Resubmissions
Submitted            Analysis ID          Score
13/12/2024, 18:20    241213-wy6jaaxjh1    6
13/12/2024, 18:17    241213-wxfw8sxjfs    10
13/12/2024, 18:14    241213-wvrwqaymam    8
13/12/2024, 18:11    241213-ws1qvawrex    10
13/12/2024, 18:08    241213-wra4sswraw    8
13/12/2024, 18:05    241213-wpj9paykdl    10
13/12/2024, 18:01    241213-wmcrtsyjfr    8
13/12/2024, 17:59    241213-wkpcvayjbn    6
13/12/2024, 17:56    241213-wjh5faxrgq    8
Analysis
max time kernel: 148s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13/12/2024, 18:08

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://github.com
Resource: win11-20241007-en

General
Target: http://github.com
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
  pid   Process
  4964  WinNuke.98 (1).exe
  1004  WinNuke.98 (1).exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  22    raw.githubusercontent.com
  49    raw.githubusercontent.com
-
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  description                   ioc                                                          Process
  File opened for modification  C:\Users\Admin\Downloads\WinNuke.98 (1).exe:Zone.Identifier  msedge.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WinNuke.98 (1).exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
NTFS ADS (6 IoCs)
  description                   ioc                                                                  Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 125809.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\WinNuke.98 (1).exe:Zone.Identifier          msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 486307.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Walker.com:Zone.Identifier                  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 933993.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 203481.crdownload:SmartScreen  msedge.exe
-
Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid   Process              entries
  4128  msedge.exe           2
  2348  msedge.exe           3
  4144  identity_helper.exe  2
  3520  msedge.exe           2
  3636  msedge.exe           2
  3112  msedge.exe           4
  4308  msedge.exe           2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (20 IoCs)
  pid   Process     entries
  2348  msedge.exe  20
-
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process     entries
  2348  msedge.exe  64
-
Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process     entries
  2348  msedge.exe  12
-
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2348  msedge.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
  description                         pid   Process     procid_target  entries
  PID 2348 wrote to memory of 5084    2348  msedge.exe  77             2
  PID 2348 wrote to memory of 4968    2348  msedge.exe  78             40
  PID 2348 wrote to memory of 4128    2348  msedge.exe  79             2
  PID 2348 wrote to memory of 128     2348  msedge.exe  80             20
Processes
- msedge.exe (PID 2348)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 5084)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0c4e3cb8,0x7ffd0c4e3cc8,0x7ffd0c4e3cd8
  - msedge.exe (PID 4968)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  - msedge.exe (PID 4128)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 128)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  - msedge.exe (PID 1748)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  - msedge.exe (PID 1488)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  - msedge.exe (PID 3372)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  - msedge.exe (PID 2984)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
  - msedge.exe (PID 2436)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  - identity_helper.exe (PID 4144)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4284)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  - msedge.exe (PID 1248)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  - msedge.exe (PID 3520)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 412)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  - msedge.exe (PID 4008)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  - msedge.exe (PID 2564)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  - msedge.exe (PID 416)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3504 /prefetch:8
