hxxp://github[.]com

max time kernel
148s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/12/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4964	WinNuke.98 (1).exe
1004	WinNuke.98 (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
49	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98 (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98 (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 125809.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98 (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 486307.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Walker.com:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 933993.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 203481.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
4144	identity_helper.exe
4144	identity_helper.exe
3520	msedge.exe
3520	msedge.exe
3636	msedge.exe
3636	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 5084	2348	msedge.exe	77
PID 2348 wrote to memory of 5084	2348	msedge.exe	77
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4968	2348	msedge.exe	78
PID 2348 wrote to memory of 4128	2348	msedge.exe	79
PID 2348 wrote to memory of 4128	2348	msedge.exe	79
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80
PID 2348 wrote to memory of 128	2348	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0c4e3cb8,0x7ffd0c4e3cc8,0x7ffd0c4e3cd8
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1160 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Users\Admin\Downloads\WinNuke.98 (1).exe
  "C:\Users\Admin\Downloads\WinNuke.98 (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Users\Admin\Downloads\WinNuke.98 (1).exe
  "C:\Users\Admin\Downloads\WinNuke.98 (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
9b21dc674629be97b5c7938f3674f9b6

SHA1
681cd26a5ee73f0332ba592efa5662c9dce68e8a

SHA256
617feb9a95a7877b1fb62b45c6b7eda4ac29f20245fb9adaa7783d49e40bce51

SHA512
db2e97836020216384265930159af1a26d6af0c1fb429e76081788b2d3d75ad9f00db72e64e2cc2ee788206a250824503f75b2a42e089146fb6a860e07232205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
73cfae61313bff85e51a3b676ee86c6d

SHA1
3ab033633f15b93b380a0b380a3119f98ca97b38

SHA256
b8e99d8f05643a41176113b959415629d65adcc48e26f2804df1cec612ea4e9f

SHA512
a68e3221aa202995c1d67aa7b6f6878deecbffae4747fc24decd08f10552c2fa123c09d5544c35820d557cf423a1d2a271d48316ff26598df4bb57ec7ee76b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
844B

MD5
68fb1fa3691942d0dfe99364a6f5d6af

SHA1
a1e9627d9aecc5585e1f1cb83f402baef9bc2a86

SHA256
5b9377d5a7fb412a5544d5155acc6327909b85e721ac3d76f136243356f14e11

SHA512
8251f3dc9a5fdf66250949754970d4ff646ae5960fd28548bc11eb0844874e4c7c4a9754ed493254d41a25f73fbe663f76b11e51e4eaf78dce17e090e388b65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1014B

MD5
98a97dbd22ec9dd68776b9aa96da62f8

SHA1
df9ee87a0d24c215efd08113760ec4c80d4f7f73

SHA256
1f8d0feb39601e17df3c705c26a39db51c73c8dabd7f1f32abed79918fd31b7a

SHA512
a23d38b5a1d773c9480dc21e2df5a36b4333c98016cebf3687f1e528e7e90ceb420016c89a6f4cc7472f175edf84133596b90744a2f50c7185d36dad3427d12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25a6571f111f737f2a693c858c3f6402

SHA1
6591e42de4df217c3e41b28e09df430d522e7264

SHA256
4391d8416aa70b223b582896d723880e8023954a6b6ca62c7ae6017cfb5722c1

SHA512
78d4e877a317dfc51baf32d97f6dc57640b6a257d846b1c59e1c370960a399207c64877ffad73155a2e87831c86cd419ac757044b365b6b03aef337bf119b8f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b68cadcc6b669b6308e48de6ac0e3e5

SHA1
a7ec819805d679e7946ee1aea3698ef93a2540d3

SHA256
b3f915cd2ac39d0da796d21509001462f4cd0174761f18eb1abb25bb0c574a6e

SHA512
313290098dea85e9535bf9550e6de104881b113befce834f117bc2ec048e56bbf3eb6a1fb49e292c7cb74db106551406747bf65ab03d0b1d42c9dab08982dd30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a99f298c15b1e7bbd287857faccebd2

SHA1
bbdcd56d650d81a1fada61a9c903500bd5476162

SHA256
2d80339dab1ec8609160f2dbdf660f9d06d38950ec4653a8ace09f1395faa24a

SHA512
3fed6dfd4a626857d128c1e47acdd916c038a46b2f79ea4c66b99b2858483e7095cb0244e7a21371d22640c9d28a576ca448150f0ae0dd9afde6ed5c0669d262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8d73d4b4535befd90b45992c12f83f7

SHA1
205b17126b5f32f847e948c2b554a2214e8cbeba

SHA256
da0c2a2af0106fb850315647decabd947b384c5646f15585138d00c9f1c73edc

SHA512
611da65d060e1f82920c297e36323e895a605af9c8c3e71240d1e8eb02276e9a6f4b4cda236e7edff9d6f03a35cd1a8e6269f05a906f4a2a05f240c6cea7fd91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c8cb77e58b356230a5f89700bd99d28

