magniber | d0375fc9cbb564fb18e0afea926c7faf50464b9afb329913dd5486c7cbb36e2e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Security.Database.Upgrade.Win10.0.jse
Size

162KB
MD5

a42d1d053f9b042cadb123bae1d9a799
SHA1

38e6e535ec406f7a1a32080328a7f15f75bb91ec
SHA256

d0375fc9cbb564fb18e0afea926c7faf50464b9afb329913dd5486c7cbb36e2e
SHA512

771084247ecf8366babc3bab84880383bdfabde6cc4ae784fd7b918c51e2dd06b36a5040f71c1aa89a65cd1d1f5fa1db15171d1ac98c8d6af2cc7fb8e7210599
SSDEEP

3072:dA4PMqloVupG97fDGoglotP5QBaTv2rUJckkkkkBslKM/5woYKHDCPH3uO5AIHfo:dA4P7lMuRoDWaTv2QqkkkkkUKvHEpMQ

Score

10^/10

magniber evasion persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-134-0x000001D200000000-0x000001D201000000-memory.dmp	family_magniber
behavioral2/memory/2332-135-0x000001CA36500000-0x000001CA3650A000-memory.dmp	family_magniber
behavioral2/memory/4964-147-0x000001D200000000-0x000001D201000000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4072	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4072	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4072	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4072	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4072	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4072	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4072	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4072	wbadmin.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1820 bcdedit.exe
4816 bcdedit.exe
4036 bcdedit.exe
2976 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4556 wbadmin.exe
1776 wbadmin.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4464 wbadmin.exe
208 wbadmin.exe

