xenarmor | 10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1980	Runtime Broker.exe
4920	Runtime Broker.exe
396	Runtime Broker.exe
3332	Runtime Broker.exe
1416	Runtime Broker.exe
1184	Runtime Broker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000000070d-73.dat	upx
behavioral2/files/0x0003000000000733-93.dat	upx
behavioral2/files/0x0003000000000717-88.dat	upx
behavioral2/files/0x0003000000000711-83.dat	upx
behavioral2/files/0x000300000000070f-78.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe"	cmd.exe

Drops desktop.ini file(s) 17 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	cmd.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	cmd.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{64861ACD-EFB8-4FC0-9031-97A3D4558B92}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1972	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	powershell.exe
4956	powershell.exe
4656	powershell.exe
4656	powershell.exe
3784	powershell.exe
3784	powershell.exe
2044	powershell.exe
2044	powershell.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe
864	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
864	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	cmd.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	864	cmd.exe
Token: SeDebugPrivilege	1980	Runtime Broker.exe
Token: SeDebugPrivilege	4920	Runtime Broker.exe
Token: SeDebugPrivilege	8	cmd.exe
Token: SeDebugPrivilege	396	Runtime Broker.exe
Token: SeDebugPrivilege	1416	Runtime Broker.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	1184	Runtime Broker.exe
Token: SeShutdownPrivilege	5860	shutdown.exe
Token: SeRemoteShutdownPrivilege	5860	shutdown.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
3088	msedge.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
864	cmd.exe
756	firefox.exe
5932	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4956	864	cmd.exe	90
PID 864 wrote to memory of 4956	864	cmd.exe	90
PID 864 wrote to memory of 4656	864	cmd.exe	92
PID 864 wrote to memory of 4656	864	cmd.exe	92
PID 864 wrote to memory of 3784	864	cmd.exe	94
PID 864 wrote to memory of 3784	864	cmd.exe	94
PID 864 wrote to memory of 2044	864	cmd.exe	96
PID 864 wrote to memory of 2044	864	cmd.exe	96
PID 864 wrote to memory of 4108	864	cmd.exe	100
PID 864 wrote to memory of 4108	864	cmd.exe	100
PID 864 wrote to memory of 8	864	cmd.exe	111
PID 864 wrote to memory of 8	864	cmd.exe	111
PID 864 wrote to memory of 3044	864	cmd.exe	113
PID 864 wrote to memory of 3044	864	cmd.exe	113
PID 864 wrote to memory of 3088	864	cmd.exe	130
PID 864 wrote to memory of 3088	864	cmd.exe	130
PID 3088 wrote to memory of 3432	3088	msedge.exe	131
PID 3088 wrote to memory of 3432	3088	msedge.exe	131
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132
PID 3088 wrote to memory of 4004	3088	msedge.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cmd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d4,0x7ffd785d2e98,0x7ffd785d2ea4,0x7ffd785d2eb0
    3⤵
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2836 --field-trial-handle=2840,i,10884242588458977471,16708502865948536099,262144 --variations-seed-version /prefetch:2
    3⤵
    PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3088 --field-trial-handle=2840,i,10884242588458977471,16708502865948536099,262144 --variations-seed-version /prefetch:3
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3456 --field-trial-handle=2840,i,10884242588458977471,16708502865948536099,262144 --variations-seed-version /prefetch:8
    3⤵
    PID:2996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2500 --field-trial-handle=2840,i,10884242588458977471,16708502865948536099,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:3420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4116 --field-trial-handle=2840,i,10884242588458977471,16708502865948536099,262144 --variations-seed-version /prefetch:1
    3⤵
    PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    PID:1112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffd785d2e98,0x7ffd785d2ea4,0x7ffd785d2eb0
      4⤵
      PID:1604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2272 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:2
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3284 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:3
      4⤵
      PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3484 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:1268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4524 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4536 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4552 --field-trial-handle=2276,i,6923621185779335326,210137663405424520,262144 --variations-seed-version /prefetch:8
      4⤵
      PID:5920
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:636

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5412 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5092 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5532 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3596

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\64a6bf0034bc4868a2a46920a99605f7 /t 4296 /p 1488
1⤵
PID:3968

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GrantUnblock.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1972

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\78354da397fd40cbbcaef5e438b4acba /t 416 /p 1972
1⤵
PID:2828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\My Data.txt
1⤵
PID:3376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2480
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.0.2024364593\1379580976" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5fdd3cd-1403-425c-bffa-f13070168b45} 756 "\\.\pipe\gecko-crash-server-pipe.756" 1964 249053d8758 gpu
    3⤵
    PID:2864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.1.607837811\1278675653" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2324 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29f15ce3-4f51-4195-9cd7-2dc65ca9caec} 756 "\\.\pipe\gecko-crash-server-pipe.756" 2364 249050fa258 socket
    3⤵
    - Checks processor information in registry
    PID:1068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.2.1506660354\879299285" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34d59a37-bbc7-4443-99ad-4801008e34e0} 756 "\\.\pipe\gecko-crash-server-pipe.756" 3272 2490939a758 tab
    3⤵
    PID:2604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.3.1784072694\1224934997" -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6aee5f4-98a7-41bb-b0fb-b7d1ab5520e0} 756 "\\.\pipe\gecko-crash-server-pipe.756" 3736 2490a4cb858 tab
    3⤵
    PID:1720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.4.1602228120\1950143226" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 4332 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e18fc357-5334-406e-bca8-0c7f992402b9} 756 "\\.\pipe\gecko-crash-server-pipe.756" 4348 2490abd5658 tab
    3⤵
    PID:900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.5.10634897\1301122117" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f38d3e1e-222c-48b9-ba7a-a76d44f65463} 756 "\\.\pipe\gecko-crash-server-pipe.756" 5040 2490c0ab358 tab
    3⤵
    PID:4804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.6.2075490694\815639443" -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5f747b-bba5-49d8-a2c1-c1b2abf899a0} 756 "\\.\pipe\gecko-crash-server-pipe.756" 5256 2490c0ab958 tab
    3⤵
    PID:2988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.7.1400104443\52454831" -childID 6 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94872834-5c46-48b7-a286-dfcc62747857} 756 "\\.\pipe\gecko-crash-server-pipe.756" 5316 2490c82f258 tab
    3⤵
    PID:2044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="756.8.1589331379\729167635" -childID 7 -isForBrowser -prefsHandle 5676 -prefMapHandle 5700 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854341a4-8715-40c9-9acd-d65b3582a6c8} 756 "\\.\pipe\gecko-crash-server-pipe.756" 5672 2490ca8f058 tab
    3⤵
    PID:5376

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\My Data.txt
1⤵
PID:464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery