25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e

Analysis

max time kernel
1814s
max time network
1819s
platform
windows10_x64
resource
win10-20220331-en
submitted
07-04-2022 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
Size

324KB
MD5

0d8ff116ce8976fc820c996a6ee90c3a
SHA1

f04aa63508e99c54095cba747f31fb28fbfd392e
SHA256

25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e
SHA512

2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3729659790-1998850411-3319863756-1000\how_recover+aqr.txt

Ransom Note

________________________1234____________________________________- What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? ________________________1234____________________________________ Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. ________________________1234____________________________________ For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gfhshhf.home7dfg4.com/A1C3162A4A639533 2. http://td63hftt.buwve5ton2.com/A1C3162A4A639533 3. https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: tw7kaqthui5ojcez.onion/A1C3162A4A639533 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://gfhshhf.home7dfg4.com/A1C3162A4A639533 http://td63hftt.buwve5ton2.com/A1C3162A4A639533 https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533 Your personal page (using TOR-Browser): tw7kaqthui5ojcez.onion/A1C3162A4A639533 Your personal identification number (if you open the site (or TOR-Browser's) directly): A1C3162A4A639533

URLs

http://gfhshhf.home7dfg4.com/A1C3162A4A639533

http://td63hftt.buwve5ton2.com/A1C3162A4A639533

https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533

http://tw7kaqthui5ojcez.onion/A1C3162A4A639533

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3729659790-1998850411-3319863756-1000\how_recover+aqr.html

Ransom Note

<html>  <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;">  <center> <div style="text-align:left; font-family:Arial;  font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> What happened  to your files? All of your files were protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What  does this mean? This means that the  structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your  files were encrypted with the public key,  which has been  transferred to your computer via the Internet.  Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our Secret Server!!! * What do I do? Alas, if you  do not take  the necessary measures for the specified  time then the conditions for  obtaining the private key will be changed.  If you really need  your data, then we suggest you  do not waste valuable  time searching for other  solutions becausen  they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your  personal home page, there are a few  different addresses pointing to  your page below: <hr> 1.<a href="http://gfhshhf.home7dfg4.com/A1C3162A4A639533" target="_blank">http://gfhshhf.home7dfg4.com/A1C3162A4A639533</a> 2.<a href="http://td63hftt.buwve5ton2.com/A1C3162A4A639533" target="_blank">http://td63hftt.buwve5ton2.com/A1C3162A4A639533</a> 3.<a href="https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533" target="_blank">https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the  addresses are not available,  follow these steps: <hr> 1.  Download and  install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2.  After a successful installation, run the browser and wait for initialization. 3.  Type in the tor-browser address bar: tw7kaqthui5ojcez.onion/A1C3162A4A639533 4.  Follow the instructions  on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;">  Your Personal PAGES: <a href="http://gfhshhf.home7dfg4.com/A1C3162A4A639533" target="_blank">http://gfhshhf.home7dfg4.com/A1C3162A4A639533</a> <a href="http://td63hftt.buwve5ton2.com/A1C3162A4A639533" target="_blank">http://td63hftt.buwve5ton2.com/A1C3162A4A639533</a>  <a href="https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533" target="_blank">  https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533</a>  Your  Personal PAGES  (using TOR-Browser): tw7kaqthui5ojcez.onion/A1C3162A4A639533  Your personal  code  (if you open the  site (or TOR-Browser's) directly):  A1C3162A4A639533 </div></div></center></body></html>

URLs

https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533</a>

Extracted

Path

C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

Ransom Note

to your files? protected by a strong encryption with RSA-2048 More information about the encryption RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) does this mean? means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our Secret Server!!! * do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions becausen they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1.http://gfhshhf.home7dfg4.com/A1C3162A4A639533 2.http://td63hftt.buwve5ton2.com/A1C3162A4A639533 3.https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the tor-browser address bar: tw7kaqthui5ojcez.onion/A1C3162A4A639533 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your Personal PAGES: http://gfhshhf.home7dfg4.com/A1C3162A4A639533 http://td63hftt.buwve5ton2.com/A1C3162A4A639533 https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533 Your Personal PAGES (using TOR-Browser): tw7kaqthui5ojcez.onion/A1C3162A4A639533 Your personal code (if you open the site (or TOR-Browser's) directly):

URLs

http://tw7kaqthui5ojcez.onion/A1C3162A4A639533

http://gfhshhf.home7dfg4.com/A1C3162A4A639533

http://td63hftt.buwve5ton2.com/A1C3162A4A639533

https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2308 bcdedit.exe
3840 bcdedit.exe
4136 bcdedit.exe
4332 bcdedit.exe
4428 bcdedit.exe
Executes dropped EXE 2 IoCs

