sodinokibi | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2023 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
Size

542KB
MD5

61c19e7ce627da9b5004371f867a47d3
SHA1

4f3b4329871ec269043068a98e9cc929f603268d
SHA256

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9
SHA512

dd919e1dace4e1f246552bbb1b55cd13f38bdac8764afb67624d4331341dff1c3cd75616da26d9deb4e05c04163b78a5ff8b9ffec2f73b2c9b82d5a41e216244
SSDEEP

6144:YONNYdX7HkqEHcTY6uoZzFyKAuGnlOOkl8tuGogbOIVmda9J4:YONNoX7HMHcTY6uoZzFyfONlwNB2

Score

10^/10

sodinokibi 5 367 ransomware spyware stealer

Malware Config

Extracted

Path

C:\lf6836a7ng-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion lf6836a7ng. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/74448695C00D9750 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/74448695C00D9750 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: blW8aFjqzpIHd10YPHVHkRP9Wfd5xoWVm04sd98ZX462lSba43VyTz9ZA4WmjPXK 3VV7hYrlqRJDAoZOjGJkp5O0wqPEvFH5E/UEDSHrSo8wPZp3Jf9SMyqKZtiXntOs dt6EQmmi0pe/1W+4iQYqmeG5n2v0634uv0gaCnnkR3cF3fqcgXJxg28XFf5L+0ET +7WmMywDnQ9DtzEw5wEZVqFVCq2vk2recvOvH/gahwfBYPcg5tkKz3M2n37B706V Nx/caZmi9ms5f8o2CFKLbJOJ0tpCKvAxhLlB5t3HXLbGYWIO3vZikTkWET1BU2KQ 8T9+epVsGXr0odcgoFAGA5XrUUiKpPmQRV2oUX4qF0P7E0Ne7igHGQu9fXTZCQFA ufTnU9Tk8LFvNQ3XTeuL1TlGIxEVvZerzKgSx+3DO1oemRZCn5FwJXYGqSh91xWT JUydptFZdGVXHrSCPQbXGlbo7NHIOeQsSeXNuC0YxYvUmkhVf31kdxUE204kDuG/ UeCq1l7yWgmvQz64qALhfzuKxyaWMuaQIeVLjyvi6uB9MVi7akmTl/3lVv8mfSTi t7VeEl2gLFkffKGpAJhhJM3E2lRBNwhPmrkbngP6V0hXWbLQMqj8c0kNDpXxMVT9 FonmRyxWQ2rj9EHQryuY+sUklPRetkSm0HukaYv5+IsZA6luYbyM2XE2p5lblv66 OBhUTLq7rVIsWMdo8RQ18MWqVrKnv+7+sbv3C8Ztl7DGjh0f5SfaOMEhPsN4xApX Aa4YLPt/W+dcfOg5+sQsMUb2bEXQ9e+aK1MZhtK9onB3u2gG24jZKWkO3x2G47pE FA16ToUW+bv6wQWHWZ0Z11wOLbIKojPwh+QrQMd+7vvGIpQiMHVeVZju4Pu7agJv NkaZCUb/3x3PaiQEzqJXjdHS5aVoRdQO5GxucX1RG2gSqBfKjbTBpkFhD5vRXw0K 7nKtUqiExJ/TwHViTjNjzgQXL/h7u3nDnQOfd72stoDJGFknL84wd4rOHK/+daBL E/W5aqrOi2fKSF6Iaqb4cNqp+Paq9+W4TVU7KG31X+j2UVgKPp2LTOWqGckOcvZe ScI9FkExD21HNwoZO4F19ZyIHc2BQhDoDFT/LbRT3S4OCPXHjy4NIPY8iJVDJ73u Rxamq5lAHM/NU7z83vQ= Extension name: lf6836a7ng ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/74448695C00D9750

http://decryptor.top/74448695C00D9750

Extracted

Family

sodinokibi

Botnet

Campaign

367

Decoy

craftingalegacy.com

g2mediainc.com

brinkdoepke.eu

vipcarrental.ae

autoteamlast.de

hostastay.com

gavelmasters.com

ronaldhendriks.nl

successcolony.com.ng

medicalsupportco.com

kompresory-opravy.com

sveneulberg.de

oththukaruva.com

voetbalhoogeveen.nl

selected-minds.de

log-barn.co.uk

fsbforsale.com

jobkiwi.com.ng

ivancacu.com

11.in.ua

Attributes

net
true
pid
5
prc
wordpad.exe

outlook.exe

tbirdconfig.exe

agntsvc.exe

thebat.exe

mydesktopservice.exe

sqbcoreservice.exe

thunderbird.exe

ocomm.exe

excel.exe

thebat64.exe

steam.exe

xfssvccon.exe

firefoxconfig.exe

sqlagent.exe

ocssd.exe

mydesktopqos.exe

msaccess.exe

isqlplussvc.exe

mspub.exe

winword.exe

sqlbrowser.exe

dbeng50.exe

sqlservr.exe

oracle.exe

encsvc.exe

powerpnt.exe

dbsnmp.exe

infopath.exe

ocautoupds.exe

mysqld_opt.exe

visio.exe

msftesql.exe

mysqld_nt.exe

synctime.exe

sqlwriter.exe

mysqld.exe

onenote.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
367

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\ResizeRepair.tiff	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\CopyMove.png => \??\c:\users\admin\pictures\CopyMove.png.lf6836a7ng	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\JoinInvoke.crw => \??\c:\users\admin\pictures\JoinInvoke.crw.lf6836a7ng	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\RegisterUse.tif => \??\c:\users\admin\pictures\RegisterUse.tif.lf6836a7ng	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\SkipAdd.tif => \??\c:\users\admin\pictures\SkipAdd.tif.lf6836a7ng	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\ResizeRepair.tiff => \??\c:\users\admin\pictures\ResizeRepair.tiff.lf6836a7ng	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\TraceCopy.raw => \??\c:\users\admin\pictures\TraceCopy.raw.lf6836a7ng	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened (read-only)	\??\A:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\L:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\N:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\O:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\P:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\V:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\K:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\M:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\Q:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\S:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\U:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\Z:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\D:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\F:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\I:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\R:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\T:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\W:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\X:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\Y:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\B:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\E:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\G:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\H:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\J:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\77s41.bmp"	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Drops file in Program Files directory 35 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened for modification	\??\c:\program files\ApproveOptimize.emf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\OpenConnect.M2T	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ResolveReceive.wvx	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\CloseStep.edrwx	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\EnableSync.rm	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RenameStart.mp2	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\lf6836a7ng-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\BackupDeny.gif	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\CheckpointApprove.pcx	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\JoinSearch.wmf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\MergeRegister.png	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RepairRestore.mpeg	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\SyncSkip.ttc	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ExportRevoke.vstm	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\DisableExport.ttc	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\EditLimit.vdx	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\EnableClear.rtf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ReceiveRestart.jpeg	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\WaitResolve.midi	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\AddDisable.mpe	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\CompareEnable.cfg	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\StartReset.xml	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ApproveRequest.xlt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\CheckpointResolve.xlsm	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ClearConvertTo.contact	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RegisterSwitch.vssm	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RestartExport.dib	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files\lf6836a7ng-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\BackupMerge.pps	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\DebugLimit.wax	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ReadMerge.otf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ReceiveMove.pptm	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UnregisterOpen.midi	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Drops file in Windows directory 64 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1_none_f35caf2131abed9a.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_de-de_6b17c8d06620d760.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_de-de_d431d440f6bef2b0_rasautou.exe.mui_55686a97	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_ncprov.dll.mui_40240de1	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_14a631980cb7b20a.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.19041.546_none_af7edcb05985488d.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.19041.1_en-us_a47bd7860bac9950.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b641f2883587d6aa_axinstui.exe.mui_aea34130	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sr-..-rs_b2c524b47939e030_msimsg.dll.mui_72e8994f	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fa84bcd97ed5458c_vds.exe.mui_2268d934	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_es-es_53c339fa60537c35.