Analysis
-
max time kernel
148s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2022 12:55
Static task
static1
Behavioral task
behavioral1
Sample
Antivirus_Upgrade_Cloud.9fdd7aebbe418ed2.jse
Resource
win7-20220812-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
Antivirus_Upgrade_Cloud.9fdd7aebbe418ed2.jse
Resource
win10v2004-20220812-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
Antivirus_Upgrade_Cloud.9fdd7aebbe418ed2.jse
-
Size
176KB
-
MD5
ad184cf93d38d51111a7ef305992eb5f
-
SHA1
37b05248dbd96c8a94082471069f24a7b1036313
-
SHA256
266f930572d3006c36ba7e97b4ffed107827decd7738a58c218e1ae5450fbe95
-
SHA512
a37d0984d65b0eaef4169a22e5802ac8f24b9508b717f46b2911ad583f5a4b2e4f59bd31c317976f14995ba69a7855318ef7d5e0ba866d3b8fc1db352a14c56e
-
SSDEEP
3072:x4xkakIeI6QKzm+bga+V9cw+yOTE4o5V0eD11TbXx1113B1WR9KflL11H6IFNC4v:GfelQKzbMYJQ4o5VxhakLDNyjt8
Score
10/10
Malware Config
Signatures
-
Detect magniber ransomware 3 IoCs
resource yara_rule behavioral2/memory/880-134-0x00000211B5220000-0x00000211B6220000-memory.dmp family_magniber behavioral2/memory/2372-135-0x0000020029D60000-0x0000020029D6B000-memory.dmp family_magniber behavioral2/memory/880-147-0x00000211B5220000-0x00000211B6220000-memory.dmp family_magniber -
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 4544 bcdedit.exe 71 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 4544 bcdedit.exe 71 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 4544 wbadmin.exe 71 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 4544 wbadmin.exe 71 -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1680 bcdedit.exe 2200 bcdedit.exe -
pid Process 1144 wbadmin.exe -
pid Process 4520 wbadmin.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ImportEnter.tiff sihost.exe File renamed C:\Users\Admin\Pictures\ImportEnter.tiff => C:\Users\Admin\Pictures\ImportEnter.tiff.lfqxdcb sihost.exe File renamed C:\Users\Admin\Pictures\RepairWatch.tiff => C:\Users\Admin\Pictures\RepairWatch.tiff.lfqxdcb sihost.exe File renamed C:\Users\Admin\Pictures\ExpandSuspend.raw => C:\Users\Admin\Pictures\ExpandSuspend.raw.lfqxdcb sihost.exe File renamed C:\Users\Admin\Pictures\WaitClose.raw => C:\Users\Admin\Pictures\WaitClose.raw.lfqxdcb sihost.exe File renamed C:\Users\Admin\Pictures\GroupCopy.tiff => C:\Users\Admin\Pictures\GroupCopy.tiff.lfqxdcb sihost.exe File opened for modification C:\Users\Admin\Pictures\RepairWatch.tiff sihost.exe File renamed C:\Users\Admin\Pictures\StopConnect.tif => C:\Users\Admin\Pictures\StopConnect.tif.lfqxdcb sihost.exe File renamed C:\Users\Admin\Pictures\ResizeConnect.crw => C:\Users\Admin\Pictures\ResizeConnect.crw.lfqxdcb sihost.exe File opened for modification C:\Users\Admin\Pictures\GroupCopy.tiff sihost.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4048 3308 WerFault.exe 56 -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Modifies registry class 42 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/gtcdta.now" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/sjquep.now" sihost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings taskhostw.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/atkfrjgbugk.now" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute svchost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings sihost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/kdwlrcnbldxn.now" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings svchost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer svchost.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" sihost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute taskhostw.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute sihost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/sadchg.now" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/tmtgrxoxq.now" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/kxndrn.now" taskhostw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer sihost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/iymdoexiz.now" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer taskhostw.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" taskhostw.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 880 WScript.exe 880 WScript.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2228 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 3512 RuntimeBroker.exe Token: SeShutdownPrivilege 3512 RuntimeBroker.exe Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 3512 RuntimeBroker.exe Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeBackupPrivilege 4348 vssvc.exe Token: SeRestorePrivilege 4348 vssvc.exe Token: SeAuditPrivilege 4348 vssvc.exe Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeBackupPrivilege 3596 wbengine.exe Token: SeRestorePrivilege 3596 wbengine.exe Token: SeSecurityPrivilege 3596 wbengine.exe Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE Token: SeShutdownPrivilege 2228 Explorer.EXE Token: SeCreatePagefilePrivilege 2228 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 880 wrote to memory of 2372 880 WScript.exe 42 PID 880 wrote to memory of 2380 880 WScript.exe 43 PID 880 wrote to memory of 2476 880 WScript.exe 44 PID 880 wrote to memory of 2228 880 WScript.exe 58 PID 880 wrote to memory of 3108 880 WScript.exe 57 PID 880 wrote to memory of 3308 880 WScript.exe 56 PID 880 wrote to memory of 3404 880 WScript.exe 55 PID 880 wrote to memory of 3512 880 WScript.exe 54 PID 880 wrote to memory of 3620 880 WScript.exe 53 PID 880 wrote to memory of 3824 880 WScript.exe 52 PID 880 wrote to memory of 4700 880 WScript.exe 64 PID 736 wrote to memory of 3676 736 cmd.exe 93 PID 736 wrote to memory of 3676 736 cmd.exe 93 PID 3676 wrote to memory of 5088 3676 fodhelper.exe 95 PID 3676 wrote to memory of 5088 3676 fodhelper.exe 95 PID 4832 wrote to memory of 4184 4832 cmd.exe 112 PID 4832 wrote to memory of 4184 4832 cmd.exe 112 PID 4184 wrote to memory of 1736 4184 fodhelper.exe 114 PID 4184 wrote to memory of 1736 4184 fodhelper.exe 114 PID 3100 wrote to memory of 3312 3100 cmd.exe 117 PID 3100 wrote to memory of 3312 3100 cmd.exe 117 PID 3312 wrote to memory of 4008 3312 fodhelper.exe 118 PID 3312 wrote to memory of 4008 3312 fodhelper.exe 118
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
- Modifies registry class
PID:2380 -
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/atkfrjgbugk.now4⤵PID:5088
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
- Modifies registry class
PID:2476
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:3824
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3620
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3404
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3308
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3308 -s 7482⤵
- Program crash
PID:4048
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
- Modifies registry class
PID:3108 -
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/kxndrn.now4⤵PID:1736
-
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2228 -
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.9fdd7aebbe418ed2.jse"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
PID:4700 -
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/kdwlrcnbldxn.now4⤵PID:4008
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 3308 -ip 33081⤵PID:1440
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1680
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2200
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4520
-
C:\Windows\system32\wbadmin.exewbadmin delete systemstatebackup -quiet1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:1144
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1692
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:1852
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
880B
MD5b190ff090537a6cd507870077a4a6160
SHA17d23d91564a6dcb298b03b122d0f4e329a4f29f4
SHA256422626de7cbc0fb2c7c36fd85ae325b873270d027666fe47d9588cd81489c053
SHA512a151b50cb3bc593b605c01e38d3c438dba472e3635f2ebf3646d1febe8deb2c74c997457cd3af51a7f528311f4c28f752b5ed7bac1b087b389d1368ebcf9978b