hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke[.]98[.]exe

Resubmissions

22/08/2024, 00:53

240822-a8svaazcqe 8

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 00:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4180	WinNuke.98.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
75	raw.githubusercontent.com
76	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 983988.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
3012	msedge.exe
3012	msedge.exe
3252	identity_helper.exe
3252	identity_helper.exe
4476	msedge.exe
4476	msedge.exe
5664	msedge.exe
5664	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4824	3012	msedge.exe	84
PID 3012 wrote to memory of 4824	3012	msedge.exe	84
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 2344	3012	msedge.exe	85
PID 3012 wrote to memory of 4740	3012	msedge.exe	86
PID 3012 wrote to memory of 4740	3012	msedge.exe	86
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87
PID 3012 wrote to memory of 3284	3012	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7fffacb846f8,0x7fffacb84708,0x7fffacb84718
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1848 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,3824230660735115309,8557669710942235113,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb52ac829h91d7h4c9chb1efh1cf7962831d1
1⤵
PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffacb846f8,0x7fffacb84708,0x7fffacb84718
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6632148254211339903,13631380410514122288,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6632148254211339903,13631380410514122288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c7571cbcc1448aa5246016ad0feba7b4

SHA1
36490fa23f20b45bdd8cda5f72facf47583ebb10

SHA256
8dd3ff85971dffecaac0e59a8bbb61259e9df57ccaa51ea8c316cdaaa91eedb8

SHA512
c17b5de201915e4909e3207d3ded218310e714057ec6c98e0f93fb7b75de7366bab85081cb8d8827df0123509fac176e3d201ac36db7cf25edfa649dc95d766f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7094d1def82f230728dd346f8c80edc2

SHA1
8f5fab9b64393d28b8ccb67342ccb1d3a510abe2

SHA256
851bb41d3a944d575a4ccc25bbffe44722091135202f0d10af622d40b570968b

SHA512
6cd89b5b3fcdacb774c350ff84a025cf61a7ac2a378e03b80e99d7e85bfc7ab9d6c1850a306add3b9788a9764f329be4a949f075f5a13eca71b7e9c2324858cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
65141ee7de186b38be5e1fdaddb3d501

SHA1
455647ecf2fe6d59ac8b378758eb06b9b7a4e69c

SHA256
534e5e7800ffb87965af22f5b6137df74b4cf5ab7c061b0a325bb5f62c157465

SHA512
d0625d5c88c342ebf59235de6d9ce14e2e9c054d6aa15cc3658a8f9fd913642374f817c41d594b77bdd17218b063047a572d1eaf4ff5c33f638550dfb9f14b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09c52969ec89e8fe31eeb7523930892a

SHA1
dc83b14c94c6b72ebacf392167f209c66d67dac9

SHA256
abca31b3e90cf81d36faba6b7eee84b1de092863a88a87d21e100c575d093455

SHA512
3c491ac7440f94851e06a3f3b675b7d49444e1c14c236329ed57f8faa057a3168b13905cb4e47cbccc2e428e3868bfa42b40fedb1a531c10ff98b08c202d8405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0689d339cd0fee05150a713421cceaf7

SHA1
df7443de050531d243c6211fce810ba0d31e8dbb

SHA256
100e088930c16318fab364280962d55e43f17a8601867c80582ca8e3789705ec

SHA512
4c9116cc63986fab84c02bc2b420320db636db71d1f77e9be35970b8e9310dc49865de2010b66edd15cbbe7aae6927ad4d95e166da33d5925bf17ac3f0f34912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2b9551c2b66199e2f703406468416e7

SHA1
4b26274da9122e03142bb0c6a7b2009c93dc63b2

SHA256
d0bd27929246bfc4575a34c49cbd441928148eb1d5e9c264384e237a607af14b

SHA512
6e881313983bba2f8be8341f6382b6d4fea30ee1cb5152cb1b2fd2b049aa4b193c58e5156c52b15cbbd4932788e9db105a8cef5ecbb2dfe3809aee20c7085334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d7f2407a6c72962ab1ce9ca542661f6

SHA1
e848049ff361e72c144d2ee8e2187d1d3ba1f2f5

SHA256
b501daea18f123c4c7fbbb75624ee67b2ead751b1a831617b4d6c2df9c6e2d70

SHA512
6609b41ef54cf8f6ae84c6e8fdbc582c156b8da477d0230f6b933ae1fb3d30156bdd23c7fd5032e8b761e2563e79b3c945d2ace49c9dc4cb12f228b3a944c28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1bfc141d8003249acfe7883088db20e8

SHA1
f3623aae4ab66a652e3822566bae58a63778490c

SHA256
d1c9825b0749fdf2851398c216f4b32d6f13669c42397b8c7637c9cf78a35499

SHA512
09dd3136e90c7b652acaa8ea8b8d5aaef4bc2d03fdd846c96e73b62458a177bfb96febdf377d32daeb1fd76fe783a9919967a21fd06ba886276a77345e0f9ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3baddba9b8276a55c12ee6e79a8644a4

SHA1
c20098891a1a32a1354ecbf9ed549877ebf6efec

SHA256
2e00750cdd69c980842badb2d63abb95de8d1a07881d74f2b67ef3c72c4ea73a

SHA512
db029d6101941e9fb63eac2a5ed8c5487bf1ce29f306a9fa53e71128374c555a4b7a1653321bd792f2279f3a326ce20f9b1140aca9f97594d0dc7ec311fcba36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
447da0275192b6f2c8d971e6083dcf0a

SHA1
16417b882ce1e616db85a59bba356367d459d3f2

SHA256
d8cd5e373da9addfe1cab800256e0ef3bea140de413b7780787280193839fa3a

SHA512
fa730aa2d12e7c2ebf044cec35cb22809705ec54cab4fd687c2d9debd16776709a94b968e82dd41b5940fe4bf858a8a0a6a32bc92e75bc5f1f7a25f55405bb6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60798ebc5daee05bc4771b2add78a99a

SHA1
b35d3032adf045d553f8abe950157d85dd714821

SHA256
df049eda221062243e31ff9f116e1ebebb7c781eb15cde6a738136897b4757e2

SHA512
28a41efedce60abe5c556620aa002738ebc9eba6fe0e0b0458540d8a694a5d51a52449c348f0b67c30f7dea26d9273fb2ed5b560428db8f0b7291318a9f63ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d551.TMP

Filesize
874B

MD5
eadbb608d865f991f57697020437086b

SHA1
5a8125a4c786b7befc782381e75590f278994319

SHA256
f64eedc6eceda616c74441709a6cb1657cfb7a591aab23e25d4a5ae0bfe127e9

SHA512
4ca2152cd85570b8dd6a49f8b85e4b281d44d12e34e37352f476f6d02cb47a91d23c81bdbf2bf862d931a4d4db735ac094e41b756dddcf13e0ee09318f848f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5783085f4c76b775703f55f21f2aee11

SHA1
cd287655a82682a375c7327a5fae141613bf213f

SHA256
55dc44e1b5552e35c2d2a2f14e56cc7859c7cf63a7392be29e3dce108669d197

SHA512
221b6ecbddae2f93c28204546da67741dc00a59775a41c6afdc31c54401323b9d9998ab730611a6f9001369d9ed0fb8f0ccc5914fd608fe710257c2755d9b772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a263131c6f51d53ef6604b91748a06c2

SHA1
ffe825cf146f4744a98cbf3d8fd0b7c162351f45

SHA256
344f59a14798ced12e137fc2e5fa4934727a8225db155e667bbe794983ba71af

SHA512
af61d71abc47259bf616347d6548261becfd6ff760cbc5e0f48b56ec9a3313d0fc55583e3682207394b02d4aabf81061b4c53f1311ddfae7eb810394e0b352f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efd1abff38e3518d69de6f70377b5ca9

SHA1
1b0463a9422ad197ab5f4ef64136b2850f26f114

SHA256
5222f8b7b238870722eabf4e7ee87e4321493df9bbd42f696cb3c15aa31059f0

SHA512
bb9451b5371658437302411ef9e7b886c4f7937d269a77e4aeed68b60f77f3d4fef1251e080d40e70c413efabf604f86518ba55580ef6ec337fafb062ab495c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
74d708b7f9b7eb0302dc5a5d6dcda4d9

SHA1
7fc542f99435d29ee07640d72d311e29f72bf021

SHA256
3bd464be58172f7539dd76601d7619dbb4583179338ba77ababa8f4d9e5a00a6

SHA512
03eacbaca738ba50cbfd2e8187c500f72e7c9d5503c9e44cca96bd597b4f6f8a718c337ac19493b846f5cd53253bf8ec2bf40be1bb87ddfe2d473b319dd3ccba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6377ac38df3500e8ec501448e3d77357

SHA1
f5fdd736d4d9997a7636c1dad02ecd4c5e3f4cc7

SHA256
2d8f4ff882f39687dc66efcf3dcf5945bd170c8951ae8f480c5115c57db44e8a

SHA512
21b28a1fae77a3c1b21b5d0b54d518035c8e3d20b0890883fb170505f5b42372b5cedcd44735609c00bced5915341fb42eb7f8685516f4027a723148bf26ce36

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 983988.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit