918567fd880fe414ae41ebca386cfafe8b114369ce8002fa2d9420b5495576c8

General

Target

PCShredder.exe
Size

14.7MB
MD5

96cb05530c60082172543f1011fd9d48
SHA1

3ab9dcd4b109432656b36afa1f8f264d43d43273
SHA256

918567fd880fe414ae41ebca386cfafe8b114369ce8002fa2d9420b5495576c8
SHA512

e6fd8493dee16e771dccc892cd0941cac676fbd2f23cd589350101df3d9c307dcbc3b7e66181f9cc83662da9a455ea5172392485e351754bc775743d90cb7c90

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 47 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE39F3D8-1B13-11D0-887F-00A0C90F2744}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EC3C18E-7203-41E7-990D-A72B57E286A9}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E170-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1d6f0f8f-857d-4011-9eb2-69776d1916f0}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{397c7fba-8bed-47b7-a2b3-07c5fc18b8e9}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{be19f061-c08b-426e-811f-2a1ceb1e80ad}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D00A9E84-6BB6-4379-99EB-2B947FF8BC6B}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C93CF9D5-031B-4AAA-AB0B-EF802347B381}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96466-78F3-11D0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D8BD090D-3F39-45FD-B29A-7FC62C2E59C3}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE39F3DA-1B13-11D0-887F-00A0C90F2744}\InprocServer32\15.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82B02373-B5BC-11CF-810F-00A0C9030074}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0092-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PCShredder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	PCShredder.exe

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Drops file in Windows directory 4 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3756 vssadmin.exe

pid	process
3756	vssadmin.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46E31370-3F7A-11CE-BED6-00AA00611080}\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\PersistentAddinsRegistered	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.TemplateMacroEnabled.12\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{589E54F8-90C3-3C76-910B-4E6CBF21068D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BF1BF727-537F-3284-9CA9-5ADF12641AB5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rat	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\DataFormats\GetSet\3	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2E34EB8-8B9D-11D2-9014-00C04FA38338}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.jxr\AppX43hnxtbyyps62jhe9sqpdzxn1790zetc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21F57128-08C9-4638-BA12-22D15D88DC5C}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C2E-CB0C-11D0-B5C9-00A0244A0E7A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic\windows.fileTypeAs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage\50220	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18A06B6B-2F3F-4e2b-A611-52BE631B2D22}\Conversion	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024407-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{34212D32-6E9E-11E2-BDA0-6B2B6288709B}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\EnableFullPage\.vdw	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0366-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C172B-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493453-5A91-11CF-8700-00AA0060263B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D318E959-22AB-4EEA-9A06-962B11AFDC29}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA99AE52-D539-362F-B78C-4E84C14158BF}\2.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CF90891-3E04-4092-B96C-28E071EEEACB}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CSSfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12B8D03ED28D112328CCF0A0D541598E	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFAF0C0E-8603-40F6-8FD1-42726CAC21E3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\UpdateEncryptionSettingsWork\Shell\Decrypt	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.idl\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CDO.SS_NNTPOnPostFinalSink\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\MiscStatus	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ContentDirectory.item.videoItem\shellex\PropertySheetHandlers\{883373C3-BF89-11D1-BE35-080036B11A03}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493467-5A91-11CF-8700-00AA0060263B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MsoEuro.Converter\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\vlc.exe\shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SHCmdFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2e1f98f5-c3cc-4924-96e8-f7cea7698841}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\01366d42-c04e-11d1-b1c0-00c04fc2f3ef	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dot	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14F3C12D-7712-42CC-B7CC-64D2BB560C43}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00020A00-0001-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493469-5A91-11CF-8700-00AA0060263B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.mrw\AppX9rkaq77s0jzh1tyccadx9ghba15r6t3h	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{27B33BD9-E6F7-3148-911D-F67340A5353F}\2.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{837D7937-7F1D-377C-AFAE-1745D57D0BF3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8B7E18B8-3E96-3A4C-82CB-3D13FA15A32F}\2.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E0B61DE8-7593-364F-9D03-E2DC0A5C0B18}\2.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.CloudExperienceHost_10.0.19041.1266_neutral_neutral_cw5n1h2txyewy\ActivatableClassId	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000061-0000-0010-8000-00AA006D2EA4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002E188-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C172A-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4980 vssvc.exe
Token: SeRestorePrivilege 4980 vssvc.exe
Token: SeAuditPrivilege 4980 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PCShredder.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3764 wrote to memory of 1732	3764	PCShredder.exe	cmd.exe
PID 3764 wrote to memory of 1732	3764	PCShredder.exe	cmd.exe
PID 1732 wrote to memory of 3756	1732	cmd.exe	vssadmin.exe
PID 1732 wrote to memory of 3756	1732	cmd.exe	vssadmin.exe
PID 3764 wrote to memory of 516	3764	PCShredder.exe	cmd.exe
PID 3764 wrote to memory of 516	3764	PCShredder.exe	cmd.exe
PID 516 wrote to memory of 4976	516	cmd.exe	ReAgentc.exe
PID 516 wrote to memory of 4976	516	cmd.exe	ReAgentc.exe
PID 3764 wrote to memory of 4580	3764	PCShredder.exe	cmd.exe
PID 3764 wrote to memory of 4580	3764	PCShredder.exe	cmd.exe
PID 4580 wrote to memory of 228	4580	cmd.exe	reg.exe
PID 4580 wrote to memory of 228	4580	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\PCShredder.exe
"C:\Users\Admin\AppData\Local\Temp\PCShredder.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\ReAgentc.exe
reagentc.exe /disable
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\reg.exe
reg delete HKCR /f
3⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\as.lnk
Filesize
2KB

MD5
596c1f64c7faf04e5c26ff53955feec3

SHA1
150f1074c8b7cda388aef768425b945eca07b177

SHA256
8a635fd63133bb7c743209b185651e3d304ccce1bd3f55d068b250ac85231ec5

SHA512
7ae4e1b746f14613ca9c977066fc21d93ed3f71cc395ec6890da61770b798e01e677c6be5f398441c4fe243ac3591baddc117cff0afe1160c916be4dd18cd660

Download Submit
memory/228-138-0x0000000000000000-mapping.dmp

Download
memory/516-135-0x0000000000000000-mapping.dmp

Download
memory/1732-133-0x0000000000000000-mapping.dmp

Download
memory/3756-134-0x0000000000000000-mapping.dmp

Download
memory/3764-130-0x000001D238880000-0x000001D239732000-memory.dmp

Filesize
14.7MB

Download
memory/3764-131-0x00007FFF9AFE0000-0x00007FFF9BAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3764-132-0x00007FFF9AFE0000-0x00007FFF9BAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4580-137-0x0000000000000000-mapping.dmp

Download
memory/4976-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads