magniber | 1bce9126a12afe2c0b6582ddbf211dc45ba82f3c2b82a179f0a607a5b4e4f577

pid	Process
2756	bcdedit.exe
4492	bcdedit.exe
2768	bcdedit.exe
1724	bcdedit.exe
1232	bcdedit.exe
3644	bcdedit.exe

Renames multiple (88) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
3456	wbadmin.exe
4956	wbadmin.exe
1672	wbadmin.exe

Deletes backup catalog 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
1364	wbadmin.exe
2864	wbadmin.exe
2892	wbadmin.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\Installer\e57b9ca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b9ca.msi	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1188	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2412	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d2359f35a83f4e380000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d2359f350000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d2359f35000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd2359f35000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d2359f3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	backgroundTaskHost.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jwceoqdb.jpg"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/phxdyri.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/cgqfqgdyhh.jpg"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ksuwvjtphq.jpg"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1188	MsiExec.exe
1188	MsiExec.exe
2244	msiexec.exe
2244	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2244	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeMachineAccountPrivilege	2412	msiexec.exe
Token: SeTcbPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeLoadDriverPrivilege	2412	msiexec.exe
Token: SeSystemProfilePrivilege	2412	msiexec.exe
Token: SeSystemtimePrivilege	2412	msiexec.exe
Token: SeProfSingleProcessPrivilege	2412	msiexec.exe
Token: SeIncBasePriorityPrivilege	2412	msiexec.exe
Token: SeCreatePagefilePrivilege	2412	msiexec.exe
Token: SeCreatePermanentPrivilege	2412	msiexec.exe
Token: SeBackupPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeDebugPrivilege	2412	msiexec.exe
Token: SeAuditPrivilege	2412	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2412	msiexec.exe
Token: SeChangeNotifyPrivilege	2412	msiexec.exe
Token: SeRemoteShutdownPrivilege	2412	msiexec.exe
Token: SeUndockPrivilege	2412	msiexec.exe
Token: SeSyncAgentPrivilege	2412	msiexec.exe
Token: SeEnableDelegationPrivilege	2412	msiexec.exe
Token: SeManageVolumePrivilege	2412	msiexec.exe
Token: SeImpersonatePrivilege	2412	msiexec.exe
Token: SeCreateGlobalPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeMachineAccountPrivilege	2412	msiexec.exe
Token: SeTcbPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeLoadDriverPrivilege	2412	msiexec.exe
Token: SeSystemProfilePrivilege	2412	msiexec.exe
Token: SeSystemtimePrivilege	2412	msiexec.exe
Token: SeProfSingleProcessPrivilege	2412	msiexec.exe
Token: SeIncBasePriorityPrivilege	2412	msiexec.exe
Token: SeCreatePagefilePrivilege	2412	msiexec.exe
Token: SeCreatePermanentPrivilege	2412	msiexec.exe
Token: SeBackupPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeDebugPrivilege	2412	msiexec.exe
Token: SeAuditPrivilege	2412	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2412	msiexec.exe
Token: SeChangeNotifyPrivilege	2412	msiexec.exe
Token: SeRemoteShutdownPrivilege	2412	msiexec.exe
Token: SeUndockPrivilege	2412	msiexec.exe
Token: SeSyncAgentPrivilege	2412	msiexec.exe
Token: SeEnableDelegationPrivilege	2412	msiexec.exe
Token: SeManageVolumePrivilege	2412	msiexec.exe
Token: SeImpersonatePrivilege	2412	msiexec.exe
Token: SeCreateGlobalPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2412	msiexec.exe
2412	msiexec.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3384	Explorer.EXE
3880	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1188	2244	msiexec.exe	85
PID 2244 wrote to memory of 1188	2244	msiexec.exe	85
PID 1188 wrote to memory of 2832	1188	MsiExec.exe	49
PID 1188 wrote to memory of 2848	1188	MsiExec.exe	50
PID 1188 wrote to memory of 3036	1188	MsiExec.exe	52
PID 1188 wrote to memory of 3384	1188	MsiExec.exe	55
PID 1188 wrote to memory of 3564	1188	MsiExec.exe	57
PID 1188 wrote to memory of 3744	1188	MsiExec.exe	58
PID 1188 wrote to memory of 3880	1188	MsiExec.exe	59
PID 1188 wrote to memory of 3956	1188	MsiExec.exe	60
PID 1188 wrote to memory of 4044	1188	MsiExec.exe	61
PID 1188 wrote to memory of 3828	1188	MsiExec.exe	62
PID 1188 wrote to memory of 4412	1188	MsiExec.exe	74
PID 1188 wrote to memory of 4924	1188	MsiExec.exe	76
PID 1188 wrote to memory of 1968	1188	MsiExec.exe	80
PID 1188 wrote to memory of 1988	1188	MsiExec.exe	81
PID 1188 wrote to memory of 2412	1188	MsiExec.exe	82
PID 2244 wrote to memory of 3668	2244	msiexec.exe	93
PID 2244 wrote to memory of 3668	2244	msiexec.exe	93
PID 1448 wrote to memory of 4632	1448	cmd.exe	100
PID 1448 wrote to memory of 4632	1448	cmd.exe	100
PID 4632 wrote to memory of 768	4632	fodhelper.exe	101
PID 4632 wrote to memory of 768	4632	fodhelper.exe	101
PID 1140 wrote to memory of 4816	1140	cmd.exe	116
PID 1140 wrote to memory of 4816	1140	cmd.exe	116
PID 4816 wrote to memory of 4700	4816	fodhelper.exe	117
PID 4816 wrote to memory of 4700	4816	fodhelper.exe	117
PID 4764 wrote to memory of 4368	4764	cmd.exe	128
PID 4764 wrote to memory of 4368	4764	cmd.exe	128
PID 4368 wrote to memory of 232	4368	fodhelper.exe	129
PID 4368 wrote to memory of 232	4368	fodhelper.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2848

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3384
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2edafe324bbeec87dba04c61032a04815227dcf472f98411a2cd8d377651e862.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2412
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/cgqfqgdyhh.jpg
      4⤵
      PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3564
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/phxdyri.jpg
      4⤵
      PID:232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of UnmapMainImage
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3828
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/ksuwvjtphq.jpg
      4⤵
      PID:768

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4924

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1968

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BEF65C79C01B38EC7042586145F443D3 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1188
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4536

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2756

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4492

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:1364

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3452

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2424

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2768

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1724

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:2864

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:4956

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1232

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3644

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:2892

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery