ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40

Analysis

max time kernel
152s
max time network
143s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe
Size

300KB
MD5

beb272ed6ca4bb3559758c8c6426eade
SHA1

836654dee6d0d60b6e0e1483d05e0bf29c0f97a7
SHA256

ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40
SHA512

960bb6d3352bd7ce68f0963829a0df136ba6f94f1b9881e76ed7f21a9dd79f4b508ced38980ecaeddf5b9fae08b0b5ac2318ddda82f9abf3c9c96b77a06a4a0f

Score

10^/10

persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\how_recover+ksk.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://idjsnfnkwjefnsdf.likinrealm.com/2654F9FABF5E1A61 2. http://krfdnhfnsai3d.abeleros.com/2654F9FABF5E1A61 3. http://idjsnfnkwjefnsdf.likinrealm.com/2654F9FABF5E1A61 4. https://4nauizsaaopuj3qj.onion.to/2654F9FABF5E1A61 5. https://4nauizsaaopuj3qj.tor2web.org/2654F9FABF5E1A61 6. https://4nauizsaaopuj3qj.onion.cab/2654F9FABF5E1A61 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: 4nauizsaaopuj3qj.onion/2654F9FABF5E1A61 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://idjsnfnkwjefnsdf.likinrealm.com/2654F9FABF5E1A61 http://krfdnhfnsai3d.abeleros.com/2654F9FABF5E1A61 http://idjsnfnkwjefnsdf.likinrealm.com/2654F9FABF5E1A61 https://4nauizsaaopuj3qj.onion.to/2654F9FABF5E1A61 !!! Your personal page in TOR Browser: 4nauizsaaopuj3qj.onion/2654F9FABF5E1A61 !!! Your personal identification ID: 2654F9FABF5E1A61 00000000000000000000000000000

URLs

http://idjsnfnkwjefnsdf.likinrealm.com/2654F9FABF5E1A61

http://krfdnhfnsai3d.abeleros.com/2654F9FABF5E1A61

https://4nauizsaaopuj3qj.onion.to/2654F9FABF5E1A61

https://4nauizsaaopuj3qj.tor2web.org/2654F9FABF5E1A61

https://4nauizsaaopuj3qj.onion.cab/2654F9FABF5E1A61

http://4nauizsaaopuj3qj.onion/2654F9FABF5E1A61

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
suricata: ET MALWARE HTTP POST to WP Theme Directory Without Referer
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

rxtgrhe45.exe

pid process

768 rxtgrhe45.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rxtgrhe45.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OutReset.raw => C:\Users\Admin\Pictures\OutReset.raw.xxx	rxtgrhe45.exe
File renamed	C:\Users\Admin\Pictures\RedoWatch.png => C:\Users\Admin\Pictures\RedoWatch.png.xxx	rxtgrhe45.exe
File renamed	C:\Users\Admin\Pictures\SelectRename.crw => C:\Users\Admin\Pictures\SelectRename.crw.xxx	rxtgrhe45.exe
File renamed	C:\Users\Admin\Pictures\WaitGet.crw => C:\Users\Admin\Pictures\WaitGet.crw.xxx	rxtgrhe45.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rxtgrhe45.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	rxtgrhe45.exe

Drops startup file 4 IoCs

Processes:

rxtgrhe45.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ksk.html	rxtgrhe45.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rxtgrhe45.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas = "C:\\Users\\Admin\\AppData\\Roaming\\rxtgrhe45.exe"	rxtgrhe45.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	rxtgrhe45.exe

Drops file in Program Files directory 64 IoCs

Processes:

rxtgrhe45.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\Logo.scale-150.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-125.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-100.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-unplated.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80_altform-unplated.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-64.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-100.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Stripes\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\giggle.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppCS\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-200.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-unplated.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-300.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-40.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125_contrast-high.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-200.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-100.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\ellipsis_16x16x32.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\189.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-up.mobile.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\how_recover+ksk.html	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\hr_16x11.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Reference Assemblies\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-125.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-100.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72_altform-unplated.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\eu_16x11.png	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\how_recover+ksk.txt	rxtgrhe45.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_RTL_Tablet.mp4	rxtgrhe45.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2864 vssadmin.exe
1840 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	process
2864	vssadmin.exe
1840	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000007fbf77f0471c1a3ce9e12c90f0fc76e1f767c1edebf257ce04ee62cab02846b2a6f43f06cc1c58c857002f65c906e43dcc96c4bebed8f758de68	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 45de57cc3682d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 307b74cc3682d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 34c142e13682d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2912fcc73682d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000013298a8f8b2faa7f1db86644544a4ba4c30ffff16f4baf1978f46b255ce53d1aba4e60d2905e200a154b9a96fd310c198079a88d82ac849892efc9e24193359b1765c4ea98baf09afb56b350a5d74adf42779462482d013e7a50	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = d01bab2b6982d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7f1fccda3682d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

232 NOTEPAD.EXE

pid	process
232	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rxtgrhe45.exe

pid	process
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe
768	rxtgrhe45.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3896 MicrosoftEdgeCP.exe

pid	process
3896	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exerxtgrhe45.exevssvc.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe
Token: SeDebugPrivilege	768	rxtgrhe45.exe
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe
Token: SeDebugPrivilege	3052	MicrosoftEdge.exe
Token: SeDebugPrivilege	3052	MicrosoftEdge.exe
Token: SeDebugPrivilege	3052	MicrosoftEdge.exe
Token: SeDebugPrivilege	3052	MicrosoftEdge.exe
Token: SeDebugPrivilege	2672	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2672	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2672	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2672	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3052 MicrosoftEdge.exe
3896 MicrosoftEdgeCP.exe
3896 MicrosoftEdgeCP.exe

pid	process
3052	MicrosoftEdge.exe
3896	MicrosoftEdgeCP.exe
3896	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exerxtgrhe45.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 628 wrote to memory of 768	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe	rxtgrhe45.exe
PID 628 wrote to memory of 768	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe	rxtgrhe45.exe
PID 628 wrote to memory of 768	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe	rxtgrhe45.exe
PID 628 wrote to memory of 3668	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe	cmd.exe
PID 628 wrote to memory of 3668	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe	cmd.exe
PID 628 wrote to memory of 3668	628	ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe	cmd.exe
PID 768 wrote to memory of 2864	768	rxtgrhe45.exe	vssadmin.exe
PID 768 wrote to memory of 2864	768	rxtgrhe45.exe	vssadmin.exe
PID 768 wrote to memory of 232	768	rxtgrhe45.exe	NOTEPAD.EXE
PID 768 wrote to memory of 232	768	rxtgrhe45.exe	NOTEPAD.EXE
PID 768 wrote to memory of 232	768	rxtgrhe45.exe	NOTEPAD.EXE
PID 768 wrote to memory of 1840	768	rxtgrhe45.exe	vssadmin.exe
PID 768 wrote to memory of 1840	768	rxtgrhe45.exe	vssadmin.exe
PID 768 wrote to memory of 4104	768	rxtgrhe45.exe	cmd.exe
PID 768 wrote to memory of 4104	768	rxtgrhe45.exe	cmd.exe
PID 768 wrote to memory of 4104	768	rxtgrhe45.exe	cmd.exe
PID 3896 wrote to memory of 2672	3896	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3896 wrote to memory of 2672	3896	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3896 wrote to memory of 2672	3896	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3896 wrote to memory of 2672	3896	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3896 wrote to memory of 2672	3896	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3896 wrote to memory of 2672	3896	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

rxtgrhe45.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rxtgrhe45.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	rxtgrhe45.exe

C:\Users\Admin\AppData\Local\Temp\ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe
"C:\Users\Admin\AppData\Local\Temp\ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Roaming\rxtgrhe45.exe
C:\Users\Admin\AppData\Roaming\rxtgrhe45.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:768

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:2864

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT
3⤵
- Opens file in notepad (likely ransom note)
PID:232

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\RXTGRH~1.EXE
3⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AC6F48~1.EXE
2⤵
PID:3668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rxtgrhe45.exe
MD5
beb272ed6ca4bb3559758c8c6426eade

SHA1
836654dee6d0d60b6e0e1483d05e0bf29c0f97a7

SHA256
ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40

SHA512
960bb6d3352bd7ce68f0963829a0df136ba6f94f1b9881e76ed7f21a9dd79f4b508ced38980ecaeddf5b9fae08b0b5ac2318ddda82f9abf3c9c96b77a06a4a0f

Download Submit
C:\Users\Admin\AppData\Roaming\rxtgrhe45.exe
MD5
beb272ed6ca4bb3559758c8c6426eade

SHA1
836654dee6d0d60b6e0e1483d05e0bf29c0f97a7

SHA256
ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40

SHA512
960bb6d3352bd7ce68f0963829a0df136ba6f94f1b9881e76ed7f21a9dd79f4b508ced38980ecaeddf5b9fae08b0b5ac2318ddda82f9abf3c9c96b77a06a4a0f

Download Submit
C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM
MD5
7f87edb54abb031b17584aaa3ac51097

SHA1
ad07befab730344b57060739069ea36fd76831b5

SHA256
d31b1c87865794c498888d1d39dd7dd8ad39adf937913b58ff24a76b95038ce2

SHA512
5435c3ef54bf576961e77d7bfa9c975e588c85d4bee6d601fca06df1bfc77496b756d08d1ae12e075eb5749df0a0b0e23d63820ab0289fcaf25c540edc4b8dbd

Download Submit
C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT
MD5
42422ab76d75b8b4d90c86e65ca9b413

SHA1
f7f04c0f1fc49fe589764d10584fd914620e9a4c

SHA256
282573a2dfb1d8d4c2877af48701e755b5d57d63608c8aacde4cff3fff3ead2c

SHA512
bc0038265ef9748ed54e7bd86742fcacb7efac2dccb63520054de92fdbd94286ed0ed9e1493d789c86dd34eb520c92d265cfd08d6e6bacf1eef2a1087a44e403

Download Submit
memory/232-119-0x0000000000000000-mapping.dmp

Download
memory/768-114-0x0000000000000000-mapping.dmp

Download
memory/1840-122-0x0000000000000000-mapping.dmp

Download
memory/2864-118-0x0000000000000000-mapping.dmp

Download
memory/3668-117-0x0000000000000000-mapping.dmp

Download
memory/4104-123-0x0000000000000000-mapping.dmp

Download