Resubmissions

submitted            task id              score (/10)
08/02/2025, 16:34    250208-t3cqnavngw    8
08/02/2025, 16:34    250208-t229xsvnfy    3
08/02/2025, 16:33    250208-t2qacsvnft    8
06/02/2025, 15:35    250206-s1njpsypez    4
05/02/2025, 16:40    250205-t62tysvlfv    10
27/01/2025, 09:56    250127-lym2tssqf1    3
19/12/2024, 16:24    241219-twqc6swkfr    9
04/12/2024, 21:04    241204-zwlb4sxjdr    7
30/11/2024, 20:46    241130-zkncbsyphl    3
10/11/2024, 21:18    241110-z5t1lsylfk    10

Analysis
max time kernel:   1153s
max time network:  1154s
platform:          windows11-21h2_x64
resource:          win11-20240802-en
resource tags:     arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         02/10/2024, 18:13

Tasks
Static task:      static1
URLScan task:     urlscan1
Behavioral task:  behavioral1
Sample:           http://itch.io
Resource:         win11-20240802-en

General
Target:          http://itch.io
Malware Config:  (no configuration extracted)

Signatures
Downloads MZ/PE file
An executable was fetched over the network during the run; the two files involved are the Project UroboroS.exe and MrTomatoS.exe downloads that appear under NTFS ADS below and are later executed.

Executes dropped EXE (3 IoCs)
pid    process
868    Project UroboroS.exe
584    Project UroboroS.exe
4864   MrTomatoS.exe

Loads dropped DLL (52 IoCs)
pid    process                 loads
868    Project UroboroS.exe    15
584    Project UroboroS.exe    15
4864   MrTomatoS.exe           22

Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 2 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose content is known as the Mark-of-the-Web (MOTW).
description                    ioc                                                              process
File opened for modification   C:\Users\Admin\Downloads\Project UroboroS.exe:Zone.Identifier    msedge.exe
File opened for modification   C:\Users\Admin\Downloads\MrTomatoS.exe:Zone.Identifier           msedge.exe
Caveat: this rule fires on any handle opened for modification on a Zone.Identifier stream. In both entries the process is msedge.exe, and the process tree attributes the hits to Edge's quarantine utility (utility-sub-type=quarantine.mojom.Quarantine), which is the component that writes the mark when a download completes. Writing the tag is expected browser behaviour. A genuine bypass would show the dropped executable itself, a script host, or an archive/ISO/installer tool modifying or deleting the stream. Treat these two entries as download artefacts, not as evidence that the sample removed its own mark.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoC rows are listed for this signature.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Project UroboroS.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Project UroboroS.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    MrTomatoS.exe
Caveat: any localized application reads this key to choose its UI language, so on its own this is weak evidence of geographic targeting.

Enumerates system info in registry (2 TTPs, 3 IoCs)
description         ioc                                                                     process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
All three reads come from the browser, not from the dropped executables.

NTFS ADS (4 IoCs)
description                    ioc                                                                   process
File opened for modification   C:\Users\Admin\Downloads\Project UroboroS.exe:Zone.Identifier         msedge.exe
File opened for modification   C:\Users\Admin\Downloads\Unconfirmed 201417.crdownload:SmartScreen    msedge.exe
File opened for modification   C:\Users\Admin\Downloads\MrTomatoS.exe:Zone.Identifier                msedge.exe
File opened for modification   C:\Users\Admin\Downloads\Unconfirmed 238949.crdownload:SmartScreen    msedge.exe
The :SmartScreen streams on the in-progress .crdownload files are written by Edge as part of its download reputation handling; again the writer is the browser.

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid    process               entries
4764   msedge.exe            2
5092   msedge.exe            2
3388   identity_helper.exe   2
868    msedge.exe            2
3092   msedge.exe            2
1328   msedge.exe            4
3912   msedge.exe            2

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid    process
868    Project UroboroS.exe
4864   MrTomatoS.exe
A game runtime polling for window focus produces the same pattern.

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
All 16 entries: pid 5092 msedge.exe. Chromium-based browsers apply the "block non-Microsoft binaries" process mitigation to the sandboxed child processes they create, so this is the browser launching its own helpers.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                         pid   process
Token: 33                           32    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege   32    AUDIODG.EXE
AUDIODG.EXE is the Windows audio device graph isolation process, not the sample.

Suspicious use of FindShellTrayWindow (64 IoCs)
All 64 entries: pid 5092 msedge.exe.

Suspicious use of SendNotifyMessage (12 IoCs)
All 12 entries: pid 5092 msedge.exe.

Suspicious use of SetWindowsHookEx (3 IoCs)
pid    process
868    Project UroboroS.exe
584    Project UroboroS.exe
4864   MrTomatoS.exe

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries have pid 5092 msedge.exe as the writer; the original table repeats each row once per write. Distinct targets (procid_target in parentheses):
writer pid   writer       target pid   procid_target
5092         msedge.exe   2848         79
5092         msedge.exe   2412         80
5092         msedge.exe   4764         81
5092         msedge.exe   2324         82
In the process tree these four targets are the browser's own crashpad-handler, GPU process, network service and storage service, i.e. the parent bootstrapping freshly created children, not injection into a foreign process.
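The Mark-of-the-Web Bypass and NTFS ADS signatures above both reduce to "some process opened a Zone.Identifier (or SmartScreen) stream for modification", and whether that is a download artefact or a real unmark depends on which process did it. The script below is an added example, not part of the tria.ge report: it parses the INI-style content of a Zone.Identifier stream and then triages ADS IoC lines of the shape shown in the report. The four report lines are copied from the NTFS ADS table; the two "bypass" lines, the sample stream content and the URLs in it, and the set of browser image names are constructed for illustration. The "File deleted" description is an assumed wording, not one taken from this report.

```python
"""Triage NTFS ADS / Mark-of-the-Web IoCs from a sandbox report (added example).

Two things matter when a "Mark-of-the-Web Bypass" signature fires:
  1. Which process touched the Zone.Identifier stream?  Browsers *write* the
     mark when a download completes; only a non-browser process modifying or
     deleting it is a bypass candidate.
  2. What does the stream say?  Zone.Identifier is INI text:
         [ZoneTransfer]
         ZoneId=3
         ReferrerUrl=...
         HostUrl=...
     ZoneId 3 (Internet) is what drives SmartScreen and the "this file came
     from the Internet" prompts.
"""
import configparser
import re
from dataclasses import dataclass

# Assumption: image names of browser components that legitimately write
# download-related streams.  Extend for your environment.
BROWSER_WRITERS = {"msedge.exe", "chrome.exe", "firefox.exe", "brave.exe"}
# Streams a browser writes on downloads (Edge adds :SmartScreen beside :Zone.Identifier).
DOWNLOAD_STREAMS = {"Zone.Identifier", "SmartScreen"}

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Matches a flattened IoC cell such as
#   File opened for modification C:\Users\Admin\Downloads\x.exe:Zone.Identifier msedge.exe
# ("File deleted" is an assumed description, used only for the constructed bypass line).
IOC_RE = re.compile(
    r"^(?P<desc>File (?:opened for modification|deleted|created))\s+"
    r"(?P<path>[A-Za-z]:\\.+?):(?P<stream>[^:\\\s]+)\s+(?P<proc>\S+)$"
)


@dataclass
class AdsIoc:
    description: str
    path: str
    stream: str
    process: str
    verdict: str


def parse_zone_identifier(text: str) -> dict:
    """Parse a Zone.Identifier stream and resolve ZoneId to a zone name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sect = cp["ZoneTransfer"]
    zone_id = int(sect.get("ZoneId", "0"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": sect.get("ReferrerUrl", ""),
        "host": sect.get("HostUrl", ""),
        "marked_internet": zone_id >= 3,
    }


def classify_ads_ioc(line: str) -> AdsIoc:
    """Decide whether an ADS modification is a download artefact or a bypass."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    desc, path, stream, proc = m.group("desc", "path", "stream", "proc")
    file_name = path.rsplit("\\", 1)[-1].lower()
    proc_l = proc.lower()

    if stream not in DOWNLOAD_STREAMS:
        verdict = "other-ads"             # payload or config hidden in a custom stream
    elif desc == "File deleted":
        verdict = "motw-removed"          # deleting the stream is an unmark
    elif proc_l in BROWSER_WRITERS:
        verdict = "browser-wrote-mark"    # expected: download tagging
    elif proc_l == file_name:
        verdict = "self-unmark"           # dropped file edits its own mark
    else:
        verdict = "non-browser-modified"  # script host, archiver, installer, ...
    return AdsIoc(desc, path, stream, proc, verdict)


# Constructed sample of what a browser writes; the URLs are illustrative.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://itch.io/\r\n"
    "HostUrl=https://example.invalid/download/Project%20UroboroS.exe\r\n"
)

# The four rows of the report's "NTFS ADS" signature, verbatim.
REPORT_IOCS = [
    "File opened for modification C:\\Users\\Admin\\Downloads\\Project UroboroS.exe:Zone.Identifier msedge.exe",
    "File opened for modification C:\\Users\\Admin\\Downloads\\Unconfirmed 201417.crdownload:SmartScreen msedge.exe",
    "File opened for modification C:\\Users\\Admin\\Downloads\\MrTomatoS.exe:Zone.Identifier msedge.exe",
    "File opened for modification C:\\Users\\Admin\\Downloads\\Unconfirmed 238949.crdownload:SmartScreen msedge.exe",
]
# Constructed rows showing what a real bypass would look like (not from the report).
CONSTRUCTED_BYPASS_IOCS = [
    "File opened for modification C:\\Users\\Admin\\Downloads\\MrTomatoS.exe:Zone.Identifier MrTomatoS.exe",
    "File deleted C:\\Users\\Admin\\Downloads\\dropper.exe:Zone.Identifier powershell.exe",
]


def triage(lines):
    return [classify_ads_ioc(l) for l in lines]


if __name__ == "__main__":
    zi = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(f"ZoneId={zi['zone_id']} ({zi['zone']}), referrer={zi['referrer']}")
    for ioc in triage(REPORT_IOCS + CONSTRUCTED_BYPASS_IOCS):
        print(f"{ioc.verdict:22} {ioc.process:18} {ioc.path}:{ioc.stream}")
```

Run against the report's four rows every verdict is browser-wrote-mark; only the constructed rows produce self-unmark and motw-removed. On a live host the same stream can be read with PowerShell's Get-Content -Stream Zone.Identifier and fed to parse_zone_identifier.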
Processes

The list below is the report's process tree with the nesting depth restored (1 = top-level process, 2 = child of the Edge browser process 5092). Command lines are reproduced verbatim; the signatures under a process are those the sandbox attributed to that PID.

1  PID 5092  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://itch.io
   signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

   2  PID 2848  msedge.exe (crashpad-handler)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3ef73cb8,0x7fff3ef73cc8,0x7fff3ef73cd8

   2  PID 2412  msedge.exe (gpu-process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2

   2  PID 4764  msedge.exe (utility: network.mojom.NetworkService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses

   2  PID 2324  msedge.exe (utility: storage.mojom.StorageService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

   2  PID 2512  msedge.exe (renderer, client id 6)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1

   2  PID 4652  msedge.exe (renderer, client id 5)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1

   2  PID 560   msedge.exe (renderer, client id 7)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1

   2  PID 1708  msedge.exe (renderer, client id 8)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

   2  PID 3388  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

   2  PID 4036  msedge.exe (renderer, client id 10)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

   2  PID 4724  msedge.exe (renderer, client id 11, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

   2  PID 868   msedge.exe (utility: chrome.mojom.UtilWin)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

   2  PID 2392  msedge.exe (renderer, client id 13)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

   2  PID 972   msedge.exe (renderer, client id 14, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

   2  PID 4704  msedge.exe (renderer, client id 15)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

   2  PID 4928  msedge.exe (renderer, client id 17)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

   2  PID 4976  msedge.exe (renderer, client id 18)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1

   2  PID 364   msedge.exe (renderer, client id 19)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1

   2  PID 1392  msedge.exe (renderer, client id 20)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

   2  PID 2904  msedge.exe (utility: chrome.mojom.UtilReadIcon)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8

   2  PID 3092  msedge.exe (utility: quarantine.mojom.Quarantine)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
      signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; NTFS ADS; Suspicious behavior: EnumeratesProcesses

   2  PID 868   C:\Users\Admin\Downloads\Project UroboroS.exe
      "C:\Users\Admin\Downloads\Project UroboroS.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx

   2  PID 1328  msedge.exe (gpu-process, relaunched with the GPU sandbox disabled and GL off)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5012 /prefetch:2
      signatures: Suspicious behavior: EnumeratesProcesses

   2  PID 3264  msedge.exe (renderer, client id 25)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

   2  PID 584   C:\Users\Admin\Downloads\Project UroboroS.exe
      "C:\Users\Admin\Downloads\Project UroboroS.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

   2  PID 1876  msedge.exe (renderer, client id 26)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1

   2  PID 4348  msedge.exe (renderer, client id 28)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1

   2  PID 3116  msedge.exe (utility: chrome.mojom.UtilReadIcon)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7124 /prefetch:8

   2  PID 3912  msedge.exe (utility: quarantine.mojom.Quarantine)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
      signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; NTFS ADS; Suspicious behavior: EnumeratesProcesses

   2  PID 4864  C:\Users\Admin\Downloads\MrTomatoS.exe
      "C:\Users\Admin\Downloads\MrTomatoS.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx

1  PID 2020  C:\Windows\System32\CompPkgSrv.exe
   C:\Windows\System32\CompPkgSrv.exe -Embedding

1  PID 4432  C:\Windows\System32\CompPkgSrv.exe
   C:\Windows\System32\CompPkgSrv.exe -Embedding

1  PID 2180  C:\Windows\System32\CompPkgSrv.exe
   C:\Windows\System32\CompPkgSrv.exe -Embedding

1  PID 32    C:\Windows\system32\AUDIODG.EXE
   C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004C4
   signatures: Suspicious use of AdjustPrivilegeToken

Note on PID 868: it appears twice in the tree, first as an Edge UtilWin utility process (a short-lived helper) and later as Project UroboroS.exe. Windows recycles process IDs, so these are two different processes that received the same number during the run. The per-PID tables in the Signatures section key on the number alone (EnumeratesProcesses lists "868 msedge.exe"; the dropped-EXE signatures list "868 Project UroboroS.exe"), so rows for PID 868 must be read together with the image name before attributing behaviour to the dropped executable.
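The WriteProcessMemory signature and the process tree only make sense together: a parent writing into the children it has just spawned is indistinguishable, in the IoC table alone, from injection into an unrelated process, and recycled PIDs can merge two processes' rows under one number. The script below is an added example, not part of the tria.ge report. It parses the report's four distinct "wrote to memory of" rows, checks each target against a parent/child table, and flags PIDs bound to more than one image name. The parent PIDs in PROCESS_ROWS are inferred from the tree's nesting (all depth-2 processes sit under the Edge browser process 5092); the table is trimmed to the processes needed for the check, and the final "foreign" write is constructed to show the negative case.

```python
"""Cross-check WriteProcessMemory IoCs against the process tree (added example).

(1) parse "PID X wrote to memory of Y X image N" rows,
(2) decide whether each target is a direct child of the writer,
(3) flag PIDs that appear with two different image names in one run
    (PID reuse), which silently merges two processes' IoCs.
"""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)"
)

# (pid, image, parent_pid).  Parent PIDs are inferred from the report's tree
# nesting; None = top-level process with no parent in the capture.
PROCESS_ROWS = [
    (5092, "msedge.exe", None),
    (2848, "msedge.exe", 5092),            # crashpad-handler
    (2412, "msedge.exe", 5092),            # gpu-process
    (4764, "msedge.exe", 5092),            # network service
    (2324, "msedge.exe", 5092),            # storage service
    (868,  "msedge.exe", 5092),            # UtilWin utility
    (3092, "msedge.exe", 5092),            # quarantine utility
    (868,  "Project UroboroS.exe", 5092),  # same PID, different image
    (584,  "Project UroboroS.exe", 5092),
    (4864, "MrTomatoS.exe", 5092),
    (32,   "AUDIODG.EXE", None),
]

# The report's WriteProcessMemory table collapsed to its four distinct rows
# (the original repeats each row once per write).
WPM_IOCS = """
PID 5092 wrote to memory of 2848 5092 msedge.exe 79
PID 5092 wrote to memory of 2412 5092 msedge.exe 80
PID 5092 wrote to memory of 4764 5092 msedge.exe 81
PID 5092 wrote to memory of 2324 5092 msedge.exe 82
"""


def parse_wpm(text: str) -> list:
    """Return (writer_pid, target_pid, writer_image) for each IoC row."""
    out = []
    for line in text.strip().splitlines():
        m = WPM_RE.search(line)
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["image"]))
    return out


def classify_writes(wpm, rows):
    """Label each write 'parent-to-child' or 'foreign' using the tree."""
    parents_of = defaultdict(set)
    for pid, _img, ppid in rows:
        if ppid is not None:
            parents_of[pid].add(ppid)
    return [
        (src, dst, "parent-to-child" if src in parents_of.get(dst, ()) else "foreign")
        for src, dst, _img in wpm
    ]


def reused_pids(rows):
    """PIDs seen with more than one image name within a single run."""
    images = defaultdict(set)
    for pid, img, _ppid in rows:
        images[pid].add(img)
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


if __name__ == "__main__":
    for src, dst, kind in classify_writes(parse_wpm(WPM_IOCS), PROCESS_ROWS):
        print(f"{src} -> {dst}: {kind}")
    # Constructed negative case: the dropped EXE writing into the browser.
    for src, dst, kind in classify_writes([(868, 5092, "Project UroboroS.exe")], PROCESS_ROWS):
        print(f"{src} -> {dst}: {kind}")
    print("reused PIDs:", reused_pids(PROCESS_ROWS))
```

All four report rows classify as parent-to-child, and PID 868 is reported as reused between msedge.exe and Project UroboroS.exe. A write whose target is not a child of the writer (the constructed 868 -> 5092 case) is the pattern worth escalating.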
Network
MITRE ATT&CK Enterprise v15
Downloads

Paths are given only where the report records them.

Filesize  10KB
MD5       de0eced6511467030faeca0af8959df2
SHA1      1d98440985dd5a5ed4ea5d89643fc3527d331e61
SHA256    80e7d25f44cd922f0eb28da7124dd898d23db594dde3b954a31f1d0d6b728c1d
SHA512    0f3a299833b04156d6648bd755a3e9d62b47c93157b70080cf6e211c5b03f7ccef01277c8164bf761ebfbb05ec7fe085dbeb6c9abb7251b424d29828c3cc315d

Filesize  152B
MD5       a8276eab0f8f0c0bb325b5b8c329f64f
SHA1      8ce681e4056936ca8ccd6f487e7cd7cccbae538b
SHA256    847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da
SHA512    42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Filesize  152B
MD5       058032c530b52781582253cb245aa731
SHA1      7ca26280e1bfefe40e53e64345a0d795b5303fab
SHA256    1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e
SHA512    77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Filesize  95KB
MD5       828f74f1489e053379a3663d4e985c0e
SHA1      61228bc792d5441560915af02dd841375ba80df2
SHA256    c0128d4b5010e64162b73c2407deb762c938057828548f8245d29fcafd872632
SHA512    29caa771645a42e0d0ae2a52ef95b627073e88dab98d1bc6dacc0b24440c5c5a643ad2ec9af4599534bdb4d9894a9835a661c9a56e7ca13f5349a7831b10837c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  1KB
MD5       9bf8e0b283deb22429bc2283b85a3775
SHA1      9b3ae0f310f8b42b57f695e1f3f4c8fed0efeb8c
SHA256    b77f6943c9628579c714736fd22f1fe7fcf720402fed37189098068ff7439021
SHA512    1b63c904ddbcbcca2c47b8ffd219bbbb51dfbe5ea9aebe16b47a8a71dd17adca727db0525e70fa2a57459ec0133f0392125a4b90f1d4ebbb414f284de2a43bb1

Filesize  4KB
MD5       b78a5b98f69b595d1ac0a3fe58924a26
SHA1      1627a3bec4171e6c464ebb867533feb053148cba
SHA256    8f6b8d6a78801e62c26dead48ec369f226db0968f8e4f3a66797ad8f21d71e69
SHA512    fbd3be5660ddae153f111ae963ed3411b52d496d5c81ad9bc9bc8540c10441d55ea968d16dd1e8bde9bdb4d975dee53254ef44ded50f44d36e7fe71c2f35672e

Filesize  4KB
MD5       5e1b38b891346f4ef2e453fc8a189f9f
SHA1      aa0beabf7da14942933234a2a1736edbac32e202
SHA256    ce2dd282282b4ec34366268c6f567bec8cb88f490325bea317d3f344b1e8c8de
SHA512    be95f77a0a61e6dcfb1c7fa69cd5cb626778ff0285e9bf29b5b93c455a98b5eded2df0d6f3ae11339b9fd2bc2abf229f9857115d2e79e181210d85cc30c21473

Filesize  4KB
MD5       e3a446e6db62c113dd4ec75386ceb6ba
SHA1      f1a2f30ac08f71d2e48d2bf380ed3474b4e76b9e
SHA256    870056e421d23aa1055c50df79c04ed3ca2e1013e01a2433e47730c06a2c384e
SHA512    3954b6c6769e9aa6a0879f47f29f0970336cba467c73f36df171da49cf4223ca35c3877dfc9f6cba19d1943a363cc94d3bf1eced44477b19492728acc1aabc80

Filesize  6KB
MD5       9f04569d28c8ce0e34c9c033f726bc1f
SHA1      34e7efb37b48ecb78e978b820d63f6813b64c3cb
SHA256    8b2bd218c5281b8bca3ef9e9e467f1007e142ca6a2e6d0815adb8998d27ee8fa
SHA512    773f3392e1eaf2d8621eeb8ba4d8b264aedaf84da8f808f66003f8cad535533f8f2335d4000c44b56cda068cc20f1f3ae78b9848730b7b9582fe42a683b5be92

Filesize  7KB
MD5       dd693477cb62f4adbf66bc825fbb783d
SHA1      cfcada4cb943e35e9aaa83df455f45f45c45968a
SHA256    aa00062d1de063d146f5983c988280f29bf1acac8b7f82f189b6e665e53d0b4d
SHA512    5ee5e27d2878ce257f82ad4ace810ef83c120c797024021caa1cfb763e1e0c02810b363569329d449b3151c02e2cbf5917721ace21d94863807ce07b25971081

Filesize  704B
MD5       8f8eaf89190996ef010f11e79c86d24b
SHA1      926d206838fbb364a45190c6dbb60e33a0ccf569
SHA256    d9c7190b5b23af2a12b350ac9689dbecd33e10f0c7c2ebeea513858e8901e45d
SHA512    da17d5e847e4ebeec2cb2cbf8aece73b1d4e966bb4555c36c64cd8926c27759143a9a8a9cc75a08a3e181b564b92414e154cab35e8bf0870152a7ccb2363153a

Filesize  706B
MD5       124650d004b792412a5f025f4757c52d
SHA1      47849ebbe8d7a765ed29a66d4bcce7e6528df174
SHA256    9044a63b02fc26def87d76553afc95a4a841a7bddbc97e9c87b6036187b4ab52
SHA512    b9bdc536fbf49a9d2e5d358264788881694b09f635f6b6119519f5225454b9c11b755b8ff6fb1447b509b63617c6786e625424f318839b7daf19a6a324559051

Filesize  371B
MD5       4f1b4c656c47869ac8ee09834f06d601
SHA1      9d19319ba98cf30092aad62ce7fbea90001afb89
SHA256    eeb43c9f6e158d9f480d730832847f52f834114e812e05d74f8dd97732c8fb1f
SHA512    a36fb9f96d4780d268a8f5c13cc78243f08537e8e6d4e24453a5cf071bae374e817c4f41bb7c3f72195af630807a9bcdbb137bbac4df59b9257b06428668c091

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3101aa6-d22c-45f1-91a5-b2515963736a.tmp
Filesize  5KB
MD5       28e860521635bc536cf058822f6a38fa
SHA1      58a044d12e1a271677db131e01e1573bda3131a5
SHA256    0da3731fc50621f2e1c473523c91a67a36a345163b63b54742b1ca6c575719dd
SHA512    d26e1392b369eb5059b17ec4f2cf3a0f12fcf9feda10c76702fff98629bc52f959c2701389e8a958fbb9b7bd0e498c38f1330afb0237e3473cf2f13b0d524f20

Filesize  16B
MD5       206702161f94c5cd39fadd03f4014d98
SHA1      bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize  16B
MD5       46295cac801e5d4857d09837238a6394
SHA1      44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize  10KB
MD5       060a1177cdf725562535bfcb18bd37d8
SHA1      4559fea2b4304552e13f31f070a46d8edcd3770f
SHA256    577f55692d571a5a3f7d81b3681322fb71f54157fedd74677caf3b55876ecc2c
SHA512    24703ed44325edd0892a8f633fabc0ba3eb5529f4335ce0c04f0ffe1bb5dc2030684e62e70271a24770defdc6e0dac7057da5ec610f3d0d1a454a8b50be413ac

Filesize  11KB
MD5       0421e48e2eb142fbb7bfc0c7030f97e1
SHA1      dc1435bce5b7f8a46514f0e15c68207692347ffb
SHA256    92cff50fcc29d5ea089a4304e67ee1ef75b6dc872a5fa8535289be7c6009149c
SHA512    6f24cb9c98bae188abdc303208a1439ec00ccc5a2882b37293e22c1846dd0ae5c946425f4a46a0defc280ea5ec7616f38e4150b46c6e89cc675bef73487173b2

Filesize  16KB
MD5       46b4e07996614b78dfede54705b97091
SHA1      f4634f2fb6d1e512cda68e41c89ee8c2277b59ca
SHA256    6923e91a2ea3d49b9bf807ace894016a0f03c2b5aedb9b2e7da23aab58f83fc7
SHA512    a90929d1dd1daa17e4d2da0934e8fa7d29f98e7681fcb840cb3b20efbb5503e3c9256290c1d4ebd02167db7706f4c33bda433729d2d65575884b232cff0fd573

Filesize  58KB
MD5       b4507e6a8030e670b5c3b1d774826584
SHA1      f252cc0f0c4f8b80073306fa3deb222fc25b7b73
SHA256    4d0b438258cc4ef0043e5ef78142db6fcf8bb34197116d4440d3988d13562b4a
SHA512    8eb6b82fc09d7dbbf5367ef1cf4e128854b3c225aa4acc5955f155680eb59d246c6d325c9f329c5d1d8e450c65741fd38c471c77fd8645da2f978cc514c7148b

C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\clickteam-simple_ellipse.mvx
Filesize  28KB
MD5       44acbfa6bc341c33bfb1be7a891b9307
SHA1      fd5005905f632c3456e5bc2f141db11d9fcd67ed
SHA256    73ea8b5011b1c8e18e5c3f12ee4adc33fcc28385593d1371e828d6b9237ce33c
SHA512    a2ee76974cae652cb80e1e1b6ae678b6e38092fdcf813570db40a63c71cb8e07d8c234808833ed2cd1982c392d979f3adcd1b57a52a2da6239005a6e7e1073f6
(A clickteam-*.mvx file unpacked into a *.FusionApp temp directory is a Clickteam Fusion runtime component, consistent with the dropped games being Clickteam Fusion builds that unpack their extensions to %TEMP% at start-up.)

Filesize  15KB
MD5       f38352c344bd71eb21a78a1b69dcade8
SHA1      eca1053fa4ce77f96752f400d4ffac8f2f158d15
SHA256    38b5dba1524e47ff474d29bb0fb3d7b0476e554cdb82f2de09c4a761ab5645b1
SHA512    70134d7e2d4c589fc3ca5c52e005852d07e6b3cce91db00d32bf121611480601d007ead98c3e2febfdd1ca03a0c723fa46e9b73c0f497b315a6cdcb9f15afd56

Filesize  114KB
MD5       7c0cb7fdc0d3519520cd4b8137edbd80
SHA1      bd4eddd8316a51baf4a3ae68b56acfbba734f46c
SHA256    d1471b2685d45956c323baa2cab11dfe479eb1021f04e2949f03557527c5fc84
SHA512    601c16892bef77d5842e0778f27d4f82e19ae66333b2b75c9a34b3ba6441169946e1167ceb21ed270bddba305abfe50f2e8f8ab2e9dc410c96a31944e597034a

Filesize  79KB
MD5       2c34e977f898ab60eddb72075c4be223
SHA1      adf883dd06e5ae340a03e6c22a56a4c0caf909ea
SHA256    a0ada42e3a4760097c1c2f98905f12b19de47159543aa21e1c604dbcac7337f2
SHA512    73402857d09e5a0e8049bb7adf3bbfdfc9ac65966217751cbf6db2bf532aa3f92ffc3a1a5dcda638e83d6ede29ebe6e760cbad74d27aa6fa006c9296607d3c37

Filesize  1.1MB
MD5       72bb9180f8905c0da95566b778cdac5e
SHA1      e96145e8120514092b35f67f1f120b958997f921
SHA256    3cde7a9181ab63a42cd3535d279d0ab1397b7b78fa3ddddef832757ab2024101
SHA512    c2c8d8c74c53a78545e69f27a7fe1a6d1291888158962e93e16e6ec9950f86e74c68bd2eb50d04db0bff58e8dc93455aa384245991c5afe34abee36fef53710f

Filesize  509KB
MD5       98f647d1ed220e1d715aed9dcf69f387
SHA1      d1d9f5361672553a394bee9afe1d30814dd0ac53
SHA256    3a288448e88a296b2bceeaf093e76a22e3083e937a3c4efeb6a61565ca7e35df
SHA512    e950658b0afdad722a9f243bb8ae7fbc1c541dd0513379ef9e1d99becf8b31b4098c6789204baf3f15ea26f43af665edaa9799a6617373009def81bb20f02a06

Filesize  24KB
MD5       dadc138be9d36e6e4b8e4bf9ef2de4bc
SHA1      2758db786c544ec7889f26edf9bc4634c9240af0
SHA256    ddeafda7b28bf7545e3ba164aa4a74219eb961c36bb974e0f5085a07daf18f44
SHA512    63a21c5eda225c7fb8a67595c3180d4fdc1bc37d3b45f839e1b562ef946bf5b2237a9ff17c3f6f5de489779bbb9652ac2a1a74b83f153883bd436756acf249e1

Filesize  8KB
MD5       57ea61dd14314ef155e80c6a0be8a664
SHA1      963b0ef2fe976ff77044a821fe1e29be4a8cf8a7
SHA256    92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad
SHA512    cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Filesize  287KB
MD5       0572d03da13e13cecdccff2e64f9f4f5
SHA1      a1fcc08ac261edeb3c2b95f007c93fe1398583c7
SHA256    c4507e348be20dacff1caf80047009924a7dafde2f6d4fcd3a119e36c3b0a259
SHA512    68790d0a9b0ccac5389e551408c10bcb2430daa28162bf8de29fe327c78c72bc61181366d6e0f61ba661977daa825aa865255b71ba4cd0ecbc0f403d608d71d0

Filesize  32B
MD5       54040a6a70fd243646e5123cd9a432d8
SHA1      0b6f9e6f565bf666aa636b2cd7294fd3477167ba
SHA256    6799156695e927ff205958bfbe8ccdb416408881d18fc7f7f999a29a4f5f4990
SHA512    1602dbbf4581e55ce38daf85670f6b7136e3df26ab5b3d9a8b7e2856e0341fd6a7df251c2dd609695a8b0668bfb1d1441a2ad9a624237586a8a4174a6f06da73

Filesize  32B
MD5       11822677f818ac903f7941fb8463d048
SHA1      d6c52c515c94354ebb4a7ad35dcf1b71ff2a3340
SHA256    a61cc720b2cfc04b93504969bc2c64fdddefe849c7227d3e62fdc858db7f10aa
SHA512    d8e1f39bd8c3a49c9e12557b82a09806ff13b1f21501990de2ea41f72cd1756beaeda886ed8528c2a629a056e3525acc79d124a2be9911c48d4226abdb0594d4

Filesize  2B
MD5       f3b25701fe362ec84616a93a45ce9998
SHA1      d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize  26B
MD5       fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1      d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256    eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512    aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize  8.5MB
MD5       07d1f1241c250f48987f9e930efc2d52
SHA1      9d576d38d22188616685c96ee370e18d173256b4
SHA256    968b48ed1b85ac728f604f06206d02bc719f43d7ed5c135c0fbb9f4b2eaa6207
SHA512    f522311838106b95f3ec0f5c1eee4a85a80d4a91f3cdd6f7a6fe3004a630dd47283aba4b10389a031a36bf8f33c4107df046168f19dc15897f5a2970eaa806a9