magniber | dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
29-09-2021 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204.dll
Size

38KB
MD5

57cc3140477c915e6202e6b1d2f8bb7e
SHA1

69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
SHA256

dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
SHA512

47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://de9cac1062ec44d0f6ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://de9cac1062ec44d0f6ddihwvy.outwest.top/ddihwvy http://de9cac1062ec44d0f6ddihwvy.coldsum.space/ddihwvy http://de9cac1062ec44d0f6ddihwvy.datesat.site/ddihwvy http://de9cac1062ec44d0f6ddihwvy.outplea.xyz/ddihwvy Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://de9cac1062ec44d0f6ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.outwest.top/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.coldsum.space/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.datesat.site/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.outplea.xyz/ddihwvy

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3596	cmd.exe	13
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3596	cmd.exe	13
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	3596	vssadmin.exe	13

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\LimitReceive.raw => C:\Users\Admin\Pictures\LimitReceive.raw.ddihwvy	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SearchUnpublish.raw => C:\Users\Admin\Pictures\SearchUnpublish.raw.ddihwvy	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WritePush.crw => C:\Users\Admin\Pictures\WritePush.crw.ddihwvy	rundll32.exe
File renamed	C:\Users\Admin\Pictures\DismountMount.tif => C:\Users\Admin\Pictures\DismountMount.tif.ddihwvy	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ImportInvoke.tif => C:\Users\Admin\Pictures\ImportInvoke.tif.ddihwvy	rundll32.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe
PID 856 set thread context of 0	856	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3372	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-3624 = "121"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-3624 = "microsoft.microsoftedge_8wekyb3d8bbwe/006"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000002f04d9db370e451e39ccbf2760fe82dfa7234f28db7f99f73407de5e209d15f356570fbcbcb430e587f8d05e595e0b3f1cdc1913aef5c4f02ef0	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2cccb41c0ab5d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{FC159B3D-300E-40A3-ACC9-A9FE890E5A07}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities\121 = 53002d0031002d00310035002d0033002d003100000053002d0031002d00310035002d0033002d003900000053002d0031002d00310035002d0033002d0033003200310035003400330030003800380034002d0031003300330039003800310036003200390032002d00380039003200350037003600310036002d003100310034003500380033003100300031003900000053002d0031002d00310035002d0033002d003700380037003400340038003200350034002d0031003200300037003900370032003800350038002d0033003500350038003600330033003600320032002d003100300035003900380038003600390036003400000053002d0031002d00310035002d0033002d0033003800340035003200370033003400360033002d0031003300330031003400320037003700300032002d0031003100380036003500350031003100390035002d003100310034003800310030003900390037003700000053002d0031002d00310035002d0033002d0031003000320034002d0031003000360035003300360035003900330036002d0031003200380031003600300034003700310036002d0033003500310031003700330038003400320038002d0031003600350034003700320031003600380037002d003400330032003700330034003400370039002d0033003200330032003100330035003800300036002d0034003000350033003200360034003100320032002d003300340035003600390033003400360038003100000053002d0031002d00310035002d0033002d0031003000320034002d0033003600320033003800350035003000340031002d0031003800320036003900390039003900350036002d0033003700340037003000360039003800310038002d0033003500320035003200360030003200320033002d0033003700340037003300370034003500310030002d0031003700340036003200370032003600320034002d003900350030003600300031003100360038002d0035003600350035003600330033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400300035003400340033003400380039002d003800370034003000330036003100320032002d0034003200380036003000330035003500350035002d0031003800320033003900320031003500360035002d0031003700340036003500340037003400330031002d0032003400350033003800380035003400340038002d0033003600320035003900350032003900300032002d00390039003100360033003100320035003600000053002d0031002d00310035002d0033002d0031003000320034002d0031003500300032003800320035003100360036002d0031003900360033003700300038003300340035002d0032003600310036003300370037003400360031002d0032003500360032003800390037003000370034002d0034003100390032003000320038003300370032002d0033003900360038003300300031003500370030002d0031003900390037003600320038003600390032002d003100340033003500390035003300360032003200000053002d0031002d00310035002d0033002d0031003000320034002d0033003200300033003300350031003400320039002d0032003100320030003400340033003700380034002d0032003800370032003600370030003700390037002d0031003900310038003900350038003300300032002d0032003800320039003000350035003600340037002d0034003200370035003700390034003500310039002d003700360035003600360034003400310034002d003200370035003100370037003300330033003400000053002d0031002d00310035002d0033002d0031003000320034002d0031003700380038003100320039003300300033002d0032003100380033003200300038003500370037002d0033003900390039003400370034003200370032002d0033003100340037003300350039003900380035002d0031003700350037003300320032003100390033002d0033003800310035003700350036003300380036002d003100350031003500380032003100380030002d003100380038003800310030003100310039003300000053002d0031002d00310035002d0033002d0031003000320034002d0033003100350033003500300039003600310033002d003900360030003600360036003700360037002d0033003700320034003600310031003100330035002d0032003700320035003600360032003600340030002d00310032003100330038003200350033002d003500340033003900310030003200320037002d0031003900350030003400310034003600330035002d003400310039003000320039003000310038003700000053002d0031002d00310035002d0033002d0031003000320034002d003100320036003000370038003500390033002d0033003600350038003600380036003700320038002d0031003900380034003800380033003300300036002d003800320031003300390039003600390036002d0033003600380034003000370039003900360030002d003500360034003000330038003600380030002d0033003400310034003800380030003000390038002d003300340033003500380032003500320030003100000053002d0031002d00310035002d0033002d0031003000320034002d0031003600390032003900370030003100350035002d0034003000350034003800390033003300330035002d003100380035003700310034003000390031002d0033003300360032003600300031003900340033002d0033003500320036003500390033003100380031002d0031003100350039003800310036003900380034002d0032003100390039003000300038003500380031002d00340039003700340039003200390039003100000053002d0031002d00310035002d0033002d0031003000320034002d003200320030003000320032003700370030002d003700300031003200360031003900380034002d0033003900390031003200390032003900350036002d0034003200300038003700350031003000320030002d0032003900310038003200390033003000350038002d0033003300390036003400310039003300330031002d0031003700300030003900330032003300340038002d003200300037003800330036003400380039003100000053002d0031002d00310035002d0033002d0031003000320034002d003500320038003100310038003900360036002d0033003800370036003800370034003300390038002d003700300039003500310033003500370031002d0031003900300037003800370033003000380034002d0033003500390038003200320037003600330034002d0033003600390038003700330030003000360030002d003200370038003000370037003700380038002d003300390039003000360030003000320030003500000053002d0031002d00310035002d0033002d0031003000320034002d0031003800360034003100310031003700350034002d003700370036003200370033003300310037002d0033003600360036003900320035003000320037002d0032003500320033003900300038003000380031002d0033003700390032003400350038003200300036002d0033003500380032003400370032003400330037002d0034003100310034003400310039003900370037002d003100350038003200380038003400380035003700000053002d0031002d00310035002d0033002d0031003000320034002d0034003000340034003800330035003100330039002d0032003600350038003400380032003000340031002d0033003100320037003900370033003100360034002d003300320039003200380037003200330031002d0033003800360035003800380030003800360031002d0031003900330038003600380035003600340033002d003400360031003000360037003600350038002d003100300038003700300030003000340032003200000053002d0031002d00310035002d0033002d0031003000320034002d0032003900320032003200390036003200360031002d0031003600340037003400380032003700360038002d0032003000310037003000390031003100340036002d0033003800350038003600360037003000360038002d0034003100330035003600360033003600360032002d0032003900330031003900380035003800390034002d0031003600320037003800320030003900320035002d00380031003800330036003600340033003100000053002d0031002d00310035002d0033002d003300000053002d0031002d00310035002d0033002d003800000053002d0031002d00310035002d0033002d0031003000320034002d0032003400340030003300300036003300370037002d0033003300300034003600310031003000340039002d0031003400390034003300390039003000370031002d0031003100360031003900320036003200320033002d003100360033003900310032003300380034002d0031003400330037003000360035003700370033002d0031003400350036003800320030003500360030002d00320033003900300031003500380031003900360000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-3624 = "microsoft.microsoftedge_8wekyb3d8bbwe/001"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bd1f471c0ab5d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\WasEverActivated = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4032	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
856	rundll32.exe
856	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	Process not Found

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
3936	MicrosoftEdgeCP.exe
3936	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeShutdownPrivilege	2740	Process not Found
Token: SeCreatePagefilePrivilege	2740	Process not Found
Token: SeIncreaseQuotaPrivilege	644	wmic.exe
Token: SeSecurityPrivilege	644	wmic.exe
Token: SeTakeOwnershipPrivilege	644	wmic.exe
Token: SeLoadDriverPrivilege	644	wmic.exe
Token: SeSystemProfilePrivilege	644	wmic.exe
Token: SeSystemtimePrivilege	644	wmic.exe
Token: SeProfSingleProcessPrivilege	644	wmic.exe
Token: SeIncBasePriorityPrivilege	644	wmic.exe
Token: SeCreatePagefilePrivilege	644	wmic.exe
Token: SeBackupPrivilege	644	wmic.exe
Token: SeRestorePrivilege	644	wmic.exe
Token: SeShutdownPrivilege	644	wmic.exe
Token: SeDebugPrivilege	644	wmic.exe
Token: SeSystemEnvironmentPrivilege	644	wmic.exe
Token: SeRemoteShutdownPrivilege	644	wmic.exe
Token: SeUndockPrivilege	644	wmic.exe
Token: SeManageVolumePrivilege	644	wmic.exe
Token: 33	644	wmic.exe
Token: 34	644	wmic.exe
Token: 35	644	wmic.exe
Token: 36	644	wmic.exe
Token: SeIncreaseQuotaPrivilege	1320	MicrosoftEdge.exe
Token: SeSecurityPrivilege	1320	MicrosoftEdge.exe
Token: SeTakeOwnershipPrivilege	1320	MicrosoftEdge.exe
Token: SeLoadDriverPrivilege	1320	MicrosoftEdge.exe
Token: SeSystemProfilePrivilege	1320	MicrosoftEdge.exe
Token: SeSystemtimePrivilege	1320	MicrosoftEdge.exe
Token: SeProfSingleProcessPrivilege	1320	MicrosoftEdge.exe
Token: SeIncBasePriorityPrivilege	1320	MicrosoftEdge.exe
Token: SeCreatePagefilePrivilege	1320	MicrosoftEdge.exe
Token: SeBackupPrivilege	1320	MicrosoftEdge.exe
Token: SeRestorePrivilege	1320	MicrosoftEdge.exe
Token: SeShutdownPrivilege	1320	MicrosoftEdge.exe
Token: SeDebugPrivilege	1320	MicrosoftEdge.exe
Token: SeSystemEnvironmentPrivilege	1320	MicrosoftEdge.exe
Token: SeRemoteShutdownPrivilege	1320	MicrosoftEdge.exe
Token: SeUndockPrivilege	1320	MicrosoftEdge.exe
Token: SeManageVolumePrivilege	1320	MicrosoftEdge.exe
Token: 33	1320	MicrosoftEdge.exe
Token: 34	1320	MicrosoftEdge.exe
Token: 35	1320	MicrosoftEdge.exe
Token: 36	1320	MicrosoftEdge.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2740	Process not Found
2740	Process not Found
2740	Process not Found
2740	Process not Found
2740	Process not Found
2740	Process not Found
2740	Process not Found
2740	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2740	Process not Found
1320	MicrosoftEdge.exe
3936	MicrosoftEdgeCP.exe
3936	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2740	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 4032	856	rundll32.exe	68
PID 856 wrote to memory of 4032	856	rundll32.exe	68
PID 856 wrote to memory of 3936	856	rundll32.exe	72
PID 856 wrote to memory of 3936	856	rundll32.exe	72
PID 856 wrote to memory of 644	856	rundll32.exe	74
PID 856 wrote to memory of 644	856	rundll32.exe	74
PID 856 wrote to memory of 3112	856	rundll32.exe	75
PID 856 wrote to memory of 3112	856	rundll32.exe	75
PID 856 wrote to memory of 1004	856	rundll32.exe	76
PID 856 wrote to memory of 1004	856	rundll32.exe	76
PID 1004 wrote to memory of 1320	1004	cmd.exe	94
PID 1004 wrote to memory of 1320	1004	cmd.exe	94
PID 3112 wrote to memory of 1520	3112	cmd.exe	81
PID 3112 wrote to memory of 1520	3112	cmd.exe	81
PID 2360 wrote to memory of 3364	2360	cmd.exe	89
PID 2360 wrote to memory of 3364	2360	cmd.exe	89
PID 2276 wrote to memory of 2864	2276	cmd.exe	90
PID 2276 wrote to memory of 2864	2276	cmd.exe	90
PID 3936 wrote to memory of 1252	3936	MicrosoftEdgeCP.exe	98
PID 3936 wrote to memory of 1252	3936	MicrosoftEdgeCP.exe	98
PID 3936 wrote to memory of 1252	3936	MicrosoftEdgeCP.exe	98
PID 3936 wrote to memory of 1252	3936	MicrosoftEdgeCP.exe	98
PID 3936 wrote to memory of 1252	3936	MicrosoftEdgeCP.exe	98
PID 3936 wrote to memory of 1252	3936	MicrosoftEdgeCP.exe	98

