b0f6d7c7a168f77b93aa42d7dc22a0118f98f525c14272467ff37c34217417d9

Analysis

max time kernel
126s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
15-04-2021 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gr_rs.exe
Size

678KB
MD5

7684408e648ed2c462817083cd61d6d5
SHA1

8dc1ba94b3b2996dcf45aa2b73730ff636fbed2e
SHA256

b0f6d7c7a168f77b93aa42d7dc22a0118f98f525c14272467ff37c34217417d9
SHA512

00224011cae9e86fac9f394b52b5267166f3bfc6ac6fe34594aaebd53c74f64f716bebdf1e9ad30072d0f800e22680597b766aca8dcc0d57c9f43d39092b7f55

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Recovery_Instructions.html

Family

medusalocker

Ransom Note

Your personal ID: E28F58269F7FEDAE9CB8EECDE2D55A225AEB354675A3C304BDC118709A2B6F06B22A904B69F139AF2B24FD11994DA2CFC0A5FE8DA91DBA519B40CBB36DA2AE32 53681ACE6D035F4BE96BA9E17A4EFCE7F5BBDB392F67C6326F561F59C18D9C22672A68BE1CC3B22DC36A29D9613B3CE857520E7CEB3E2348719D71A67118 8A3E9A4C079252076D7AF53B1C298AE475188903809B1F2F49D2CB883C7E5E96AF6486402EC259877170527BC618AB0EE6487B89446E3791A942CF8FCC8F 40E15359EC0BABAB478E4EEC3FF381A1127835DCB69FEB8A357CC2B1E7FC943B571C60A1DA3A74D053B172DB0489CB7D8040BC56BC079CA13BEBD35D90FD C1E3C79EA91AEB9F2EDA87E3BE9138F7E48E6E629EAE72B2A13295E97324C4EE2863C787B7AB35AB14D208055F3FDFC8C556ED66104A04C31186374C9E4D F2B28B0F3514FB627816DED19AE195CAC0FAB7AD95B1A8D5FEC1BC5CE51C720A34D7F84343F7B04440B088E10C8C24C5242D59C2534941859B84E598BFD6 B72965260DD36ACC9165CE18758813BB559651B9EDE190B3EC2FF1A58E79B2BFC76D26C01FF2A26E5398B5AA4266B01357614A926A4466AA17FD6BBC5D1F F2EFE002AE32597A35FD65DA78179E7738ADE4C7DBD70A3F4DD19C365BFDD9B400063FA24E5F3A4DAB764DF695F7CAC8BF67DB9258AE00B5C06C9CBB3A82 4E5E5AAACBFB005F5A21F2890C19 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-c5EO4jlAOS7D8NCgbfZhNaL4wpxKeGEy * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: support@imfoodst.com support@securycasts.com * To contact us, create a new mail on the site: protonmail.com Make contact as soon as possible. Your private key (decryption key) is only stored temporarily. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Emails

support@imfoodst.com support@securycasts.com

URLs

http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-c5EO4jlAOS7D8NCgbfZhNaL4wpxKeGEy

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Gr_rs.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PingInstall.crw => C:\Users\Admin\Pictures\PingInstall.crw.rs	Gr_rs.exe
File renamed	C:\Users\Admin\Pictures\PublishUnpublish.raw => C:\Users\Admin\Pictures\PublishUnpublish.raw.rs	Gr_rs.exe
File renamed	C:\Users\Admin\Pictures\UsePing.crw => C:\Users\Admin\Pictures\UsePing.crw.rs	Gr_rs.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromClear.raw => C:\Users\Admin\Pictures\ConvertFromClear.raw.rs	Gr_rs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Gr_rs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gr_rs.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

Gr_rs.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini Gr_rs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gr_rs.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	Gr_rs.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Gr_rs.exe

description	ioc	process
File opened (read-only)	\??\F:	Gr_rs.exe
File opened (read-only)	\??\G:	Gr_rs.exe
File opened (read-only)	\??\N:	Gr_rs.exe
File opened (read-only)	\??\Z:	Gr_rs.exe
File opened (read-only)	\??\B:	Gr_rs.exe
File opened (read-only)	\??\O:	Gr_rs.exe
File opened (read-only)	\??\P:	Gr_rs.exe
File opened (read-only)	\??\Q:	Gr_rs.exe
File opened (read-only)	\??\S:	Gr_rs.exe
File opened (read-only)	\??\Y:	Gr_rs.exe
File opened (read-only)	\??\H:	Gr_rs.exe
File opened (read-only)	\??\I:	Gr_rs.exe
File opened (read-only)	\??\L:	Gr_rs.exe
File opened (read-only)	\??\T:	Gr_rs.exe
File opened (read-only)	\??\U:	Gr_rs.exe
File opened (read-only)	\??\W:	Gr_rs.exe
File opened (read-only)	\??\V:	Gr_rs.exe
File opened (read-only)	\??\X:	Gr_rs.exe
File opened (read-only)	\??\A:	Gr_rs.exe
File opened (read-only)	\??\E:	Gr_rs.exe
File opened (read-only)	\??\J:	Gr_rs.exe
File opened (read-only)	\??\K:	Gr_rs.exe
File opened (read-only)	\??\M:	Gr_rs.exe
File opened (read-only)	\??\R:	Gr_rs.exe

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

496 vssadmin.exe
3480 vssadmin.exe
1092 vssadmin.exe

pid	process
496	vssadmin.exe
3480	vssadmin.exe
1092	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "s0i51m2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000077cc84faf06d4c5a1c27a14987a9aa6ff8eaf84d39d03c14c8d7d8cd86a1d5c2fcec4fc34b029bb2fe619f258e816c9c85d5d16ad94e3490625	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000ddbeb80d2d164626bb0dbc6d0636f0ceb594c103b2e4731eb2b0991be4186292be7cbba1427cc49e54f9ef55cb0ea3552a2bcd163cc174c86c3a11eb9f1b76599a93e3d6dad7dfe1ce07e06250842330acea08f271233e9b3235134af8cbeca2d7a3c10041484d9ff6d6a5849eb6cb8ee972210c082af626ab4080b0c248c58c7d4c5e304cedd760df067e0d26c6d3605164cfe8d0f52ce13afdfab6adb2aa67642e0239dae7a1747c38b05a98d2afa78a5e1529dda6b0f9c80abf9796297b257ae9e548f156be2b180a1c4150fcf09560021d2a265cd57c8e0953c4ebcd68ab041d7a0e665b9b64151dec47fb626f80c8eef831283788ca4b99a484e2bedce61d6ae46e6c1471697f119aa03226079e81c3ba2dca56875adc5962ac9d1cd3b52b70c4cddda26d1dc0864188ad66fe9a34220404cbdbaacffaeb495a9107b19ed2cefce1c1254073bc1ce5ce3744c8f2a2a9486fd4e57b5d31ee52ce899f045bf326601c0bbed142ba73cc71a5de76294cfa826c2d94177a990154497005ed2ece17939ff98bc55d7c2cd04a1b561cc493b3f63d1e08a8e8d480cd6860192e49d33053e2e7c9	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Gr_rs.exe

pid	process
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe
2112	Gr_rs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

4148 MicrosoftEdgeCP.exe
4708 MicrosoftEdgeCP.exe

pid	process
4148	MicrosoftEdgeCP.exe
4708	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	2648	vssvc.exe
Token: SeRestorePrivilege	2648	vssvc.exe
Token: SeAuditPrivilege	2648	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2452	wmic.exe
Token: SeSecurityPrivilege	2452	wmic.exe
Token: SeTakeOwnershipPrivilege	2452	wmic.exe
Token: SeLoadDriverPrivilege	2452	wmic.exe
Token: SeSystemProfilePrivilege	2452	wmic.exe
Token: SeSystemtimePrivilege	2452	wmic.exe
Token: SeProfSingleProcessPrivilege	2452	wmic.exe
Token: SeIncBasePriorityPrivilege	2452	wmic.exe
Token: SeCreatePagefilePrivilege	2452	wmic.exe
Token: SeBackupPrivilege	2452	wmic.exe
Token: SeRestorePrivilege	2452	wmic.exe
Token: SeShutdownPrivilege	2452	wmic.exe
Token: SeDebugPrivilege	2452	wmic.exe
Token: SeSystemEnvironmentPrivilege	2452	wmic.exe
Token: SeRemoteShutdownPrivilege	2452	wmic.exe
Token: SeUndockPrivilege	2452	wmic.exe
Token: SeManageVolumePrivilege	2452	wmic.exe
Token: 33	2452	wmic.exe
Token: 34	2452	wmic.exe
Token: 35	2452	wmic.exe
Token: 36	2452	wmic.exe
Token: SeIncreaseQuotaPrivilege	3528	wmic.exe
Token: SeSecurityPrivilege	3528	wmic.exe
Token: SeTakeOwnershipPrivilege	3528	wmic.exe
Token: SeLoadDriverPrivilege	3528	wmic.exe
Token: SeSystemProfilePrivilege	3528	wmic.exe
Token: SeSystemtimePrivilege	3528	wmic.exe
Token: SeProfSingleProcessPrivilege	3528	wmic.exe
Token: SeIncBasePriorityPrivilege	3528	wmic.exe
Token: SeCreatePagefilePrivilege	3528	wmic.exe
Token: SeBackupPrivilege	3528	wmic.exe
Token: SeRestorePrivilege	3528	wmic.exe
Token: SeShutdownPrivilege	3528	wmic.exe
Token: SeDebugPrivilege	3528	wmic.exe
Token: SeSystemEnvironmentPrivilege	3528	wmic.exe
Token: SeRemoteShutdownPrivilege	3528	wmic.exe
Token: SeUndockPrivilege	3528	wmic.exe
Token: SeManageVolumePrivilege	3528	wmic.exe
Token: 33	3528	wmic.exe
Token: 34	3528	wmic.exe
Token: 35	3528	wmic.exe
Token: 36	3528	wmic.exe
Token: SeIncreaseQuotaPrivilege	3852	wmic.exe
Token: SeSecurityPrivilege	3852	wmic.exe
Token: SeTakeOwnershipPrivilege	3852	wmic.exe
Token: SeLoadDriverPrivilege	3852	wmic.exe
Token: SeSystemProfilePrivilege	3852	wmic.exe
Token: SeSystemtimePrivilege	3852	wmic.exe
Token: SeProfSingleProcessPrivilege	3852	wmic.exe
Token: SeIncBasePriorityPrivilege	3852	wmic.exe
Token: SeCreatePagefilePrivilege	3852	wmic.exe
Token: SeBackupPrivilege	3852	wmic.exe
Token: SeRestorePrivilege	3852	wmic.exe
Token: SeShutdownPrivilege	3852	wmic.exe
Token: SeDebugPrivilege	3852	wmic.exe
Token: SeSystemEnvironmentPrivilege	3852	wmic.exe
Token: SeRemoteShutdownPrivilege	3852	wmic.exe
Token: SeUndockPrivilege	3852	wmic.exe
Token: SeManageVolumePrivilege	3852	wmic.exe
Token: 33	3852	wmic.exe
Token: 34	3852	wmic.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1580 MicrosoftEdge.exe
4148 MicrosoftEdgeCP.exe
4148 MicrosoftEdgeCP.exe
4460 MicrosoftEdge.exe
4708 MicrosoftEdgeCP.exe
4708 MicrosoftEdgeCP.exe

pid	process
1580	MicrosoftEdge.exe
4148	MicrosoftEdgeCP.exe
4148	MicrosoftEdgeCP.exe
4460	MicrosoftEdge.exe
4708	MicrosoftEdgeCP.exe
4708	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Gr_rs.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2112 wrote to memory of 496	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 496	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 496	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 2452	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 2452	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 2452	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 3480	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 3480	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 3480	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 3528	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 3528	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 3528	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 1092	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 1092	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 1092	2112	Gr_rs.exe	vssadmin.exe
PID 2112 wrote to memory of 3852	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 3852	2112	Gr_rs.exe	wmic.exe
PID 2112 wrote to memory of 3852	2112	Gr_rs.exe	wmic.exe
PID 4148 wrote to memory of 4212	4148	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4148 wrote to memory of 4212	4148	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4148 wrote to memory of 4212	4148	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4148 wrote to memory of 4212	4148	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4148 wrote to memory of 4212	4148	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4148 wrote to memory of 4212	4148	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4708 wrote to memory of 4772	4708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4708 wrote to memory of 4772	4708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4708 wrote to memory of 4772	4708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4708 wrote to memory of 4772	4708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4708 wrote to memory of 4772	4708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4708 wrote to memory of 4772	4708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Gr_rs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Gr_rs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Gr_rs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gr_rs.exe