pid	process
1820	bcdedit.exe
4816	bcdedit.exe
4036	bcdedit.exe
2976	bcdedit.exe

pid	process
4556	wbadmin.exe
1776	wbadmin.exe

pid	process
4464	wbadmin.exe
208	wbadmin.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\WaitPush.raw => C:\Users\Admin\Pictures\WaitPush.raw.hfenvscvo	sihost.exe
File renamed	C:\Users\Admin\Pictures\CopyImport.tif => C:\Users\Admin\Pictures\CopyImport.tif.hfenvscvo	sihost.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\be64d7e9-0b03-43e7-81e7-3dd6f1aaf179.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220913094431.pma	setup.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2236 3260 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2236	3260	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exesihost.exeExplorer.EXEtaskhostw.exeSearchApp.exesvchost.exeRuntimeBroker.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\422271be-2a96-4e88-8d = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b42d63be470b72effabd2fa5bebbc3e2d8d88c4f971bf3188d563f3b78cad4ab"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b955cb18-6592-4888-bf	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06d9126b-395b-4422-af	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc57138c-2855-42b5-ab = e23f1f8055c7d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc57138c-2855-42b5-ab = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a313cb21-a362-4cc8-8c = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e3abaeb2ec2f732388ca0fed8d9da209d654663774f448b704f662efcaef31e8"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\917ba20f-4079-4753-96 = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6d898b3f779591c13da1f2b28ce32141fe3eb569a7d6f4a1152ba756aad77d00"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a313cb21-a362-4cc8-8c	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\422271be-2a96-4e88-8d = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8901ad0b-8b86-4c6d-99 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06d9126b-395b-4422-af = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006314ee7f55c7d8016314ee7f55c7d8016314ee7f55c7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002d55a24d2000376466363464306238636535373635383839346238373832346636633733363566303839666330383232303664633530333235663032623263626661636465610000b20009000400efbe2d55a24d2d55a24d2e000000000000000000000000000000000000000000000000009dbb0100370064006600360034006400300062003800630065003500370036003500380038003900340062003800370038003200340066003600630037003300360035006600300038003900660063003000380032003200300036006400630035003000330032003500660030003200620032006300620066006100630064006500610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ecf789041000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37646636346430623863653537363538383934623837383234663663373336356630383966633038323230366463353033323566303262326362666163646561000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000787a696f666176640000000000000000244ecd0ae5297e4b9a9fb667cf3bd6bc18b843ae811aed11aecbc264e7fe3618244ecd0ae5297e4b9a9fb667cf3bd6bc18b843ae811aed11aecbc264e7fe3618ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003800390031003000320039003500370035002d0031003400360032003500370035002d0031003100360035003200310033003800300037002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c4a2b5d000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\76abcc7f-db02-4dd1-9d = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\200eb179-1e22-4efa-98 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0809d307-f57e-458a-9d = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a191c8c9-d9de-4edc-82 = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c4785a40d529e7831e7d09d37fa7435e963587a58ebc4a5452e34324916d029c"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\76abcc7f-db02-4dd1-9d = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7df64d0b8ce57658894b87824f6c7365f089fc082206dc50325f02b2cbfacdea"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0809d307-f57e-458a-9d = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9531ac91de1830441f396b99b4941050b542e9771d1dcab1c8465ca7e57205d0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc57138c-2855-42b5-ab = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000069bbf87f55c7d80169bbf87f55c7d80169bbf87f55c7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002d55a34d2000366438393862336637373935393163313364613166326232386365333231343166653365623536396137643666346131313532626137353661616437376430300000b20009000400efbe2d55a34d2d55a34d2e0000000000000000000000000000000000000000000000000097412801360064003800390038006200330066003700370039003500390031006300310033006400610031006600320062003200380063006500330032003100340031006600650033006500620035003600390061003700640036006600340061003100310035003200620061003700350036006100610064003700370064003000300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ecf789041000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36643839386233663737393539316331336461316632623238636533323134316665336562353639613764366634613131353262613735366161643737643030000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000787a696f666176640000000000000000244ecd0ae5297e4b9a9fb667cf3bd6bc19b843ae811aed11aecbc264e7fe3618244ecd0ae5297e4b9a9fb667cf3bd6bc19b843ae811aed11aecbc264e7fe3618ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003800390031003000320039003500370035002d0031003400360032003500370035002d0031003100360035003200310033003800300037002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c4a2b5d000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\422271be-2a96-4e88-8d	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\917ba20f-4079-4753-96 = 032ab98255c7d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b53492ed-0312-4c85-a7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0809d307-f57e-458a-9d	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a191c8c9-d9de-4edc-82 = d5bae47f55c7d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\917ba20f-4079-4753-96 = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b53492ed-0312-4c85-a7 = af4af28255c7d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8901ad0b-8b86-4c6d-99 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\200eb179-1e22-4efa-98 = c55f718355c7d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/cytdraqj.mac"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0809d307-f57e-458a-9d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06d9126b-395b-4422-af = b6f9f57f55c7d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\422271be-2a96-4e88-8d = c554958055c7d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a191c8c9-d9de-4edc-82 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06d9126b-395b-4422-af = "\\\\?\\Volume{5D2B4A7C-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7df64d0b8ce57658894b87824f6c7365f089fc082206dc50325f02b2cbfacdea"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc57138c-2855-42b5-ab = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\917ba20f-4079-4753-96 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\06d9126b-395b-4422-af	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b53492ed-0312-4c85-a7 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/qlbyfsxqjufx.mac"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a191c8c9-d9de-4edc-82	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cc57138c-2855-42b5-ab	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/fwoqavtdpc.mac"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b53492ed-0312-4c85-a7	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0809d307-f57e-458a-9d	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\76abcc7f-db02-4dd1-9d = 13d8408255c7d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a313cb21-a362-4cc8-8c = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000019535a8055c7d80119535a8055c7d80119535a8055c7d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000002d55a34d2000653361626165623265633266373332333838636130666564386439646132303964363534363633373734663434386237303466363632656663616566333165380000b20009000400efbe2d55a34d2d55a34d2e00000000000000000000000000000000000000000000000000e7a9c600650033006100620061006500620032006500630032006600370033003200330038003800630061003000660065006400380064003900640061003200300039006400360035003400360036003300370037003400660034003400380062003700300034006600360036003200650066006300610065006600330031006500380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ecf789041000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65336162616562326563326637333233383863613066656438643964613230396436353436363337373466343438623730346636363265666361656633316538000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000787a696f666176640000000000000000244ecd0ae5297e4b9a9fb667cf3bd6bc1ab843ae811aed11aecbc264e7fe3618244ecd0ae5297e4b9a9fb667cf3bd6bc1ab843ae811aed11aecbc264e7fe3618ca000000090000a08500000031535053e28a5846bc4c3843bbfc139326986dce6900000004000000001f0000002c00000053002d0031002d0035002d00320031002d0032003800390031003000320039003500370035002d0031003400360032003500370035002d0031003100360035003200310033003800300037002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000007c4a2b5d000000000000d01200000000000000000000000000000000	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

WScript.exemsedge.exemsedge.exeidentity_helper.exe

pid process

4964 WScript.exe
4964 WScript.exe
2400 msedge.exe
2400 msedge.exe
1988 msedge.exe
1988 msedge.exe
2876 identity_helper.exe
2876 identity_helper.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1988 msedge.exe
1988 msedge.exe
1988 msedge.exe
1988 msedge.exe

pid	process
4964	WScript.exe
4964	WScript.exe
2400	msedge.exe
2400	msedge.exe
1988	msedge.exe
1988	msedge.exe
2876	identity_helper.exe
2876	identity_helper.exe

pid	process
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeBackupPrivilege	3652	vssvc.exe
Token: SeRestorePrivilege	3652	vssvc.exe
Token: SeAuditPrivilege	3652	vssvc.exe
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeBackupPrivilege	3444	wbengine.exe
Token: SeRestorePrivilege	3444	wbengine.exe
Token: SeSecurityPrivilege	3444	wbengine.exe
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE
Token: SeShutdownPrivilege	3044	Explorer.EXE

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

Explorer.EXEmsedge.exe

pid	process
3044	Explorer.EXE
3044	Explorer.EXE
1988	msedge.exe
3044	Explorer.EXE
3044	Explorer.EXE
3044	Explorer.EXE
1988	msedge.exe
3044	Explorer.EXE
3044	Explorer.EXE
3044	Explorer.EXE
3044	Explorer.EXE
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Explorer.EXEmsedge.exe

pid	process
3044	Explorer.EXE
3044	Explorer.EXE
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.exefodhelper.exeExplorer.EXEmsedge.exe

description	pid	process	target process
PID 4964 wrote to memory of 2332	4964	WScript.exe	sihost.exe
PID 4964 wrote to memory of 2364	4964	WScript.exe	svchost.exe
PID 4964 wrote to memory of 2440	4964	WScript.exe	taskhostw.exe
PID 4964 wrote to memory of 3044	4964	WScript.exe	Explorer.EXE
PID 4964 wrote to memory of 772	4964	WScript.exe	svchost.exe
PID 4964 wrote to memory of 3260	4964	WScript.exe	DllHost.exe
PID 4964 wrote to memory of 3356	4964	WScript.exe	StartMenuExperienceHost.exe
PID 4964 wrote to memory of 3420	4964	WScript.exe	RuntimeBroker.exe
PID 4964 wrote to memory of 3516	4964	WScript.exe	SearchApp.exe
PID 4964 wrote to memory of 3732	4964	WScript.exe	RuntimeBroker.exe
PID 4964 wrote to memory of 4688	4964	WScript.exe	RuntimeBroker.exe
PID 4964 wrote to memory of 1996	4964	WScript.exe	backgroundTaskHost.exe
PID 4964 wrote to memory of 1600	4964	WScript.exe	backgroundTaskHost.exe
PID 4964 wrote to memory of 4860	4964	WScript.exe	RuntimeBroker.exe
PID 820 wrote to memory of 4532	820	cmd.exe	fodhelper.exe
PID 820 wrote to memory of 4532	820	cmd.exe	fodhelper.exe
PID 4532 wrote to memory of 4644	4532	fodhelper.exe	wscript.exe
PID 4532 wrote to memory of 4644	4532	fodhelper.exe	wscript.exe
PID 3044 wrote to memory of 1988	3044	Explorer.EXE	msedge.exe
PID 3044 wrote to memory of 1988	3044	Explorer.EXE	msedge.exe
PID 1988 wrote to memory of 3268	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3268	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 3528	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 2400	1988	msedge.exe	msedge.exe
PID 1988 wrote to memory of 2400	1988	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README.html
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbc94b46f8,0x7ffbc94b4708,0x7ffbc94b4718
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3308 /prefetch:8
    3⤵
    PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:1564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 /prefetch:8
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5460 /prefetch:8
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff70d755460,0x7ff70d755470,0x7ff70d755480
      4⤵
      PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:5196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,2908373011831708803,16131432092841739182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
    3⤵
    PID:1996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1600

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4688
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/umxgltcsmyj.mac
      4⤵
      PID:4644

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3260 -s 940
  2⤵
  - Program crash
  PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:772
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  PID:3908
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4640
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/vwmdtfusa.mac
      4⤵
      PID:4544

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2364

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3260 -ip 3260
1⤵
PID:1116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1820

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4816

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4464

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:284

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4036

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2976

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:1776

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
27a41179f1916723f53a3dac5a71f31e

SHA1
5691c0503802c61b8a3332351770553217e3c34f

SHA256
8544c353352eb990705e3c279249f2408273bdbb7d86d76be8d708ae873e0cab

SHA512
697352b7f551e8ccc8afeb70dfc7ba789f4d3bfe4951f9b4a97836558909d647ffc632b80f7ba39c85bf6707b4d855a81dd1f6493a5b35ec261155633fde411f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
9KB

MD5
c282095f0bdb81e6eec3d3fc19a8ef58

SHA1
13c091c37a4fd6380da4258b58478fd699de0203

SHA256
a3a187d225f444f051a3ef1a6cc38484b33a85b83843b3aba06f1d2817514bc4

SHA512
8244c3d2d892216e0fff039caecf64fa3958cf0904fe42c229fd7ed94907327d1223c6225979b160fa4d578892e2939aa15cdc2b546c305c0307b0384b35aeba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ccba5a5986c77e43.automaticDestinations-ms

Filesize
3KB

MD5
d8899e7221aa99d37b3b9628eda92ec8

SHA1
5e0ef78acd910471813176fdd9674d502f5cd869

SHA256
e281413f6f8b022e4ebcbc0de0fd2548a8beb6f56bcb53285de11c326a1363cb

SHA512
ca613df9895b55048549c15416976145f6fadbfd9da7f54f3c7b53c613648e62b6d14414eaae24fd386b50fec8fb6bdf4e4683aa2115082b546e4f4000ed54bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
2407d0390b0c2c2c507d9c544293ff4a

SHA1
bd0e842a7eef1c3b74f65af0aa2ad01e030710cd

SHA256
fa74f509f63e82520d2705dbd6ba12a8f805a32e668a0387d88490aa6eabfb3a

SHA512
92403f303a910aa5f396b50e50c6d792fa091b8b6fccfe4bb56043d4b00cde80d8667a7c0780d734b06f49b203792460a288338a06e40c6786e9ffaa386e39c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c23adba313a0523d200530ca8e2ba632

SHA1
e4df9e30066e8dd0d66170299a8e62880f9cbf1f

SHA256
86fc04c61661a8978bc80a9822b2e4073c194e86e0be32352f70b45effc8ca66

SHA512
32e5d81301d4293d2234eb450fc3bf448029f2383d0ccb4de882a2c445cf98fd96c651781b2bd62430a500f8486576f75a8ed1a0d66edc219bc9b66c041bd9d4

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
e9a32263aa483fa40a9daa1875f289c3