Processes:

giiit-a.exegiiit-a.exe

pid process

2108 giiit-a.exe
2676 giiit-a.exe

pid	process
2308	bcdedit.exe
3840	bcdedit.exe
4136	bcdedit.exe
4332	bcdedit.exe
4428	bcdedit.exe

pid	process
2108	giiit-a.exe
2676	giiit-a.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

giiit-a.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RedoRestart.crw => C:\Users\Admin\Pictures\RedoRestart.crw.vvv	giiit-a.exe
File renamed	C:\Users\Admin\Pictures\WatchSearch.raw => C:\Users\Admin\Pictures\WatchSearch.raw.vvv	giiit-a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

giiit-a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Control Panel\International\Geo\Nation	giiit-a.exe

Drops startup file 4 IoCs

Processes:

giiit-a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+aqr.txt	giiit-a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

giiit-a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run	giiit-a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run\hgjuy78gfh = "C:\\Users\\Admin\\AppData\\Roaming\\giiit-a.exe"	giiit-a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	giiit-a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hgjuy78gfh = "C:\\Users\\Admin\\AppData\\Roaming\\giiit-a.exe"	giiit-a.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 myexternalip.com
4 myexternalip.com

flow	ioc
2	myexternalip.com
4	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exegiiit-a.exe

description	pid	process	target process
PID 1744 set thread context of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 2108 set thread context of 2676	2108	giiit-a.exe	giiit-a.exe

Drops file in Program Files directory 64 IoCs

Processes:

giiit-a.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bb_16x11.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\Common Files\System\ado\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\OptInPopup\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\11891_20x20x32.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-400.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png	giiit-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Donut_icon.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-100.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nu_60x42.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\qa_16x11.png	giiit-a.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabTiles.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\hm_60x42.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-200.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\sr-latn-cs\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png	giiit-a.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabMaster.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1249_72x72x32.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-150.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\moe_default_icon.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6478_24x24x32.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_24x24x32.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sunglasses.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-400.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-60_altform-unplated.png	giiit-a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\TriPeaks\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_windowed.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\how_recover+aqr.txt	giiit-a.exe
File opened for modification	C:\Program Files\Windows Defender\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_13c.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\am_60x42.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5664_32x32x32.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	giiit-a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Light.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13s.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-400.png	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sv.pak	giiit-a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\how_recover+aqr.html	giiit-a.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\how_recover+aqr.txt	giiit-a.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1324 vssadmin.exe
2768 vssadmin.exe

pid	process
1324	vssadmin.exe
2768	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exegiiit-a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings	giiit-a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "355529990"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = fce44b2cf544d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1708 NOTEPAD.EXE

pid	process
1708	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

giiit-a.exe

pid	process
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe
2676	giiit-a.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

792 MicrosoftEdgeCP.exe

pid	process
792	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exegiiit-a.exevssvc.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
Token: SeDebugPrivilege	2676	giiit-a.exe
Token: SeBackupPrivilege	4648	vssvc.exe
Token: SeRestorePrivilege	4648	vssvc.exe
Token: SeAuditPrivilege	4648	vssvc.exe
Token: SeDebugPrivilege	3748	MicrosoftEdge.exe
Token: SeDebugPrivilege	3748	MicrosoftEdge.exe
Token: SeDebugPrivilege	3748	MicrosoftEdge.exe
Token: SeDebugPrivilege	3748	MicrosoftEdge.exe
Token: SeDebugPrivilege	2172	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2172	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2172	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2172	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1816	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1816	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3748 MicrosoftEdge.exe
792 MicrosoftEdgeCP.exe
792 MicrosoftEdgeCP.exe

pid	process
3748	MicrosoftEdge.exe
792	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exeVirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exegiiit-a.exegiiit-a.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1744 wrote to memory of 1804	1744	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
PID 1804 wrote to memory of 2108	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	giiit-a.exe
PID 1804 wrote to memory of 2108	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	giiit-a.exe
PID 1804 wrote to memory of 2108	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	giiit-a.exe
PID 1804 wrote to memory of 2544	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	cmd.exe
PID 1804 wrote to memory of 2544	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	cmd.exe
PID 1804 wrote to memory of 2544	1804	VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe	cmd.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2108 wrote to memory of 2676	2108	giiit-a.exe	giiit-a.exe
PID 2676 wrote to memory of 2308	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 2308	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 3840	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 3840	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 4136	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 4136	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 4332	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 4332	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 4428	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 4428	2676	giiit-a.exe	bcdedit.exe
PID 2676 wrote to memory of 1324	2676	giiit-a.exe	vssadmin.exe
PID 2676 wrote to memory of 1324	2676	giiit-a.exe	vssadmin.exe
PID 2676 wrote to memory of 1708	2676	giiit-a.exe	NOTEPAD.EXE
PID 2676 wrote to memory of 1708	2676	giiit-a.exe	NOTEPAD.EXE
PID 2676 wrote to memory of 1708	2676	giiit-a.exe	NOTEPAD.EXE
PID 2676 wrote to memory of 2768	2676	giiit-a.exe	vssadmin.exe
PID 2676 wrote to memory of 2768	2676	giiit-a.exe	vssadmin.exe
PID 792 wrote to memory of 2172	792	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 792 wrote to memory of 2172	792	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 792 wrote to memory of 2172	792	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 792 wrote to memory of 2172	792	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 792 wrote to memory of 2172	792	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 792 wrote to memory of 2172	792	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2676 wrote to memory of 8	2676	giiit-a.exe	cmd.exe
PID 2676 wrote to memory of 8	2676	giiit-a.exe	cmd.exe
PID 2676 wrote to memory of 8	2676	giiit-a.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

giiit-a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	giiit-a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	giiit-a.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Roaming\giiit-a.exe
C:\Users\Admin\AppData\Roaming\giiit-a.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Roaming\giiit-a.exe
C:\Users\Admin\AppData\Roaming\giiit-a.exe
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2676

