Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
03/03/2025, 19:05
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
-
Chimera family
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Renames multiple (3258) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Downloads MZ/PE file 6 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 27 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
NTFS ADS 8 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc121146f8,0x7ffc12114708,0x7ffc121147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5072 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3464 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\WinNuke.98 (1).exe"C:\Users\Admin\Downloads\WinNuke.98 (1).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\WinNuke.98 (1).exe"C:\Users\Admin\Downloads\WinNuke.98 (1).exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6136 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6524 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"2⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5364 CREDAT:17410 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3883725423 && exit"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3883725423 && exit"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:25:004⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:25:005⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\5C7E.tmp"C:\Windows\5C7E.tmp" \\.\pipe\{625078C0-4795-4897-BDFD-756CB1369FEF}4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6236 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10277647414352332725,7231810604746850408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1184 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD591281d7f18713b8be65f361335cd720a
SHA1bb4510cf09268646177189c21709c832be6488a9
SHA256529a4e90d34063301a519f563dd652dd0e341fb850a60f08d4339ce57903d352
SHA512961cd4574a8a10a7fda4b81baf4f941ca17be81bf2bd6338c014d3d14a5907ba9019d07d88ed8ee283648a70ce3cae99bc5c7a139333277be6b1628e199fbd7b
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
4KB
MD5da597791be3b6e732f0bc8b20e38ee62
SHA11125c45d285c360542027d7554a5c442288974de
SHA2565b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
Filesize
152B
MD5010f6dd77f14afcb78185650052a120d
SHA176139f0141fa930b6460f3ca6f00671b4627dc98
SHA25680321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7
SHA5126e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5
-
Filesize
152B
MD5f09c5037ff47e75546f2997642cac037
SHA163d599921be61b598ef4605a837bb8422222bef2
SHA256ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662
SHA512280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473
-
Filesize
1KB
MD5691807df205ba4124627ddb8ea2b049d
SHA1a7fa5cbcf4ddb496a049faac24682f25b774f5f3
SHA256cc6319a0a9adcdbadca9bbf318107ad1744ea014f7b82b51907579ed165c4da8
SHA512b81a3214fdabf57bbf7c4c7a6d5f803336007fbfaed8e0911a0b9825ee567410275e1b9378b96a88f1669408e439b97275b03e1290d2f783f11f5d5fdb6b59a9
-
Filesize
579B
MD549c8405f7b641371c2c9bb3783578c1d
SHA13439af403c4c125fa058ec0edee8769213b03ffa
SHA2561c07e79b8c1034f01a9b1d102090018264ca749f265fcc6a909982d684754ad3
SHA5127121c90cc94dceb339e37f467b8ffc35efca5781a0623bad4ecd7de494a5ac620bb2e080ff2ba3609d4a26a6b326c1143f4b617d57c2970a7e0d8d646f48d01c
-
Filesize
5KB
MD5c4a59f0797fffb039d795701ba9e7dd9
SHA17bbabe0948c651148d9855f19b64f5bbe8599ac3
SHA2561cd195f16937b315042b08451c75292729a5137263449d00f8a1669c8fafcf06
SHA51282e7a45bb93cb4c2d3299e758ede3a5df54ed01f788e7b63c15c176450febca8808981f6b8e61cd248583165fedff0a791cbfd32c3e145c749769868b135c40c
-
Filesize
6KB
MD5e0d7e63188d9f6c80006703de3f574e9
SHA1ac815510fc9899f0b768429496f1ec2b625598af
SHA25622de73d00d11ee9aac164ea68cac01f2dd7c1a25e54e19403bdbb21ad0ddc4fc
SHA51290b69aed995501e074884ca8989c5a577e44e859ce25f37c8896730a39a7896afb892056755ae0bed5690b8ddcc12ff50bad1b73c42a887371a49bcee623016f
-
Filesize
6KB
MD527ddacf0b21b34824f1a255abf172324
SHA15d50ec46cc3dae83e4c07abb2eed4c00ed167f17
SHA256c4b34d9e3d4575649236a765b222212194a9392d83dedc403e83d9c622a8455b
SHA512ffbe56dddd2911d01a0c4bcdd9f8af92bb3109a6bbed97ce42f8c6c1768964a2c8447da4bdf9840ecc167bce20c82a72834e9a19383e6cf1809d8cf3e8bde7b4
-
Filesize
6KB
MD5a7ff46f5e53ac2913fda91543015e20b