SHA1
4db1cd0bbf55ff7b6db96463630e5f687420d4a6

SHA256
9d71caa3265a071d10576c91acd38ffcf17c5189e6fb87174b2b7f0260445a99

SHA512
729515daea934e310cb5a0eea6451aadf35cb4e3665105027bc86e9b7791a4e24d077957d0a61fc42ffafa341104a6790824971a5d5559156dedbb65608f74b6

Download Submit
C:\Users\Admin\Desktop\README.html

Filesize
14KB

MD5
89f2e1a50444c03691810511d1909056

SHA1
306996bd197e379f1f72004ab01b3048be4419ee

SHA256
476f6d69b5fd158a92d41fa9beca6a9b38a30683257dad6c047b16194ce25b6f

SHA512
105fe3bdfbdc5539d67d5922e89b8a3ab6c4794433015a44917add2596decb8983a2089527d33a9d5762075339e5499cde25e6ce19bcf3062b6416feb410758b

Download Submit
C:\Users\Public\umxgltcsmyj.mac

Filesize
873B

MD5
e4195f5a10694ed45910584f38d3f6a5

SHA1
11e9a814a7f7b9d90df4e3313c4f9abaf9ad118a

SHA256
e317ccb3013be2088cac9ca03730d65feeaf65b687d436fb88f8a324eea3a926

SHA512
0227d7a00548da8644cbde7bc01eff09faedcec9cbbde5283ac31b1d615bb5b22c049739983ab139065adc9d4d00c11b97922f104b9b0e5282a480217c5196f3

Download Submit
C:\Users\Public\vwmdtfusa.mac

Filesize
873B

MD5
e4195f5a10694ed45910584f38d3f6a5

SHA1
11e9a814a7f7b9d90df4e3313c4f9abaf9ad118a

SHA256
e317ccb3013be2088cac9ca03730d65feeaf65b687d436fb88f8a324eea3a926

SHA512
0227d7a00548da8644cbde7bc01eff09faedcec9cbbde5283ac31b1d615bb5b22c049739983ab139065adc9d4d00c11b97922f104b9b0e5282a480217c5196f3

Download Submit
\??\pipe\LOCAL\crashpad_1988_RXDJLGOWPDTKDYJG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1564-168-0x0000000000000000-mapping.dmp

Download
memory/1988-155-0x0000000000000000-mapping.dmp

Download
memory/1996-189-0x0000000000000000-mapping.dmp

Download
memory/2332-135-0x000001CA36500000-0x000001CA3650A000-memory.dmp

Filesize
40KB

Download
memory/2376-177-0x0000000000000000-mapping.dmp

Download
memory/2400-161-0x0000000000000000-mapping.dmp

Download
memory/2776-176-0x0000000000000000-mapping.dmp

Download
memory/2876-179-0x0000000000000000-mapping.dmp

Download
memory/3268-156-0x0000000000000000-mapping.dmp

Download
memory/3484-172-0x0000000000000000-mapping.dmp

Download
memory/3528-160-0x0000000000000000-mapping.dmp

Download
memory/3776-164-0x0000000000000000-mapping.dmp

Download
memory/4532-151-0x0000000000000000-mapping.dmp

Download
memory/4544-182-0x0000000000000000-mapping.dmp

Download
memory/4556-166-0x0000000000000000-mapping.dmp

Download
memory/4640-175-0x0000000000000000-mapping.dmp

Download
memory/4640-181-0x0000000000000000-mapping.dmp

Download
memory/4644-152-0x0000000000000000-mapping.dmp

Download
memory/4964-147-0x000001D200000000-0x000001D201000000-memory.dmp

Filesize
16.0MB

Download
memory/4964-134-0x000001D200000000-0x000001D201000000-memory.dmp

Filesize
16.0MB

Download
memory/4964-144-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/4964-150-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/4964-132-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Filesize
10.8MB

Download
memory/5196-185-0x0000000000000000-mapping.dmp

Download
memory/5212-187-0x0000000000000000-mapping.dmp

Download