SHA1
956b1bcfd328594601ce609536bba3ca0ab9103c

SHA256
70619accb003088e83188edb4050cb2dac9c343730776b97ca58fed8ccef2450

SHA512
cf50a4aae2e51ae1fca8928fc667771896297158327a0f332bfc50fa3f2675193c575f7b64ba1876bacabab790b123a3ce5eee56d9932692d70f311b835dc5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b8f654c78f6359510a58f1ea5659f57f

SHA1
2267af70f806a4d9d0f744a0f23050a1ce4cc044

SHA256
e87058c3ac8331fb08d7a0e499a72f354660c69ec77b467479853329d03eee1f

SHA512
742d8061eb78945beeddbc49d9a1ce64dfe92852d067d4d1089c9a970d37cdb5e8f947e68f8a5d2d874b6a727340f71c78925353212218805b5f1c0adf3d6858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15e43d1ef54d9de416ce1b1235fd180f

SHA1
af1a0240511ff3b22f04bf482c5ceb21e61b22c2

SHA256
587d4ce9faf13ce4d3e0aa19e246caba5a76171f890d9eda9043a5987d8a1441

SHA512
9eb2875f34d0ed3caf1b91bc5bddf9d075bea857cf3d8cf98bc71d30711dc5fa439397bca3f8530df032123ef1a831aedab850cbd0f3f83dd0402dd52cd52e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef5aaceae27c6a3ca5c0472a3ca05f2f

SHA1
42cdb29b802357a60d481184f5c8db320fd24840

SHA256
2680d5892fcd3b755203fd14a7e5ba5fd70b131a330f0c94e5c9ddb7ce9ec618

SHA512
492f16d7b836dfb1985535d7ce0c4f8c4c4449743bd462923f8337e385ea48e3ecc1c96d3031c3120ff50413f07c9ba176b851bea46aa3cb09a86ac3a7f28610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac0bcee8941ced66e56d72d62f05afa4

SHA1
efe4a8b8a783c6a9c4c276b85dd49cb42e7939bd

SHA256
10c83dae443fcc0665d8194eac23d058093a161effd8eb8e9e645093a7c81ac3

SHA512
4568481c1c5a87489b53a57a79f4575808e75282868174b2ce397d9718acc00909656b7f88ec3f2ae56f1c68c43d8a8c9237a92a371e2f8e9eb3d0f6229d868f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e820e04c8dff1eaa74a288475d465fc

SHA1
7f47aa47cf9472e941584a3f773fd0e77401f0e0

SHA256
8c8b092aa4574f49a5bb031fd6890c9fdfe04043efc9c8be0b35a90876994311

SHA512
23bc8b9215332361b42caada06e5021aabbff98b557f8d924db3dc1cf1070462cbf440ad07f78e0f2e494e04c129f6583eef595e425aae48471b49bc56495ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d34e.TMP

Filesize
706B

MD5
538ab7bbdbdc1ed8cd03be1adf93560f

SHA1
43342eb9b6b98202cfc5e3604ec31a756f946007

SHA256
96dfe3096778d2840fc7801993a351158bcff6e28b35eee52a166841c3ce274e

SHA512
bb8a5edb02c0ead849f49c3fe08b65a71dabc723825a81827bfc821c26b88d20d1d75201eacdbea1037fa2f805a8aef747e93568119a12d7d2ed8656a04f8fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9c37c2b681be47f48542a3048a140f95

SHA1
64474aa5bb43d482a69ee4e0f1176513be01d363

SHA256
450019c429d5fe272fd5e66c8fb22f26595e14202d2e28e76637636c4f72ef77

SHA512
ec9c85fc0b09fb8e42ecc58bf2c6d548838984d8fec4133a23546bc9e757b485af4e54fa4f600021f5893584d30e956187b6103303a8d591df253626b475d312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f69041634d3754b84ec1a9971f4fc5fd

SHA1
8e27344c29b93e362c2840a063b30db96bdb8caa

SHA256
45ec5750989b54fb6c04f87a31e4d836f8bdfed7617cf71e92939b2a449dee1c

SHA512
bb9a3121c3737ff365250f8e5b40870e3b1154dbf49e41bfac6d43fd72c8545a16d8172ad01263eee14b922b473946f6eff9c752cf0bdf04718826092af462c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0272d7c46f82eae9bef631c4de75d55f

SHA1
e0953ca1db3ac246ee1d2e468295048999acc831

SHA256
a1016acccbf6f3e3c38680a47dd390d8baa0c471429717f431b8e5a24cc73de3

SHA512
1f4e354e2fc8644a5110c7db8c3f490ec5988f8bb068f8e353b10ccd2c120dec186dfb7bd417a06a3bffb878469c73e3c8741275daa23228df21f6715fbd488b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9eceba654b07ab184c0200605e882e4f

SHA1
c9352488fc6a0c99adb5b28bd4e2df81c2f6aad1

SHA256
6228c6ddf7a4eed9389c81f768af4415b47755739c32e4224ca6e700c4dce35e

SHA512
eb6fd31f4b9742f8ee291a4adee8e2f80a93381bd3aabb60135a78ccb1bcb2acc53deb01c56fc154a563f8b6040da3d4ac2266b5f082070f295e62bfb0e348bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 486307.crdownload

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 933993.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Walker.com:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit