Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
900s -
max time network
427s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 18:18
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/AeQXfn
Resource
win10v2004-20240802-en
General
-
Target
https://gofile.io/d/AeQXfn
Malware Config
Signatures
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 2 IoCs
pid Process 2468 7z2408-x64.exe 3056 7zFM.exe -
Loads dropped DLL 1 IoCs
pid Process 3056 7zFM.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\pt.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\License.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7z.sfx 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\descript.ion 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7z.dll 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tg.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7z.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\io.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\lt.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mng.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 7z2408-x64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2408-x64.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 25 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip 7z2408-x64.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 7z2408-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2408-x64.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" 7z2408-x64.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2408-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip 7z2408-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" 7z2408-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip 7z2408-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" 7z2408-x64.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings 7zFM.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2408-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip 7z2408-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip 7z2408-x64.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 213696.crdownload:SmartScreen msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1240 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 540 msedge.exe 540 msedge.exe 2216 msedge.exe 2216 msedge.exe 4568 identity_helper.exe 4568 identity_helper.exe 1556 msedge.exe 1556 msedge.exe 1020 msedge.exe 1020 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3336 OpenWith.exe 3056 7zFM.exe 4488 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 3056 7zFM.exe Token: 35 3056 7zFM.exe Token: SeSecurityPrivilege 3056 7zFM.exe -
Suspicious use of FindShellTrayWindow 52 IoCs
pid Process 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 3056 7zFM.exe 3056 7zFM.exe 3056 7zFM.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe 2216 msedge.exe -
Suspicious use of SetWindowsHookEx 38 IoCs
pid Process 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 3336 OpenWith.exe 2468 7z2408-x64.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 2952 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe 4488 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 1696 2216 msedge.exe 84 PID 2216 wrote to memory of 1696 2216 msedge.exe 84 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 1184 2216 msedge.exe 85 PID 2216 wrote to memory of 540 2216 msedge.exe 86 PID 2216 wrote to memory of 540 2216 msedge.exe 86 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87 PID 2216 wrote to memory of 2680 2216 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/AeQXfn1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3dd746f8,0x7fff3dd74708,0x7fff3dd747182⤵PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵PID:1184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:82⤵PID:2680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:3304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:1756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:12⤵PID:724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:12⤵PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:12⤵PID:3172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:12⤵PID:3248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3844 /prefetch:82⤵PID:3672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2372 /prefetch:12⤵PID:5116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:2316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:12⤵PID:4808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:12⤵PID:1928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵PID:760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:1328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵PID:1468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵PID:1004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:12⤵PID:380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6760 /prefetch:82⤵PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,13526279087113716371,12206364320959281467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020
-
-
C:\Users\Admin\Downloads\7z2408-x64.exe"C:\Users\Admin\Downloads\7z2408-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2468
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2812
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2800
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3336
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2952
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2044
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" C:\Users\Admin\Downloads\Cyprus-external.rar1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3056
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4488 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0FB205B8\cyprus.vcxproj2⤵
- Opens file in notepad (likely ransom note)
PID:1240
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD51143c4905bba16d8cc02c6ba8f37f365
SHA1db38ac221275acd087cf87ebad393ef7f6e04656
SHA256e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812
SHA512b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894
-
Filesize
963KB
MD5004d7851f74f86704152ecaaa147f0ce
SHA145a9765c26eb0b1372cb711120d90b5f111123b3
SHA256028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be
SHA51216ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5e897cd4-379e-42ad-8950-94220dc03714.tmp
Filesize1KB
MD5ebaae35080512f4241314dbdf618a6fe
SHA19c984e64831827fcc67d32cc5af5283562adf739
SHA2568e07aa0b7bbfef2ee2a25a37926a2d316033b83e70a94e42a2515ef062a23b3c
SHA512cb1d29a66cc82c4f5d9a751566f2b20eccd99154eed753bf42a0b2250ba28b941131862cee435563174b9ac100bfe2de0e4ade7d15c68f6ab7daae94e6b7b162
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD53583ba0924996f024b02b87b19cd4d5d
SHA1835169db7c93ee14d866c4355a4b59e4bb32cac9
SHA2561e926c1838d0bcbfe1062c9db442cdcd28c27cd4fd1ef121d6c57ad2f0eb253b
SHA5121f8453139b4fe21f8548cdbdd5a51557c75d528e0bbc0bfb25595592d14c47521a81810799327ee637d3a73f93481714007bd6daac5bf127eb91494040a98403
-
Filesize
1KB
MD56c7dcde622c0ef751b22b98d4e1aeb33
SHA1eb3559922b529e9e9b394e02ce40d7c9aca5ad89
SHA256180818a3d53a5842017eeb2850455e7708e6e6d87596726c98f0d9ea04b0d701
SHA51258e387949748605aad2a6b63beb6e63fe19426b99f2d17be000a134310d6458d7878e34ee42bc472e366b3022d7a1470d117fa485585b782fe7b786c5ea10e5f
-
Filesize
6KB
MD537a3c77f79f2b73d78a11698f12b7967
SHA121cadf1d4fb2678d4cce0f90cdbba3aa4bc1c632
SHA256b4a60a0f0900c64f3c69139d03c973b574ff7e664a56a1795039ae9c6cb965a9
SHA512db33fadd8ae93b4d801f5deae9021a5e9ad7e7197de2f76c41fb3578596db85dd287f7042640bb2be5980d9d467de5d3bd57a9c7221bacb138ff7b04f3e0604c
-
Filesize
7KB
MD5475865b27fd7edde88ddf72ed008b275
SHA11e2ea75136739d9d57131016d965f12ceeda1e93
SHA2563d4c76f47261f3485e4ad2e71ad36ef70c6056a3bc9f59c0d49b6875b842614c
SHA512ae07c5a242d974cf8f6cdbf993948b4d179e6a81dc0059f9873d0fd787d3c91ea19adcd50742c4558cf51e0f0e3bf588878ee2f81c41f5030c62f58c9628d3a1
-
Filesize
7KB
MD58ab738415d8e265933afdc3a984454c5
SHA1060110a38fae1c04a11d691a27b5d7c7bc8bc95e
SHA256e37a0a99e819d45582dbe416712f72dac6532276db56d493264f2f4f6e307525
SHA512ded3bc7e637971c7113e74e528b7e6a4e103176a746f41a588f8a25db17a248fcfcd8e2c3775a525ff1b0fa17ed83f7b22b9b5bea769b01879e8934757b6f077
-
Filesize
6KB
MD5d0fdb51f8d44be537bab12706c7b1da0
SHA1464a0ed679e10ae68024f26413ca145a941cc1ca
SHA2562bdf69d8c3df8e0a4e11ba6325d37be4b451ec5fe2f0cb4ab9c2c334fe660159
SHA512cb03bea307eb71bd7fb160bd1fcaa990fb7fd0b2165d93937250b49386d643ca5201d79f41e285f0439429b1d6050125ec48238210a377eb63fd27c0f799a05a
-
Filesize
538B
MD560fcf5f76969d602aa9bf7c27a565955
SHA1ea86a3eba343e2f060fadf57afe6e6a471bd10ed
SHA2561a9a5d3ecd575be676fd805d767231c8e3ba4cdbc3db6f4b09bc73b6c3283026
SHA5128f45f3f5ae43b1c99bd6f9c26be535431f041da6680a5f821e2df9d3f37c555030bd01a0e8b246dfc912663748d8b18b6d97eed569c4b7d2ca5cadfcc963e67a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5953ccc7249c324eb9d58bc62ebbcef06
SHA1d99db2cff7e58fda02d7b7fdaa9f590ab0255722
SHA2569a09fb3894cb051692a3e4b0e4364094faf75c9a1db9b39cfcdebc44532bab63
SHA512cd3571070135aeea95a11f5c06c56a261bbea62e119c55471d2c90b76066f5d9c658061d3e442891ff555f56a8dcd9c51d67ccd5feb451abfb3c8ceb0f00ce1a
-
Filesize
10KB
MD56977a20903e51c88f471a8e9ebca43f8
SHA1911af1eaac6bdf7bae120154e39e9cca63a7ae8f
SHA2566f9e54131154ae17bd879ace92aceedec0a45628801bf23c1eab059aa69fa736
SHA51242514495cd3ddf8a4bac8b5b8f4f686e1912945b792b955e0d4c82cac1de189cac6e9b0e196aa54f94d26877982f2a1e7b47d39c64f5ff080657d268ff76e4f4
-
Filesize
25KB
MD50b7ecf1ad4e1b043f7cfa46cf7ccdabf
SHA14eaf9dbc260b381b95c4debc6a34830719553285
SHA2565656c0ee3dcaf696ffbf7c40463db3fbd2b3f4a4a544265b5c6970ed3b92a9b7
SHA51235d6dd6a4d3a7151db69a83b1e761c53420c6181a6e693882a2395a3aee791c77b00e42e7aa6e47a9e4d286b9818c3c851557c9a88b98081b9a818c83b8d29c1
-
Filesize
1.5MB
MD50330d0bd7341a9afe5b6d161b1ff4aa1
SHA186918e72f2e43c9c664c246e62b41452d662fbf3
SHA25667cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
SHA512850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1
-
Filesize
9.3MB
MD5599a26c838f524118c4698c618b5df81
SHA1f7e76729b7c34b73a68859b23d22745fd9bf90fc
SHA256f7b70cc7faefd5747a1eef5f72ded5d10212d68dd221bfc277f26312ee93cd45
SHA512a961a5882b42e96e2dd53a8d4d1dc79383d14db8a384befe261fc0106952090781290def3426b5148f3dd9eee2ac10a4f8ecec019c59829a13c848c2a4c74f5a