  - msedge.exe (PID 1560)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  - msedge.exe (PID 3200)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  - msedge.exe (PID 1608)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  - msedge.exe (PID 2952)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1160 /prefetch:1
  - msedge.exe (PID 2308)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  - msedge.exe (PID 3684)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  - msedge.exe (PID 3120)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  - msedge.exe (PID 3636)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
    Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 1116)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  - msedge.exe (PID 4556)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  - msedge.exe (PID 2372)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  - msedge.exe (PID 3844)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  - msedge.exe (PID 1892)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7300 /prefetch:8
  - msedge.exe (PID 3112)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6884 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4960)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
  - msedge.exe (PID 4308)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,3012193047786892560,4454185279686482459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; NTFS ADS; Suspicious behavior: EnumeratesProcesses
  - WinNuke.98 (1).exe (PID 4964)
    "C:\Users\Admin\Downloads\WinNuke.98 (1).exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - WinNuke.98 (1).exe (PID 1004)
    "C:\Users\Admin\Downloads\WinNuke.98 (1).exe"
    Signatures: Executes dropped EXE
- CompPkgSrv.exe (PID 4056)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 1228)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- AUDIODG.EXE (PID 644)
  C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: e9a2c784e6d797d91d4b8612e14d51bd
SHA1: 25e2b07c396ee82e4404af09424f747fc05f04c2
SHA256: 18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
SHA512: fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1
-
Filesize: 152B
MD5: 1fc959921446fa3ab5813f75ca4d0235
SHA1: 0aeef3ba7ba2aa1f725fca09432d384b06995e2a
SHA256: 1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
SHA512: 899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06
-
Filesize: 17KB
MD5: 18a9531f05f4a3662558d102349767b1
SHA1: 328114b78180b5931d651669bf0b21d3a5cf8adc
SHA256: 2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716
SHA512: b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f
-
Filesize: 3KB
MD5: 9b21dc674629be97b5c7938f3674f9b6
SHA1: 681cd26a5ee73f0332ba592efa5662c9dce68e8a
SHA256: 617feb9a95a7877b1fb62b45c6b7eda4ac29f20245fb9adaa7783d49e40bce51
SHA512: db2e97836020216384265930159af1a26d6af0c1fb429e76081788b2d3d75ad9f00db72e64e2cc2ee788206a250824503f75b2a42e089146fb6a860e07232205
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: 73cfae61313bff85e51a3b676ee86c6d
SHA1: 3ab033633f15b93b380a0b380a3119f98ca97b38
SHA256: b8e99d8f05643a41176113b959415629d65adcc48e26f2804df1cec612ea4e9f
SHA512: a68e3221aa202995c1d67aa7b6f6878deecbffae4747fc24decd08f10552c2fa123c09d5544c35820d557cf423a1d2a271d48316ff26598df4bb57ec7ee76b2c
-
Filesize: 844B
MD5: 68fb1fa3691942d0dfe99364a6f5d6af
SHA1: a1e9627d9aecc5585e1f1cb83f402baef9bc2a86
SHA256: 5b9377d5a7fb412a5544d5155acc6327909b85e721ac3d76f136243356f14e11
SHA512: 8251f3dc9a5fdf66250949754970d4ff646ae5960fd28548bc11eb0844874e4c7c4a9754ed493254d41a25f73fbe663f76b11e51e4eaf78dce17e090e388b65c
-
Filesize: 1014B
MD5: 98a97dbd22ec9dd68776b9aa96da62f8
SHA1: df9ee87a0d24c215efd08113760ec4c80d4f7f73
SHA256: 1f8d0feb39601e17df3c705c26a39db51c73c8dabd7f1f32abed79918fd31b7a
SHA512: a23d38b5a1d773c9480dc21e2df5a36b4333c98016cebf3687f1e528e7e90ceb420016c89a6f4cc7472f175edf84133596b90744a2f50c7185d36dad3427d12e
-
Filesize: 6KB
MD5: 25a6571f111f737f2a693c858c3f6402
SHA1: 6591e42de4df217c3e41b28e09df430d522e7264
SHA256: 4391d8416aa70b223b582896d723880e8023954a6b6ca62c7ae6017cfb5722c1
SHA512: 78d4e877a317dfc51baf32d97f6dc57640b6a257d846b1c59e1c370960a399207c64877ffad73155a2e87831c86cd419ac757044b365b6b03aef337bf119b8f4
-
Filesize: 5KB
MD5: 4b68cadcc6b669b6308e48de6ac0e3e5
SHA1: a7ec819805d679e7946ee1aea3698ef93a2540d3
SHA256: b3f915cd2ac39d0da796d21509001462f4cd0174761f18eb1abb25bb0c574a6e
SHA512: 313290098dea85e9535bf9550e6de104881b113befce834f117bc2ec048e56bbf3eb6a1fb49e292c7cb74db106551406747bf65ab03d0b1d42c9dab08982dd30
-
Filesize: 6KB
MD5: 7a99f298c15b1e7bbd287857faccebd2
SHA1: bbdcd56d650d81a1fada61a9c903500bd5476162