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4032
- C:\Windows\system32\cmd.exe
  cmd /c "start http://de9cac1062ec44d0f6ddihwvy.outwest.top/ddihwvy^&1^&46369875^&66^&297^&2215063"
  2⤵
  PID:3936
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3364

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-120-0x0000025ED7C30000-0x0000025ED7C31000-memory.dmp

Filesize
4KB

Download
memory/856-137-0x0000000102340000-0x0000000102341000-memory.dmp

Filesize
4KB

Download
memory/856-116-0x0000025ED7BF0000-0x0000025ED7BF1000-memory.dmp

Filesize
4KB

Download
memory/856-119-0x0000025ED7C20000-0x0000025ED7C21000-memory.dmp

Filesize
4KB

Download
memory/856-115-0x0000025ED7BE0000-0x0000025ED7BE1000-memory.dmp

Filesize
4KB

Download
memory/856-121-0x0000025ED7C40000-0x0000025ED7C41000-memory.dmp

Filesize
4KB

Download
memory/856-123-0x0000025ED8530000-0x0000025ED8531000-memory.dmp

Filesize
4KB

Download
memory/856-124-0x0000025ED8540000-0x0000025ED8541000-memory.dmp

Filesize
4KB

Download
memory/856-122-0x0000025ED8520000-0x0000025ED8521000-memory.dmp

Filesize
4KB

Download
memory/856-125-0x0000025ED8550000-0x0000025ED8551000-memory.dmp

Filesize
4KB

Download
memory/856-128-0x0000000100820000-0x0000000100825000-memory.dmp

Filesize
20KB

Download
memory/856-117-0x0000025ED7C00000-0x0000025ED7C01000-memory.dmp

Filesize
4KB

Download
memory/856-118-0x0000025ED7C10000-0x0000025ED7C11000-memory.dmp

Filesize
4KB

Download
memory/856-114-0x0000025ED7C70000-0x0000025ED84F4000-memory.dmp

Filesize
8.5MB

Download
memory/856-127-0x0000000100810000-0x0000000100811000-memory.dmp

Filesize
4KB

Download
memory/3804-126-0x000001C072660000-0x000001C072668000-memory.dmp

Filesize
32KB

Download