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} bootems off
5⤵
- Modifies boot configuration data using bcdedit
PID:2308

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} advancedoptions off
5⤵
- Modifies boot configuration data using bcdedit
PID:3840

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} optionsedit off
5⤵
- Modifies boot configuration data using bcdedit
PID:4136

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
5⤵
- Modifies boot configuration data using bcdedit
PID:4332

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} recoveryenabled off
5⤵
- Modifies boot configuration data using bcdedit
PID:4428

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
5⤵
- Interacts with shadow copies
PID:1324

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
5⤵
- Opens file in notepad (likely ransom note)
PID:1708

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
5⤵
- Interacts with shadow copies
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\giiit-a.exe
5⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
3⤵
PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+aqr.html
Filesize
6KB

MD5
e18dba1ebbcab07a2b7185a9f2153387

SHA1
a50ad8974c5d22deace6eace082213bf10268df7

SHA256
c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b

SHA512
0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+aqr.txt
Filesize
2KB

MD5
b66aa2f0d1e866cb2cff6f450c96032c

SHA1
077c6ef88987c26d01a94eeadd9453f82e66a045

SHA256
0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77

SHA512
8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+aqr.html
Filesize
6KB

MD5
e18dba1ebbcab07a2b7185a9f2153387

SHA1
a50ad8974c5d22deace6eace082213bf10268df7

SHA256
c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b

SHA512
0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+aqr.txt
Filesize
2KB

MD5
b66aa2f0d1e866cb2cff6f450c96032c

SHA1
077c6ef88987c26d01a94eeadd9453f82e66a045

SHA256
0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77

SHA512
8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+aqr.html
Filesize
6KB

MD5
e18dba1ebbcab07a2b7185a9f2153387

SHA1
a50ad8974c5d22deace6eace082213bf10268df7

SHA256
c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b

SHA512
0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+aqr.txt
Filesize
2KB

MD5
b66aa2f0d1e866cb2cff6f450c96032c

SHA1
077c6ef88987c26d01a94eeadd9453f82e66a045

SHA256
0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77

SHA512
8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f

Download Submit
C:\Users\Admin\AppData\Roaming\giiit-a.exe
Filesize
324KB

MD5
0d8ff116ce8976fc820c996a6ee90c3a

SHA1
f04aa63508e99c54095cba747f31fb28fbfd392e

SHA256
25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e

SHA512
2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a

Download Submit
C:\Users\Admin\AppData\Roaming\giiit-a.exe
Filesize
324KB

MD5
0d8ff116ce8976fc820c996a6ee90c3a

SHA1
f04aa63508e99c54095cba747f31fb28fbfd392e

SHA256
25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e

SHA512
2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a

Download Submit
C:\Users\Admin\AppData\Roaming\giiit-a.exe
Filesize
324KB

MD5
0d8ff116ce8976fc820c996a6ee90c3a

SHA1
f04aa63508e99c54095cba747f31fb28fbfd392e

SHA256
25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e

SHA512
2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
Filesize
6KB

MD5
e18dba1ebbcab07a2b7185a9f2153387

SHA1
a50ad8974c5d22deace6eace082213bf10268df7

SHA256
c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b

SHA512
0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
Filesize
2KB

MD5
b66aa2f0d1e866cb2cff6f450c96032c

SHA1
077c6ef88987c26d01a94eeadd9453f82e66a045

SHA256
0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77

SHA512
8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f

Download Submit
memory/8-142-0x0000000000000000-mapping.dmp

Download
memory/1324-136-0x0000000000000000-mapping.dmp

Download
memory/1708-137-0x0000000000000000-mapping.dmp

Download
memory/1744-116-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/1804-118-0x00000000004097F0-mapping.dmp

Download
memory/1804-117-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-119-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1804-120-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2108-121-0x0000000000000000-mapping.dmp

Download
memory/2108-124-0x0000000000830000-0x0000000000833000-memory.dmp

Filesize
12KB

Download
memory/2308-131-0x0000000000000000-mapping.dmp

Download
memory/2544-125-0x0000000000000000-mapping.dmp

Download
memory/2676-127-0x00000000004097F0-mapping.dmp

Download
memory/2676-130-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2676-129-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-140-0x0000000000000000-mapping.dmp

Download
memory/3840-132-0x0000000000000000-mapping.dmp

Download
memory/4136-133-0x0000000000000000-mapping.dmp

Download
memory/4332-134-0x0000000000000000-mapping.dmp

Download
memory/4428-135-0x0000000000000000-mapping.dmp

Download