SHA256: 2d80339dab1ec8609160f2dbdf660f9d06d38950ec4653a8ace09f1395faa24a
SHA512: 3fed6dfd4a626857d128c1e47acdd916c038a46b2f79ea4c66b99b2858483e7095cb0244e7a21371d22640c9d28a576ca448150f0ae0dd9afde6ed5c0669d262
-
Filesize: 6KB
MD5: b8d73d4b4535befd90b45992c12f83f7
SHA1: 205b17126b5f32f847e948c2b554a2214e8cbeba
SHA256: da0c2a2af0106fb850315647decabd947b384c5646f15585138d00c9f1c73edc
SHA512: 611da65d060e1f82920c297e36323e895a605af9c8c3e71240d1e8eb02276e9a6f4b4cda236e7edff9d6f03a35cd1a8e6269f05a906f4a2a05f240c6cea7fd91
-
Filesize: 6KB
MD5: 3c8cb77e58b356230a5f89700bd99d28
SHA1: 956b1bcfd328594601ce609536bba3ca0ab9103c
SHA256: 70619accb003088e83188edb4050cb2dac9c343730776b97ca58fed8ccef2450
SHA512: cf50a4aae2e51ae1fca8928fc667771896297158327a0f332bfc50fa3f2675193c575f7b64ba1876bacabab790b123a3ce5eee56d9932692d70f311b835dc5ca
-
Filesize: 1KB
MD5: b8f654c78f6359510a58f1ea5659f57f
SHA1: 2267af70f806a4d9d0f744a0f23050a1ce4cc044
SHA256: e87058c3ac8331fb08d7a0e499a72f354660c69ec77b467479853329d03eee1f
SHA512: 742d8061eb78945beeddbc49d9a1ce64dfe92852d067d4d1089c9a970d37cdb5e8f947e68f8a5d2d874b6a727340f71c78925353212218805b5f1c0adf3d6858
-
Filesize: 1KB
MD5: 15e43d1ef54d9de416ce1b1235fd180f
SHA1: af1a0240511ff3b22f04bf482c5ceb21e61b22c2
SHA256: 587d4ce9faf13ce4d3e0aa19e246caba5a76171f890d9eda9043a5987d8a1441
SHA512: 9eb2875f34d0ed3caf1b91bc5bddf9d075bea857cf3d8cf98bc71d30711dc5fa439397bca3f8530df032123ef1a831aedab850cbd0f3f83dd0402dd52cd52e8b
-
Filesize: 1KB
MD5: ef5aaceae27c6a3ca5c0472a3ca05f2f
SHA1: 42cdb29b802357a60d481184f5c8db320fd24840
SHA256: 2680d5892fcd3b755203fd14a7e5ba5fd70b131a330f0c94e5c9ddb7ce9ec618
SHA512: 492f16d7b836dfb1985535d7ce0c4f8c4c4449743bd462923f8337e385ea48e3ecc1c96d3031c3120ff50413f07c9ba176b851bea46aa3cb09a86ac3a7f28610
-
Filesize: 1KB
MD5: ac0bcee8941ced66e56d72d62f05afa4
SHA1: efe4a8b8a783c6a9c4c276b85dd49cb42e7939bd
SHA256: 10c83dae443fcc0665d8194eac23d058093a161effd8eb8e9e645093a7c81ac3
SHA512: 4568481c1c5a87489b53a57a79f4575808e75282868174b2ce397d9718acc00909656b7f88ec3f2ae56f1c68c43d8a8c9237a92a371e2f8e9eb3d0f6229d868f
-
Filesize: 1KB
MD5: 2e820e04c8dff1eaa74a288475d465fc
SHA1: 7f47aa47cf9472e941584a3f773fd0e77401f0e0
SHA256: 8c8b092aa4574f49a5bb031fd6890c9fdfe04043efc9c8be0b35a90876994311
SHA512: 23bc8b9215332361b42caada06e5021aabbff98b557f8d924db3dc1cf1070462cbf440ad07f78e0f2e494e04c129f6583eef595e425aae48471b49bc56495ec2
-
Filesize: 706B
MD5: 538ab7bbdbdc1ed8cd03be1adf93560f
SHA1: 43342eb9b6b98202cfc5e3604ec31a756f946007
SHA256: 96dfe3096778d2840fc7801993a351158bcff6e28b35eee52a166841c3ce274e
SHA512: bb8a5edb02c0ead849f49c3fe08b65a71dabc723825a81827bfc821c26b88d20d1d75201eacdbea1037fa2f805a8aef747e93568119a12d7d2ed8656a04f8fec
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize: 11KB
MD5: 9c37c2b681be47f48542a3048a140f95
SHA1: 64474aa5bb43d482a69ee4e0f1176513be01d363
SHA256: 450019c429d5fe272fd5e66c8fb22f26595e14202d2e28e76637636c4f72ef77
SHA512: ec9c85fc0b09fb8e42ecc58bf2c6d548838984d8fec4133a23546bc9e757b485af4e54fa4f600021f5893584d30e956187b6103303a8d591df253626b475d312
-
Filesize: 10KB
MD5: f69041634d3754b84ec1a9971f4fc5fd
SHA1: 8e27344c29b93e362c2840a063b30db96bdb8caa
SHA256: 45ec5750989b54fb6c04f87a31e4d836f8bdfed7617cf71e92939b2a449dee1c
SHA512: bb9a3121c3737ff365250f8e5b40870e3b1154dbf49e41bfac6d43fd72c8545a16d8172ad01263eee14b922b473946f6eff9c752cf0bdf04718826092af462c0
-
Filesize: 10KB
MD5: 0272d7c46f82eae9bef631c4de75d55f
SHA1: e0953ca1db3ac246ee1d2e468295048999acc831
SHA256: a1016acccbf6f3e3c38680a47dd390d8baa0c471429717f431b8e5a24cc73de3
SHA512: 1f4e354e2fc8644a5110c7db8c3f490ec5988f8bb068f8e353b10ccd2c120dec186dfb7bd417a06a3bffb878469c73e3c8741275daa23228df21f6715fbd488b
-
Filesize: 11KB
MD5: 9eceba654b07ab184c0200605e882e4f
SHA1: c9352488fc6a0c99adb5b28bd4e2df81c2f6aad1
SHA256: 6228c6ddf7a4eed9389c81f768af4415b47755739c32e4224ca6e700c4dce35e
SHA512: eb6fd31f4b9742f8ee291a4adee8e2f80a93381bd3aabb60135a78ccb1bcb2acc53deb01c56fc154a563f8b6040da3d4ac2266b5f082070f295e62bfb0e348bd
-
Filesize: 4KB
MD5: 93ceffafe7bb69ec3f9b4a90908ece46
SHA1: 14c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256: b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512: c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144
-
Filesize: 32KB
MD5: eb9324121994e5e41f1738b5af8944b1
SHA1: aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA256: 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA512: 7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize: 55B
MD5: 0f98a5550abe0fb880568b1480c96a1c
SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6