hxxps://www[.]mediafire[.]com/file/go0d2s1phvtbw94/Element3D2[.]2[.]3[.]2192[.]zip/file

Resubmissions

29/09/2024, 15:24

240929-ss6ejssgqe 7

29/09/2024, 15:07

240929-shjg2asdqe 7

29/09/2024, 14:58

240929-scamyasbrh 7

Analysis

max time kernel
468s
max time network
469s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/go0d2s1phvtbw94/Element3D2.2.3.2192.zip/file

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Video Copilot Element 3D v2.2.3.2192.exe

Executes dropped EXE 2 IoCs

pid	Process
5956	Video Copilot Element 3D v2.2.3.2192.exe
180	Video Copilot Element 3D v2.2.3.2192.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5672	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2656	msedge.exe
2656	msedge.exe
2196	msedge.exe
2196	msedge.exe
4656	identity_helper.exe
4656	identity_helper.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5404	7zG.exe
Token: 35	5404	7zG.exe
Token: SeSecurityPrivilege	5404	7zG.exe
Token: SeSecurityPrivilege	5404	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
180	Video Copilot Element 3D v2.2.3.2192.exe
180	Video Copilot Element 3D v2.2.3.2192.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4620	2196	msedge.exe	82
PID 2196 wrote to memory of 4620	2196	msedge.exe	82
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 3164	2196	msedge.exe	83
PID 2196 wrote to memory of 2656	2196	msedge.exe	84
PID 2196 wrote to memory of 2656	2196	msedge.exe	84
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85
PID 2196 wrote to memory of 3008	2196	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/go0d2s1phvtbw94/Element3D2.2.3.2192.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc28ee46f8,0x7ffc28ee4708,0x7ffc28ee4718
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7208 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,6069202340378861247,9596389997643100479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Element3D2.2.3.2192\" -spe -an -ai#7zMap9348:100:7zEvent26932
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Element3D2.2.3.2192\Element 3D 2.2.3.2192\Read Me.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5672

C:\Users\Admin\Downloads\Element3D2.2.3.2192\Element 3D 2.2.3.2192\Video Copilot Element 3D v2.2.3.2192.exe
"C:\Users\Admin\Downloads\Element3D2.2.3.2192\Element 3D 2.2.3.2192\Video Copilot Element 3D v2.2.3.2192.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5956
- C:\Users\Admin\Downloads\Element3D2.2.3.2192\Element 3D 2.2.3.2192\Video Copilot Element 3D v2.2.3.2192.exe
  "C:\Users\Admin\Downloads\Element3D2.2.3.2192\Element 3D 2.2.3.2192\Video Copilot Element 3D v2.2.3.2192.exe" /UAC
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6b06fb3e-9b2f-4891-b857-edc00b70500b.tmp

Filesize
5KB

MD5
f27037746ceaae2f97dd0c2acc08e5b4

SHA1
e3bf8e9ce1c293c6774c8c44922ec609e5da4e55

SHA256
2e2a97b936c32bcc01bb1915713bf371434d5dd233aa412c52827cb6933c9bea

SHA512
73ae8ba98df52bf3c882df9a48838a67259f8962434961c79a669d5749052abfd94d94fa1f1dd3df545b28aee9090f005579fa83eb08333c8e523cd3b4a351dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fa987ec59db90f2fec06a3d663de45c1

SHA1
ac69f97bc159bd480eb64f84fc8a0256fffc6c59

SHA256
b23ec72091220bc883f6e3bc7228c9130faf5aae5df6f24a6b64dddbd2260da9

SHA512
eb4672c6afacc35cf92d8d0faf74f17a01d698332c5fcb64bfde42ba07f7662650d81892fbda649fc856de60fce926615cc760d5839e003268479d2ac4256ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
04419a17c363a62b2d31b7a9afaaadaf

SHA1
a56b2b1dea28fddc149e12b507c97c9640bd86d9

SHA256
15aef7f4f2a0d5d8f47daf2269cd67b471725f4a6e5324ba1f32506f60832b15

SHA512
5085ea7747e8a5b427c06c9e5c11fe4c2c2e8151da0715ca2c771e1db15831616d5f33c71fd3eb95b623d9973e3fd2779912f17613128f9ef139e7574c9cd27f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
97981598194232decf49f1a5e3e97b7e

SHA1
c88bd3f4664444711329e606d08bc80004277296

SHA256
329971830412150cf54fec37cbede8874d6946f6167341419202bc6fd5b81435

SHA512
5c64f26aeaa24eb88ecea884424f47e4d451f9a1154d0800789e30bb9a9ab39426efc9497177f7bbcabb85328cb4997bd34d6b3921ff308baee123fdda1918ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a86c69b5b2a2c1211edca7539569962a

SHA1
59bc388586a48e8a6793cef46f6e1e88de162e3c

SHA256
1b30b14e13d89f2b3ee6cd639ce84276b7e85b433b2ef8a906cde104c4b6334d

SHA512
ed97494badca8fb4202f3b8a34059b1b4f48efd30f097eea3129267790d043000b390a05535054ad1b5f415c29fc28ebf259b919b3451786bbbc16870076959b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
bb44dab04dcd3d2a7d33ebd51b8ccfae

SHA1
1a407f3b830e48b96bded1224d31329627a005e5

SHA256
5119b8675d8ba14a045759985e26e9db1b51bd142055566e0e76f37bf42daed4

SHA512
7a49ee504285f64fe69b2ccf05ac5dba48bdcaab088a73d60c1718fd5e3bcb8dfc4b896e931894498d8aa5b4a6ddf17a89aef53beca559cc25d7b544e24b1a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4feee6ced5a28c032843c83a5602cf43

SHA1
fb30bee57cf29e232251ed8f5636caae5237988d

SHA256
0c82c7e7aa91cdd8aadf57e4d1821acccc183dac27bac0b571cba95241106523

SHA512
e4d131a2f4ee5fdec62d11ed45dbd9330311534c2eddf09a4e235e94d363e446bbc9443a6092273d18ba8b6cbba777ff3031b40d5bfc9b5661cdb42dd279d8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d772bb3feb288a8fffdc03b33700e4aa

SHA1
2b8cfbc777fa2bfcc86d25e8462956271b34cfdb

SHA256
59f3de85ef140eb41fc738b2907a815881993e0d395ba1725cc763bf0f23c273

SHA512
ffeb4046f8bbe9935e20a4d85ffeb7f8a9fda9edfe26f54e2dbe0b0d394855b76db38b2401742d9abef01f11238d77a6e46f9326f0e8aca79885b2fd53582da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de3a.TMP

Filesize
1KB

MD5
ab62a6b5a5abc5e0db44f7ec44e1b4ef

SHA1
55608b679a342f62044668f921f90b1167f298d2

SHA256
9317d6ceea43d1ebafb88a406886eb28a7626eb86eaaf7f63caa5eedaaa8ab8c

SHA512
e4922beb955f0b6342e55f3ce545bc7b7a287149db62dc7ccf2205efb3dad5a3f74662f899ed2c1f80abf33efc5ddbf405b69a6cff1f851cb43ce6f67e6726a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\efbb50c4-3d9e-4000-9187-72eca8577dd3.tmp

Filesize
2KB

MD5
3061be64ae7befd06356949b6f3b82f0

SHA1
509ed5661dbd37ccddda6fdd00c6e64f6263d16b

SHA256
ec5f2dea14a95bc1994b5c7cf732222197fc03fae3a1e922078365ba4791321c

SHA512
3a9e5089b609fc9a5bd27f264d377afd548784dd3d0a21966c78216a62b10dceb52ef011c64f5dac4dbc39af1bffd2f139369b76526ba708c5be925fc0b2538c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1876cde15cf088c451bce6822907f6e3

SHA1
af9291f62ab80903ec6da8413f4c1dc7131c67e3

SHA256
dad977de75d3a3705382a17407180e1b86bc755d6e35483202718ba18744c8c9

SHA512
5635bd2a05d38834beb5671b73b2ab4e3e45d4ab3fe11325dba3d692f7c63f441a27d875c524a18fcb664cf2af550496a6b594197ae60cfe9bc4828a0dc31fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2cecb94746abb68086c15ae4a134c1d

SHA1
89afccff8968f14e2902b4d3d5a7a4a8d41a4a54

SHA256
abac533ef3e56bb7457e14066c28a5ebcb4e8f23d263eab83fab2ea01bceeda8

SHA512
e14ad7df160124403f0ce209d445c31b11ec473eac0300f7a0b28481fb0b12738c2c0a558ca03587bb89df4b5eaa2b904e2df33654a7ac8e6a160c0ef9e89c34

Download Submit
C:\Users\Admin\Documents\VideoCopilot\Models\Starter_Pack_Physical\maps\paint_can_diffuse.dds

Filesize
2.7MB

MD5
7831453a351d0b578bdd19d93055a5bc

SHA1
fe3cfb9d94cec592a4e2fdb55077d2b56a0e778d

SHA256
1b043f7d20eb449e98d3ce0aea04f5e921917410386fec00f918e51fb506076c

SHA512
9c656498ac9224d013036b2b434475b101cbfd158c364837f8b91934d6e0ff7b8d68ae9620a5f85cd9e4acc38c2b21fd6a722f633b9a9778a6ab5fe5ab1622a2

Download Submit
C:\Users\Admin\Documents\VideoCopilot\Models\Starter_Pack_Physical\maps\telephone_pole_normal.dds

Filesize
5.3MB

MD5
232124e535c852a11e14f31e98ce2cd2

SHA1
58f2d4a5d1a1d022b7f6451b900cd497576001b7

SHA256
d3f114729a0de26c1c334e5439c8dffbe386b4160df1012644210311dea3a594

SHA512
ec3ad6d3d4573a34bb8748b57a64302bbfa41723a5a5fca472793b7b7aabba50d650cfd5179ba7d65b0bc20d9633d6fe5288254d399829917de15bd47756a864

Download Submit
C:\Users\Admin\Documents\VideoCopilot\Models\Starter_Pack_Physical\maps\truck_tire_diffuse.dds

Filesize
10.7MB

MD5
d02511db630092111895ffe844a60700

SHA1
16e178ac00a20e2a5479d58de67514b17bfadd93

SHA256
5afc14c3bfa3b95e43988a22dc4f5234a3dc308bbc138a035be70ee04ff48e8e

SHA512
75fa9953f315c591817bc69a12c5d649143786af94ea44957f3e188537a7310013e5f279601ecbc4cd04e22556bf7988ae54bb332fff80828c3ddeeab0087b78

Download Submit
C:\Users\Admin\Downloads\Element3D2.2.3.2192\Element 3D 2.2.3.2192\Read Me.txt

Filesize
824B

MD5
17c898b8f482f91c4ad32f1aa2a47150

SHA1
e22815d49aaa8b061050d9d9f6b38e506230f782

SHA256
50e92031da29fd2d995c6191a07bf10c74e4c60fbbe858ee6d08a7b95e7e099c

SHA512
02f499bb42303da1bba011319a61eccf4ff7dd7f762fdee37aefbef87eff2933062ec798829e19d8a1ba56a95c2b39a258c63cd945f80bd0e1cdee8a201e148b

Download Submit