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_en-us_313221c95b98e24b.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_et-ee_5acfcbd46d6163cc_comctl32.dll.mui_0da4e682	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_scdeviceenum.dll.mui_815e7662	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_af1113fd9cfe31c0_vdsutil.dll.mui_0caf9b0e	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_pt-br_ccfd6386dfdf0d78.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5af0d35f5d5822e9_apphelp.dll.mui_59096153	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_da-dk_02d56f028cfc5e3f.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service_31bf3856ad364e35_10.0.19041.546_none_66a0aaafcc19efa6_w32time.dll_2a7540a9	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntosext_31bf3856ad364e35_10.0.19041.1_none_89e4438cceba3f44_ntosext.sys_e9e096c6	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_en-us_313221c95b98e24b_iprtrmgr.dll.mui_eb023b92	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_10.0.19041.1288_none_33d42a5f37165008_msrpc.sys_2e252236	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.19041.153_none_d1a66a77fe3b57f3.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_79327b950c3ce978_win32kbase.sys.mui_07d441e9	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_mofd.dll.mui_793ef98d	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-etw-ese_31bf3856ad364e35_10.0.19041.1_none_854be02225b9bfa7.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_8514sysr.fon_d6a097a2	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sl-si_0c94bc70042838ff_msimsg.dll.mui_72e8994f	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_be1670627d88fc7f.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1202_none_12d2bc7d3fe2a244_kernel32.dll_ef9eca7e	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a5f5f155cd89b58d.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.19041.1_none_0c8c7a5954ab0dda.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_de-de_d942b0e37da37953.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_en-us_fb569e49a9e4cc22.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_en-us_2c89c78983615cee_winload.efi.mui_35ee487d	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_en-us_8f48a1e2598394c7_sti.dll.mui_00a4f15b	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_659b8edb96b66240_comctl32.dll.mui_0da4e682	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_0d9468386d9ee63a_winlogon.exe.mui_3280fc46	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_wmiutils.dll.mui_42583eaf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-fr_6de3ffe5662417e0_comctl32.dll.mui_0da4e682	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_da-dk_2544c1cd8276af7a_comctl32.dll.mui_0da4e682	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.19041.546_none_8b678fb390086be3_powrprof.dll_480be757	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.662_none_3bbdfd78507f28c7_ncrypt.dll_0f36c580	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_sr-..-rs_06d2e219c8bbb7bf.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_05fb19d338e44a8b.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_it-it_12393e2b3711dbc6_dsregcmd.exe.mui_8ce2c638	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278_msobjs.dll_052c8a60	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.19041.1110_none_56683e3b6f9cb252.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_430caa488be6f8ed_rpcepmap.dll.mui_349798e1	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-xmllite_31bf3856ad364e35_10.0.19041.546_none_6734c593021dd8ae.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3285a4fbe26a9651.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..ndactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_959a3e1eebb4b6e0.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_21b80f3a6591f527_mofd.dll.mui_793ef98d	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_en-us_52b90495d63821ca.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1_appidpolicyconverter.exe_83972af0	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_6e70c9a2dd0624b1.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6acc9b918cd7cb00.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_el-gr_78f993560d286ca3.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_en-us_53f7dd16602c8a90_wevtsvc.dll.mui_f41bf7b7	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-es_61100044695b873d.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_d1358e97b53afe52.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a_wowreg32.exe_94fc2d06	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exemsedge.exemsedge.exemsedge.exe

pid	process
1368	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
1368	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
2972	msedge.exe
2972	msedge.exe
2484	msedge.exe
2484	msedge.exe
3348	msedge.exe
3348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3348 msedge.exe
3348 msedge.exe
3348 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3348 msedge.exe
3348 msedge.exe
3348 msedge.exe

pid	process
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe

pid	process
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1368 wrote to memory of 2388	1368	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe	cmd.exe
PID 1368 wrote to memory of 2388	1368	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe	cmd.exe
PID 1368 wrote to memory of 2388	1368	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe	cmd.exe
PID 1832 wrote to memory of 1748	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 1748	1832	msedge.exe	msedge.exe
PID 3348 wrote to memory of 3160	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 3160	3348	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 1832 wrote to memory of 4752	1832	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4788	3348	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
"C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SetRead.shtml
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7fff25b746f8,0x7fff25b74708,0x7fff25b74718
2⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
2⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,7913632502706514171,511067195854747131,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SetRead.shtml
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff25b746f8,0x7fff25b74708,0x7fff25b74718
2⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1937330518404868480,9131397331278134529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1937330518404868480,9131397331278134529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
be343d8f8a119b42eeb26b957040410f

SHA1
e163b539b0b6ea557eb6c386baa787a30730042b

SHA256
3731be50e2445f5385c94571f202dc2a7fce2d40f653a0a57e2d5f849bde3259

SHA512
243157fdae77645d822d59e8dfbfed77c61625574562e2dfbb4a63153c96894f96d8f89a9674bd80567c635754008634e276abd8fce01cea67dc91d6fb35e6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
442B

MD5
93334dbcd984247c4beee9df138efaa1

SHA1
27dfac2cb97b96ac7fe4ce139bd1f603fb10d046

SHA256
f0da4a6802c2913994561450eb6b2b1004a695e63f650f31520f596aa5f16961

SHA512
86b3747e2bcd15672e6cfb776b6b09dde52178ca743087521d325d1d244a92bfe8c282246a9b5e48c07856db3015fc41a501b87d29948b413f28a3b259187b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
0ebd8e7b6e3f2337643f1ace8085fafb

SHA1
85697094ce2cd9b23045e38b7444f50b9add2757

SHA256
31004332f2d8ed3bbc36217cd59a05aac700d24263591e2f75124f51546b6842

SHA512
5f6c71af18c5c13835d7400bacb85eec8754107a1552aa41717b5ba1666529c7b03b4ec7f322ad4e12cc91bb2cf1220c52487d68d4f81f8ca4e487b99b18c329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
274037810eab3ab7386510c52b16d6e8

SHA1
da6881b666aeae4ca901331936cb5989a325dd30

SHA256
681a6bb4255088909a4178383719911c9d0f7b1cc1f1caadd526971779849c4b

SHA512
6e377595b6102bfd977ed44233d9c6f3d6a0391f449ee27c316c37edd622a58029d3feba0fec96707ea3e5b5b16f47d37e265ec117da707640ea6a1d810273a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
0ebd8e7b6e3f2337643f1ace8085fafb

SHA1
85697094ce2cd9b23045e38b7444f50b9add2757

SHA256
31004332f2d8ed3bbc36217cd59a05aac700d24263591e2f75124f51546b6842

SHA512
5f6c71af18c5c13835d7400bacb85eec8754107a1552aa41717b5ba1666529c7b03b4ec7f322ad4e12cc91bb2cf1220c52487d68d4f81f8ca4e487b99b18c329

Download Submit
\??\pipe\LOCAL\crashpad_1832_UCJTBPHBVCHPNUBN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3348_GDZBZWROXDFYPAUV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1368-132-0x0000000000536000-0x0000000000551000-memory.dmp

Filesize
108KB

Download
memory/1368-133-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1368-137-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1368-134-0x0000000000536000-0x0000000000551000-memory.dmp

Filesize
108KB

Download
memory/1368-135-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1748-138-0x0000000000000000-mapping.dmp

Download
memory/2044-154-0x0000000000000000-mapping.dmp

Download
memory/2344-159-0x0000000000000000-mapping.dmp

Download
memory/2388-136-0x0000000000000000-mapping.dmp

Download
memory/2484-149-0x0000000000000000-mapping.dmp

Download
memory/2972-150-0x0000000000000000-mapping.dmp

Download
memory/3136-161-0x0000000000000000-mapping.dmp

Download
memory/3160-139-0x0000000000000000-mapping.dmp

Download
memory/3852-157-0x0000000000000000-mapping.dmp

Download
memory/4752-147-0x0000000000000000-mapping.dmp

Download
memory/4780-163-0x0000000000000000-mapping.dmp

Download
memory/4788-148-0x0000000000000000-mapping.dmp

Download