C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe
"C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2112

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:496

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3480

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1092

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5
77358288a63c83d3b9d042c28ac9d8fb

SHA1
9213d9e0ac7fadf797bcc660b9035331735f8fd6

SHA256
9802e00285e47df1190917a681067f6e93cd067a70292b388891be1bb451ab8a

SHA512
9c6265ea1540331ab67e2c3b3f78a5a126e9fc1436df7b9bbe6f4977e4e7151dc1c94497a460e799b2316f28f94afb3f30eaba14b89381a9d00d3d072f8061b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
ba306bf7897b8b5c7ea594adda251554

SHA1
32a2a66af0b35114500da76d1baea7f0f46055a7

SHA256
941299067cfe8ef3a45b2719cdbcd862fff890644624c15d18f20474f5b1b17b

SHA512
8ccf01009b101fab0e59ccc7efc12dd72cc14cf9f3d9e732e1588d5f72f685b744d656643147f59819e07016707ebd20825f8d65d20927d7bc8c056fea12c724

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5
641e386bb107cafc0f150402a13787e9

SHA1
155ecd760c5186abc08edbc3e21175db77ed80da

SHA256
c93eb5af7dbb3895f6958e566cb289ff2e243f6d0ed85ddd6a3af53fb4c342fb

SHA512
a28ffffd30c8ea42eef0cc008e9c0774cdf38d1a9679d1299f22bdff9221f7223979cae65f913fbb0aa17d6d4f57aa7fdf52d3abc159a6132970938de051a646

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5
9401f6e95559dcb40cc88d13a402cb6c

SHA1
6e444d35343a42a3f0cedc25f71bdfa27ea9b190

SHA256
e9010285b4d96b1628ef891d083106ecfb4d93075a3b037a22ff846206ba254c

SHA512
646d45dab75d36dbab4b997777b068044a63418487db20d004dcb233c5724f637b0fe37fde4b2fb437e2c0ba73321f3cdb3434a9506797de6107f37112ce5ef9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{4D6F6E5B-603B-4A35-A142-62EDB5739F6C}.dat
MD5
e4c094a3f23d10f3257a0afe5016eac1

SHA1
c0f724552700dc15e2c100786b0c000549a00a32

SHA256
e1cf4fb3bf8d80246c0d3feb463e2b9ca81e84922f990b69976bc4457d6ab819

SHA512
1bf2a5358952269247f2b9278e85c1fe5adf4fa9de1c8cf64647ee4fdc5e8027ff6f114974d20dcaacbf685caca8e1a13a82c249f5f7a15b74ed8065c2da8e74

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{1A42B863-F8AA-4D4A-A7E9-45B138A18888}.dat
MD5
c6032bcfd17b05bb8c76a041d9301afb

SHA1
7ca73656cd16d8ac7857383fa0ee8194b634d749

SHA256
75b738bd5c3a350e702c88e4a302a73d7297fea038887bc343874336ecca4659

SHA512
22e36b94696a0f5106f332d1ead9720f8b26c89359ea9682a15a2b3e06c2df34345dca8460a24d4240aa1026ad9f2949cbb0c00ea3612659b5b0cee8060aa381

Download Submit
C:\Users\Admin\Desktop\Recovery_Instructions.html
MD5
bdbd1767eb0328efa1bab608cf2bb9c4

SHA1
680be04d7df36b035f88006d6e636cf70d6e74d0

SHA256
e2273a0e6086985635b54b78ced76e92a7e4295b8346993d49ebda3b3f018020

SHA512
b69fb25b867087f18e06f9a679fe96b113f484a54e91b91ece606d2817e35c3c776c15e359a0d74c9cacf996ecbcbc3ec042ae4d8c6cfdd6658741b212a9aac0

Download Submit
memory/496-114-0x0000000000000000-mapping.dmp

Download
memory/1092-118-0x0000000000000000-mapping.dmp

Download
memory/2452-115-0x0000000000000000-mapping.dmp

Download
memory/3480-116-0x0000000000000000-mapping.dmp

Download
memory/3528-117-0x0000000000000000-mapping.dmp

Download
memory/3852-119-0x0000000000000000-mapping.dmp

Download