieval_Hexagon_Pack_1.0_FREE/Patreon.url

  • Size

    125B

  • MD5

    6da579b0fd9fc68ac72110f56254b3c3

  • SHA1

    6b646c5d103dcb72eff216c179180f6af93f663d

  • SHA256

    93706b75e2bbfc2e6711e0d2ed035facfc2aa816c8e79510c55823b88260ae16

  • SHA512

    a758e2533a1194feb932921ceb74582aaf8243f575555e41c73aff9ad5d7cc249bd5ad46093d9f4fcf3a93d0d5ddd2803e87a7513d0e7fb398ce792849e3e2d0

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\KayKit_Medieval_Hexagon_Pack_1.0_FREE\Patreon.url
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.patreon.com/kaylousberg
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5e9646f8,0x7ffa5e964708,0x7ffa5e964718
        3⤵
          PID:4136
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
          3⤵
            PID:1624
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4268
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
            3⤵
              PID:996
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
              3⤵
                PID:2956
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
                3⤵
                  PID:5060
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
                  3⤵
                    PID:4756
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
                    3⤵
                      PID:3024
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
                      3⤵
                        PID:208
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
                        3⤵
                          PID:3860
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4012
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                          3⤵
                            PID:2064
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
                            3⤵
                              PID:2352
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
                              3⤵
                                PID:2968
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
                                3⤵
                                  PID:5072
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5524 /prefetch:2
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:492
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8723792822678817220,14900104558251339596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
                                  3⤵
                                    PID:3324
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3584
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2968

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    b8880802fc2bb880a7a869faa01315b0

                                    SHA1

                                    51d1a3fa2c272f094515675d82150bfce08ee8d3

                                    SHA256

                                    467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                    SHA512

                                    e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    ba6ef346187b40694d493da98d5da979

                                    SHA1

                                    643c15bec043f8673943885199bb06cd1652ee37

                                    SHA256

                                    d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                    SHA512

                                    2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                    Filesize

                                    120B

                                    MD5

                                    0a8426d989d423cc11588a4367887163

                                    SHA1

                                    26c1e65f2f3f15a55eb126c1ee5c81517850cb17

                                    SHA256

                                    fcb5e4ea99530adf016f51a4996820bace258c787484b95047268a9e5f38bca5

                                    SHA512

                                    1b35777b01940dd4afcae87ffcad39d876dc4f33edef8516642511467bd0d5f3faeef61034b38a89b9afe4985a3fa50e152cff7eb8d7f719561542def729f06a

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                    Filesize

                                    555B

                                    MD5

                                    c5eab11bf5e2089e4a9274e395f0032a

                                    SHA1

                                    78a87b922afb1e01bcc63c0aa28ed9b8b9817444

                                    SHA256

                                    2356a4f3de8e2ef59f632acf9b608c23c5219ee538ba686c229bd618edb6952b

                                    SHA512

                                    e13b3f0ef6f1b7335498af24f96131d9c5093aaa0a526d59fc8b1c5e94847c24c7987483d6ddafb04847cd1946c5c9802d5f59c75bb874a60382f45b2a68ca37

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    d321d57dce50a32dc262161534a6c3ca

                                    SHA1

                                    662ba858586ba6f26de57074b5f727564d5a7142

                                    SHA256

                                    67ac865d022eb8609659fba49a281fcf9fa341d6e84ae7de1f1b5d8cdd48eb73

                                    SHA512

                                    497dee3b5d50b4744f8a9e4783f9ea1b57c9ca4bb6cf6a95e37d258714cfb84f9197bb9cdeeba9721e5f07066825b08b22e0e48b6c5a17767b9fdcf13e2ffab8

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    cc62b4346be9d84be877d89d7c8be8f9

                                    SHA1

                                    da0945b9959edbbfa1f047faad893f0a16f7c508

                                    SHA256

                                    e0f8a407024feabcbbc3c53d36ff2580d21bf169751856b277dd2074cd9fe8cd

                                    SHA512

                                    939e5eb21e876d85154ca54001575789338562439b0752e58ca8e19a7a462a0e2a62007c61e8de351f63dfc1b08dfed7d7b9cf4eb516722024ccf05ecdbf2eff

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                    Filesize

                                    372B

                                    MD5

                                    03710ce423f9099269e302c044e18dc8

                                    SHA1

                                    d912a79c89ccb1ae82b2583e83217a46a7826030

                                    SHA256

                                    63f9084e7c4d23801553581dda85f2efc548f91022a19a4e1b35e5187889ca8f

                                    SHA512

                                    e6ffdb7f819114480ddaf1f3320e4c91a22d8216e8f74c80234d0e76c19327e26cdb0f57c6ea4b35744f52fdc645859ffce30022c13e057852db445895de776b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                    Filesize

                                    372B

                                    MD5

                                    3b956424df6f5f8e483755b92e8cf95c

                                    SHA1

                                    ca6bc87c4b92f586ce9c0c9e1d97f687400c02f8

                                    SHA256

                                    decde0e9444f2eb8e1fe4ed3dab0c57d0b14d981049fcc6dbc3e15f616979dd0

                                    SHA512

                                    4d6458148035c1559dc7b92266d5023bcdf5909ca0664f3ad9113d0ece3c6b2e89b5a7425df47228273fce22ac9a4850659e8386a4c1be533db373f4286ba816

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59f582.TMP

                                    Filesize

                                    372B

                                    MD5

                                    5222d9a3b8503fe81770b3bb66968537

                                    SHA1

                                    54045e4ba50be27a72da85aa14746f81fc305255

                                    SHA256

                                    1ab7b8478671ab1274ad32fcd426e464e347ec203ce3a8302df8d57621c7f8d6

                                    SHA512

                                    0e4b18cfcf85b8ab39e17c863f634e8ae1adbf34b0032808d230b7660503cb4dfe2593f3ea0d02cf7cef70c851d07b5746585ff3cf8da4a051aaebd9e0c68c52

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    e21d3f96b747944412eff63305fd592f

                                    SHA1

                                    1666e835e0e074f154fc00479ed9ac1b4d42ef5d

                                    SHA256

                                    2bf74a3bf9f1f93cda31ee64ec24609f64e689397c724135b47927033dd533fe

                                    SHA512

                                    9ee999a9e8427b6575ef47fa59ee30022fabbabe61c0fae9330fce2859b8a70aedfa3110eb57e5317d1f3f2408b28dea63cef5e3b2273b12c729ddbfed62bdbf