Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
28/01/2025, 21:10
250128-zz4b4a1qax 1028/01/2025, 20:13
250128-yzxc4szpe1 1028/01/2025, 20:10
250128-yxpkgszpaz 6Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
28/01/2025, 21:10
General
-
Target
https://go.enderman.ch/repository
Malware Config
Signatures
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://go.enderman.ch/repository1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff931813cb8,0x7ff931813cc8,0x7ff931813cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1148 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3812 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7484 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8884 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9054949926190113502,3649877947349400827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8840 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
152B
MD5554d6d27186fa7d6762d95dde7a17584
SHA193ea7b20b8fae384cf0be0d65e4295097112fdca
SHA2562fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
SHA51257d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7
-
Filesize
152B
MD5a28bb0d36049e72d00393056dce10a26
SHA1c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA51220940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7
-
Filesize
1KB
MD58eb08925924d9dba381393338b7c7876
SHA11fe85ab3ec71930d4f5b308f58fe84d9350b0879
SHA25652fb1614553cbb2feccce23508dec62bbd67483df901bf965aa6a4e08219e2c9
SHA512e813fac60dec1cac45c6ebaf6ad841918d0948ac9a0f32074cb0f1c33ebbf50efd9ad5b2fc946a2cdaee8bdf32c52e65640990f09b2bfaac37bdeea6be2c9b7a
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
576KB
MD5a32636bf267d284352e9d0552db31bdf
SHA1a7e59765e60c211243f55ed80b7d2b06512003ae
SHA256c55a4da37fce37d6a2bef8c5c474de812bbeff74b843243cf8a8334674dcd803
SHA5123893d26142ab5c7b6890b863e870cd1fe3098bdd288dbb0ac922a747217e8f015f638f70567aa9db6a43e4a16a17f10dda06354ead450585efb6a8eff3485644
-
Filesize
1KB
MD5a0b85119b3ac0f801672d157eba599a8
SHA1a9d0ca4a7ea11a6980d7b8b4cd20e8ce810cdd03
SHA25626fd7f0025d36fee0b1c6523239d346fb4dca0a6dd23479e949c8cba75b990ff
SHA512aaaa724ac6e476a962f54413e2217d5f9c906864843a859b0e8f78cc2e952982ddf8a83d512da1296df1b372ed79db84b309e9037f5a4a3027dacc6df18270b9
-
Filesize
4KB
MD5c9adc29b3e20c367496154917fd536b8
SHA117c3587d561d00ac8cc05ffb0fd125aded44cf39
SHA256b3f07cb25807bf281b1f1fec4df9a234137d2b072ef5b3ca30db9b34a71a967d
SHA51254547cfb9926b9d69b79788aabe99ffa1d3ce58646e842d176a230d10912b60a4ddd71e5a05553b7ef9bd31fa0ca5f775ba6fd8267961b80af282fe7309428ff
-
Filesize
10KB
MD586559ba0522cda6bce6fce768c3f839f
SHA11d84bde755903cb5c6f3c0db7b7f74ce8c906624
SHA256d9def5d3afa216e48fa77f51f74bbabca096082554b4e566541b9509f5056049
SHA5127bb1d0c9c28200701fc3197e2e8a1fe0bba82452acf843da918d0098a5c23eff8fe3b3e8f35e17fc9a53db91cc6bf3f544ddc9da785a4f004bffaec78d0d9d15
-
Filesize
568B
MD5e9729537935ceef23da0bbcfe8e94b33
SHA1c87acad59237043bd52bc400ac330f89d9e0b2d4
SHA2565a1b2bcae393f916e19bd2a04a6dda8db99f41635168fbcc515458345d901695
SHA5127e411d65751cf974609bd103f0c2676c741589718a3e28b4b4105919dd900ae3e18744c75ebf49d79eef9959daff876f6e145bf93bd116f1c03a1ea465afe5b8
-
Filesize
6KB
MD5542367cc9ff8c217e424a9485ba91689
SHA198e4534e7078131be75438a10e96e986eb3f0f9a