SHA18c79601963205799493a6b9ed5f9e8a5a7390f3e
SHA2568bb26891cc2901f90ef5742f626dcbeeabd2674f414ba81721729a83c9f3c85f
SHA51205c60e5f0d099c9739017ebe151f604af8fedb2de9b1f367f027eb637cad8c4c6ffd851fe6018c88dbcc552fb0bc5024c14d666b08e85099b1541a92b4ca3b64
-
Filesize
1KB
MD5c5379ba3d4c056f15e6e17dd6447e772
SHA1e2a6ad44d15e26168fc9a479365e67db45ecc3e2
SHA256fed3dab41ed8f2f0671663757e08388a648fcac85c99ca37d35bf5ac16d0e039
SHA512f96f17cfa49ec9561f71c7a3fe91ee5e1353a56174795ce0377ecacf578b4d6efa6e88dac4d7e7fd8bb01f4261246701d5f0a26ff95c230689eefb18fc3c70c4
-
Filesize
1KB
MD5aaf49de99e0a91a54a821f7b86095f9c
SHA13bfed38fecf84fb9bb0efea50aa8701dc0a27575
SHA256cd44256191e2c5f7d4098388f4e5e076eba793864edb157c1d9fa284d25c2cd6
SHA5121b52d1e1685d69f045f5c741028f3fa2934a9a13891ba1606da47ff4d67fcf618c90ee8890a2b69ff0f5798423ba4cdd4f6a4f08fb5a451664a6840c9ee3d007
-
Filesize
1KB
MD52c915ea7fc674f9def9b738f62e2ec2c
SHA1d6b0ab88954273030dc40e29984bc291d393f5ea
SHA2568c4215580bbe3612815137466e4a26dfef6086043d7b32e78f3e88495a452166
SHA5127fb1daf9138c725bc33489952a1419d582425a9ca67af5da403f90ed9009e635a6378de276f83346f033f0aefe36203da75f675b44e313207ce1f859d1aeaf19
-
Filesize
1KB
MD57f51ef2b684d8d89f7023403f15f9fd6
SHA1edf4fca9523d08371c2216ef675caa4084e61395
SHA256caaf09686940bdba06548a63cf8ca6b966ba3906164da4a69d1dc9210accbc6c
SHA5126f1fc6ebb18fc3ee6c0e6492d115ea986c8e50d8c6fbff6b490ed9ae0380392225658c0a4bb35f7ea59ebc281feed4ed81f1e3c61de3689ed94151a23ce4b1a4
-
Filesize
1KB
MD5a35d2fa86c1e2fb930cd82c7768c3e86
SHA1461b51ae9cf258bc35b2e7ba23ce7c9ec8f4540b
SHA2561e5e6a81b071adacf9ad9cb38a3433a2021c069e1a707f9769ae3d57293bee12
SHA512b63f7fe989f0dcc1c15ecaf35df5c1e428338c653426c17dd24c68daa6c6520a3c1ef7b763b6270bda20aff94bfa0e2e91c556bbfc6121fbcf048670dc05717a
-
Filesize
1KB
MD582102c3c0419f5c06526af8f158e330f
SHA121540f9edea883727d518bbdf60516cabb281bb2
SHA25686b5a1b041be52fd42f307f05f2cfb19b345320d951d21763f72b5b4dbd82cd4
SHA51253f707c2aae0e6368e9a0e33788ed5f87ff5a149b2356122587d38e0f23994e40a48a27f305fc5e1424c8634da1b9fc1f65a4e0aa6eed9814b0910bc584ca684
-
Filesize
1KB
MD5cd66e8b2047f3fd825bc0c3b1c8dfbbc
SHA15023bcbe45605002872ebcc9d344a87a1abe373f
SHA256bd7ecece240e6b0b12e3aff582ac18f93ace37db5a15a72eab516415a7f06933
SHA512f99e42ff46daac78e5dc37496f21a6104e068355588f92e85a8675955ae135b65ca1410308c77cac81f30cce97f24677ec2d1d66d7367011477afd79224b28aa
-
Filesize
1KB
MD58a0d9310b49dd68eb1a1997a2dc8a44a
SHA1e08cabd6feda07bce464c41c39f002cce9a286a4
SHA2565a670bf3752122c654508a33eb1d45b588f41f2d5b99acc60e81d989f1e0c03f
SHA5127de0414ecaed4f2f995b36042a9bf66f62a3299711616e874077fb52bc131283d907f03d43ab1806843e614e54c13e1d9415db25d7ba2d0839670d8a54ad0b22
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5298d6fcadd47fef13f57d4b5202a7408
SHA19858939d23d45fe8d65638c91fa6756ab90dc015
SHA256be835271dde16f2df806b1bf96259fa14b8c7f1fa5051f1fcb45a6340e531460
SHA512d69fd219f45511db945a2eb2abad7e6b7067012f8add26db2da5f56491ed980813f31726826055ce44c86293637a7154583f2e692726975c43cc35379fb070b9
-
Filesize
11KB
MD5bb32f07fb9aceff7166665134b83d955
SHA1bb7caec1bb331d7693c8a101d5438b151a5fe3e4
SHA2562089e5c7a0cdcd31194bbf7d03831a56b153ed6c09af7f4c545d3a63dc3d3cfc
SHA51296581632b2a223050ce42560fa76bc863da0f7b34f947b7368c3b1ad3495f5a09b7292b0c986d2ec164fe6967aefb6d21b48a30fad80fb4417d261fb21403c48
-
Filesize
11KB
MD54953bfd557b6b364ab35b321e48b699a
SHA10c4613135fdd4e243b236f6a56a03470d90ce44a
SHA2560352892518f72d22af1bd940c05f4f6363f2a1b720012c5372747032f7485198
SHA51201d6c1f669a84337b74dd29ee6ea2ed8e4794eb8edd39973cb240002660a3144a894f1ac0211a4885b27df51022d771fbbbe4103912c241467474fd11d7b8e46
-
Filesize
12KB
MD581e113c9c246cf9e318ffe4041005138
SHA149b5cb161b04cac119bc90e5a5d11b3174665aeb
SHA256e555e60d8fa3caf77bfea76a636c56bba7a41787ef2903ffc8d709f5edf31d03
SHA512b340d6514075e2283e07505e7d6856fe7d5f54218144b191cabd2984574a46838bfb06da08b8aef8c1334d08fcc2bc7bf173fb64296eaecb11a89a51a08e23f8
-
Filesize
12KB
MD5c8295009a322e76ef030d3f08ca245ec
SHA1bf30fce9f7aa4826752f663f3af1c166c85885f2
SHA256975e8979d9c94f5f9879c14771a43475e0d1abe2707e1216abf328c28a62cea9
SHA5122e6ce396c814fb04c3bdd9a9bc59bbaaf9237019bf767753022e0d2767b48154d0f0c347d8ab64dfa284f906be1bf118f6e09107a93287c97da7693865cefbb2
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
64KB
-
Filesize
104KB