SHA256fe6ac47be241a189f238fed6f1e68d589c1397086e89a7dbd69773fff65de4b9
SHA512bbd0021df285f46bae9635991a67786de6be70aee27ff99a30d4defe88e78a9d4a506b6c1371335adab1af1e2072f08a8371fd5ebc9f05fb5919467a2bbe7aa3
-
Filesize
9KB
MD59fb79d70bd1fd536752c078aa4d85dd5
SHA1f9f00c25da4a0ede5bf0754a43e741570d711e9d
SHA2565a0380e01b60fee8f64a38cc48b552252a5909fc597192074316ab509f8a81c2
SHA51280aabed4a189b9b840a3a7e7fe153b052009761cf8d047cecdbe072feea01e6af9a6a3f3c28d9ab467475b670c8d71f611fe153529bc6ad6ea7eff0eecc23f92
-
Filesize
6KB
MD5e08a1739ba428078ff190ceb877dba1a
SHA1f0056f23492ed7c6d37c89ff03e96ce9ace2926b
SHA2566a0188967e89c7354fed7a7031e58d6da4c93773d4c53e906dc6c5b1de224ce9
SHA51222ea4c3c1b6e09d80e756a4f4d9cf80824fb9a15318b6aee290f0f8e6b6c993060d02d628c96cebe814f3ba6afd8fbe8b3b559d6b7f3f48b6bcb788cdae466a7
-
Filesize
13KB
MD5412b3b31822231f013e28f0f5454d818
SHA18cf83828ec6e19fcc25e4467ac6e4b84838bdd32
SHA256eaea71f54ac8480ce7b0bd88c04c4aa2b7cf4721155064e83fe8996d4cb3d6ed
SHA51258407af3829a0763967d305c18d6ed760f15b0fcdf91b5f2a352374d489d8b2e276d3a5ed0e78d94a2e338fda3e0b2a3c4fe8b65c6e0cffc1c9c388e75b9ecce
-
Filesize
5KB
MD50e0f7f1f4d39654e8c25b8cf67e1ac39
SHA1420a55c3b0ce857fe1f2f673f8438e1d805f4f9b
SHA2565dffd27689e59713b9c09d5d09df815263a7a7684e96db2df8e760e3b0d1f1f1
SHA5129278d7baa657b0b717c4a6caac11404c083e1b0571f162d9062258ecd084da5cfcb85ff7297eff868515ca4754578be27986685dee444eefbd1896c5443a5638
-
Filesize
13KB
MD5ec52c367bacb5cdfc60396ab7aff2577
SHA1f186cffab14176e1e71dbaa69e8e14907fc06802
SHA256aa4581918908d19ea226943f7c6ce81b9806946a9ff50edb1e65ca54d1c8e21b
SHA5125987a9fd8486414880475c61e9f616c35b06fa0eb8a08d444794ec8300a733ec3c83cbc9c79002e79a980c26e97e7d37daa5c143936a00550a44d274d6ed1cc7
-
Filesize
14KB
MD5a0db59cfd0fa743001268bd1e2bc1316
SHA16a6224c62b0b3fdae1e7e77039329cddcf48cca4
SHA2562e218b4a5d968b4cdfb6ed45aefa283d9bd40dcfba6c38bf4a6be762105d0999
SHA51227134b90d7b0b68faf1f34daacd2d4e56fec26b0c38990cb63b26dcc24d8e25bfeb097ba4edd96fd2a7a19585782148a28afbf8fdb6f01c3a99608ed45f7292d
-
Filesize
6KB
MD57715691406737a9a6fa2668b91d94df7
SHA13e2ab3de9cc7fa0c1045d04c1be0ba216016b4d7
SHA2562357f631bc7fce04fe3086759f4289cfd23d7307ca88537c0777873835040bbd
SHA512d9add5932830c97ba3a95b6a17e1f7f160d9193061e9786a4e786a26d6bc0e8afb68718f9abc64a678bad82a0a33cfd4965add285e62c41b42a640cf962d4288
-
Filesize
6KB
MD50737365f7c71b11d9829d7c3d33c14e0
SHA1331265c38db1f22681a179ec50de6d03a0d7a7db
SHA2561c0ac6203c1f793a35205bc574fdfd0bc5a40a35569087be7d1b809a36c26c5f
SHA512c674a67a251a251b23a28c27b3c06a37917448e5a67bda51ff648804d17748b8359daf4927866c68be664b23885b00594d2fe719163c60c2f9a98d980ff4d534
-
Filesize
1KB
MD5654f5a939232b3a59c2985f10d880018
SHA1cfcb6746ba88db855b67b03c4503e06ebe672180
SHA25656584fab0cf3b0c65781a9540c953df7548e53cfa5784c49c1848abe9be75817
SHA51291da48288022f00167143034d2646d21d0a7e5e0aaed283e4dc2315430c6aad981cb61844c19d845e5a1d08f2902dfc861b58a9188fb3ac7ae831784f7d5333d
-
Filesize
1KB
MD59664e5329db4ae49ccea523b4e766a41
SHA138b2001c921b49504b24bc32657f8b507a45b4b0
SHA256aa9e3224a944f9c5d2136222c1687cdc6083fe0a673bee2392f29bc698c23b25
SHA512b70c8473dd239191a2e5d3fc16972502ca8d82fca260273419117d16a262efd83b2817ec6d9f1fdc1bdd6ed6e4feb7525341f5d05baf7cc73661f4294489866e
-
Filesize
1KB
MD55785b2f015accb67dc044db429b74c88
SHA128894c7942f4f26c2e14bcb585e6a84fd2db18a5
SHA25696def68447e82e721bf6a50db1ee5880ca06bc73c17f52cb6f5c8d7181313f2f
SHA5120eaa565b73aa7c425da2f055c60c8477f647b35e757b0b3e9aa1fa86689521584b6e5eb5f27ae7b8180580fb5f18183bbfb6ffefaa6689eebc4d24a6cdccba95
-
Filesize
5KB
MD517fb1d1e99b02512bcaf37d2f6381e25
SHA1344fdbc797c90d6ddb1993bddcc71de5709a6263
SHA25665b930fe72e123a5e6e3efb4600027f60efe164fa0791ee3698dcb0882db1d18
SHA512be0432783b255fb0621adf7b612ea64df0bd341423438bafaab8f441b51bf7d8c789714144c6d1f3ce25fc07e108aa74821c542315cd255f64aefddadcf8b7a5
-
Filesize
1KB
MD52e36c48f85acc54e03b008167fe64cf1
SHA15c67238db9be2c1383c4a14e8c80f1d469b8f8e2
SHA256cfa61fc5585b87e35bf81fd85326e10a6c17d8233397e01d3a12d91f7c931f87
SHA512324c71b392083ba7f41323e4c2e04c3e70997789e2029ac9224a22284f0593ef636ae6e9b20bc402848984142502f51e4b71380f5c7574c32f74ceb72459db2a
-
Filesize
6KB
MD55d4c086d73d0f00de0e18f930005f4c2
SHA1089fa5e025ceb5e1d22791de903b449be4ef9247
SHA25693d24ccaf21d61d30b7b1813602a4315cdb14efb17310e625d909d650125e120
SHA5126cee549b0c6a8181a98902ccb0a4a2fac4445b98111c62c346257ae79c11dfac38cf539758c71e4f9a6910493d221c45560f056a2b0aa5756939f461ce7d4d4d
-
Filesize
1KB
MD51fe1664e31092dc36745607b64e1d29b
SHA13d3ad28aaad49f79d2759a34b0fbd827fc098b73
SHA25659f26bee0a82da87413a5e619dcd78cd86b40280b2e3d54dd5aec93a20dd4a0d
SHA5123d0997fea03e356f8b387ef86961dceb420c1c19f5194df59bd32429a72f96c7a2245dc3fbadcf536134014c60970b3ec27faeb43a5dad4bc4387fb9f1dc9fc4
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD502ca1be6b8b89e5014d7b8528904225c
SHA1e125d7c0327836508c299f0c83082a2c7193bd65
SHA256b8b6f9d65df74299c80bd48ab41adb4d281f337eb2518587fa4c4fc09f71dfaa
SHA512db543cde7e64d7b96e1b47bbe00afdcc9305e7a80743725a4253a971be8d71b1ea9a8e1f0a8e1069c8bf02e5a035744fd5e8ac7ee8e71afbc1a8d628fcd2de4c
-
Filesize
10KB
MD593b2470a63151ccfc11f0a63d031a5e4
SHA1532eb0902a00fbc166f962017e27b50eb4997eae
SHA25643d5295d6a42bbe8ebca7a0b82352e6209a1b6a7516c721ca1a09183752b6f93
SHA512f39a3123165ba1febe93d849358545244bd59f5555d7928709d4822b47bfa4cea0fc431a766dc5b453b177f002230b8c209c51c1ba6b1167b0c2214c8c4ec68a
-
Filesize
10KB
MD56d18833b20358f1b728ce76b69d68cc9
SHA18103005241893b412f2d40550e6a1f53b221e131
SHA256f612854396f2506a10fbe9b0a8f3bed7c38df7b9011da4498813a2ac56098b5d
SHA512111299ecc2e7f077a4a51fa690b7c539b0c26ab2ac6e660612d34e52704eb889224ff3a124cfafb507c2b7c232219e5715908bb2bd66ee7ccb0102041e927a79
-
Filesize
14KB
MD5a3a3a44982925686fc762bd8450e4439
SHA17097064a1e2ab26e1b142bb7e478e4d306287c6f
SHA2564f975f2f848ae0fc5cba64d3a4944ad88a67deaaec82b8e9e7a1d3575a5ace83
SHA5126772db84966ba9d8bd7fa40a49be3941efcfb36a0ebadb727af5d27dc94ed74d23415561c9996352255d5a595ea52c07adec1224e265efbc8a8d31c47a341e4f
-
Filesize
916KB
MD5f315e49d46914e3989a160bbcfc5de85
SHA199654bfeaad090d95deef3a2e9d5d021d2dc5f63
SHA2565cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7
SHA512224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e
-
Filesize
243B
MD5e10ee4eed71f12f3417c191817fef683
SHA19824d71986627e7c524213c8ed0c43e1253bf7f4
SHA256b68ed34b4e01612220dfdf35d7f84099edc77893b80e4c1bc8fe8315fc4daeea
SHA512f606383b9996ec888ca24ba6412980f13f5e3453bfef7ec04f67ae8e6ff3cf0ac8d2a484f195b4307925f8f5b84146f711432ab3818b94406ad97f2c1a52c94e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB