86e08c4190074fa5774eb0f37afacf780bfe1b4f1335cccfcd1d5fe140e09b5b

Analysis

max time kernel
144s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
Size

616KB
MD5

2bfb0ef1b81124ca61c93c341a9ed164
SHA1

80a77d8af4702dc597bc48838f9140e1d3ed2bc0
SHA256

86e08c4190074fa5774eb0f37afacf780bfe1b4f1335cccfcd1d5fe140e09b5b
SHA512

2c336f88c9c7c3f7c8c3ae87f392f92ece3e28155b08b25f31c522b3df509bef5803240647a2853bc34567f943e6afd5dfba732ddbbfe1e2cffd0e272a6f97a0
SSDEEP

12288:Iv/fMH3Mu7vOlM7CjCkczgmziP+1RTwu7vOlM7CjCkczg:Iv/fMfvQjCM+3vQj

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+qtlts.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/5CB867221FE24DB3 2. http://k4restportgonst34d23r.oftpony.at/5CB867221FE24DB3 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/5CB867221FE24DB3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/5CB867221FE24DB3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/5CB867221FE24DB3 http://k4restportgonst34d23r.oftpony.at/5CB867221FE24DB3 http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/5CB867221FE24DB3 *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/5CB867221FE24DB3 *** Your personal identification ID: 5CB867221FE24DB3

URLs

http://p57gest54celltraf743knjf.mottesapo.com/5CB867221FE24DB3

http://k4restportgonst34d23r.oftpony.at/5CB867221FE24DB3

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/5CB867221FE24DB3

http://fwgrhsao3aoml7ej.onion/5CB867221FE24DB3

http://fwgrhsao3aoml7ej.ONION/5CB867221FE24DB3

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (855) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mxrmwubydnxm.exewslll.exeVirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exedrmye.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	mxrmwubydnxm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wslll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	drmye.exe

Drops startup file 6 IoCs

Processes:

mxrmwubydnxm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+qtlts.txt	mxrmwubydnxm.exe

Executes dropped EXE 4 IoCs

Processes:

mxrmwubydnxm.exemxrmwubydnxm.exedrmye.exewslll.exe

pid process

3056 mxrmwubydnxm.exe
1360 mxrmwubydnxm.exe
4620 drmye.exe
220 wslll.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3056	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
4620	drmye.exe
220	wslll.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mxrmwubydnxm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\mxrmwubydnxm.exe"	mxrmwubydnxm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exemxrmwubydnxm.exe

description	pid	process	target process
PID 3952 set thread context of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3056 set thread context of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe

Drops file in Program Files directory 64 IoCs

Processes:

mxrmwubydnxm.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\ImportFromDevice.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-lightunplated.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-200.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-20_contrast-black.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-100.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-125.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\RevokeSync.css	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-400.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-400.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\Recovery+qtlts.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\Recovery+qtlts.txt	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileForms32x32.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p2.mp4	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreMedTile.scale-200.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-40.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-400.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\Recovery+qtlts.html	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-125.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-125.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated_contrast-black.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-200.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-100.png	mxrmwubydnxm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+qtlts.txt	mxrmwubydnxm.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe

description	ioc	process
File created	C:\Windows\mxrmwubydnxm.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
File opened for modification	C:\Windows\mxrmwubydnxm.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4000 vssadmin.exe
2348 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

mxrmwubydnxm.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings mxrmwubydnxm.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5000 NOTEPAD.EXE

pid	process
4000	vssadmin.exe
2348	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	mxrmwubydnxm.exe

pid	process
5000	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mxrmwubydnxm.exe

pid	process
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe
1360	mxrmwubydnxm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

440 msedge.exe
440 msedge.exe
440 msedge.exe
440 msedge.exe
440 msedge.exe
440 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exemxrmwubydnxm.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
Token: SeDebugPrivilege	1360	mxrmwubydnxm.exe
Token: SeBackupPrivilege	5020	vssvc.exe
Token: SeRestorePrivilege	5020	vssvc.exe
Token: SeAuditPrivilege	5020	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exemxrmwubydnxm.exe

pid process

3952 VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
3056 mxrmwubydnxm.exe

pid	process
3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
3056	mxrmwubydnxm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exeVirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exemxrmwubydnxm.exemxrmwubydnxm.exedrmye.exemsedge.exewslll.exe

description	pid	process	target process
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 3952 wrote to memory of 4088	3952	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
PID 4088 wrote to memory of 3056	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	mxrmwubydnxm.exe
PID 4088 wrote to memory of 3056	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	mxrmwubydnxm.exe
PID 4088 wrote to memory of 3056	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	mxrmwubydnxm.exe
PID 4088 wrote to memory of 2792	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	cmd.exe
PID 4088 wrote to memory of 2792	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	cmd.exe
PID 4088 wrote to memory of 2792	4088	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	cmd.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 3056 wrote to memory of 1360	3056	mxrmwubydnxm.exe	mxrmwubydnxm.exe
PID 1360 wrote to memory of 4620	1360	mxrmwubydnxm.exe	drmye.exe
PID 1360 wrote to memory of 4620	1360	mxrmwubydnxm.exe	drmye.exe
PID 1360 wrote to memory of 4620	1360	mxrmwubydnxm.exe	drmye.exe
PID 4620 wrote to memory of 4000	4620	drmye.exe	vssadmin.exe
PID 4620 wrote to memory of 4000	4620	drmye.exe	vssadmin.exe
PID 1360 wrote to memory of 5000	1360	mxrmwubydnxm.exe	NOTEPAD.EXE
PID 1360 wrote to memory of 5000	1360	mxrmwubydnxm.exe	NOTEPAD.EXE
PID 1360 wrote to memory of 5000	1360	mxrmwubydnxm.exe	NOTEPAD.EXE
PID 1360 wrote to memory of 440	1360	mxrmwubydnxm.exe	msedge.exe
PID 1360 wrote to memory of 440	1360	mxrmwubydnxm.exe	msedge.exe
PID 440 wrote to memory of 4680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 4680	440	msedge.exe	msedge.exe
PID 1360 wrote to memory of 220	1360	mxrmwubydnxm.exe	wslll.exe
PID 1360 wrote to memory of 220	1360	mxrmwubydnxm.exe	wslll.exe
PID 1360 wrote to memory of 220	1360	mxrmwubydnxm.exe	wslll.exe
PID 220 wrote to memory of 2348	220	wslll.exe	vssadmin.exe
PID 220 wrote to memory of 2348	220	wslll.exe	vssadmin.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe
PID 440 wrote to memory of 3680	440	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

mxrmwubydnxm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mxrmwubydnxm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	mxrmwubydnxm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\mxrmwubydnxm.exe
    C:\Windows\mxrmwubydnxm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\mxrmwubydnxm.exe
      C:\Windows\mxrmwubydnxm.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1360
    - - C:\Users\Admin\Documents\drmye.exe
        
        C:\Users\Admin\Documents\drmye.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:4000
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcda1246f8,0x7ffcda124708,0x7ffcda124718
        6⤵
        
        PID:4680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        6⤵
        
        PID:3680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
        6⤵
        
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        6⤵
        
        PID:1336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:2748
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        
        PID:4684
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        
        PID:1576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
        6⤵
        
        PID:2820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
        6⤵
        
        PID:5048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
        6⤵
        
        PID:2236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7926118586377406216,8844023081651636466,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
        6⤵
        
        PID:3828
    - - C:\Users\Admin\Documents\wslll.exe
        
        C:\Users\Admin\Documents\wslll.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MXRMWU~1.EXE
        5⤵
        
        PID:700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:2792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+qtlts.html

Filesize
8KB

MD5
c28556b4b848e4d6f908ea7ffe8d89da

SHA1
0b28d79f4a9ec687484b004cba49251b3dc9ebd0

SHA256
4ae8c3e15fd13afa38fd6e0be980b35b6b3413b673bee74f1bec442be6f929ee

SHA512
dca2148ad4399bad747b6ad71f9c4e21b8ba84f3ce523d48e2778e0b99ac67419576c77ae771ef4645b62b6971914c22f1af580d96f694c26d7d67e66e02eec7

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+qtlts.png

Filesize
67KB

MD5
f25db838596f9e8f878b7e3dfe1da1ce

SHA1
ba89bb4c8181a8d86c319e6f585a919f1040ebd2

SHA256
914254063b6c73c8d3223a48bcb8cc7b886a04332a395489c931fc9f204b5803

SHA512
43581c21997121f78c0bcc8a8e8e0bbaad25f45caefdbe62c3a9feb6b6cd9b5e0ea600a7b259743ca036cfc7ba4b16ccb8269f9b0ce7154d5ef12c665fc31852

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+qtlts.txt

Filesize
2KB

MD5
e012ab3edf78c46f8ad7ef36622b3e23

SHA1
127dc38167351f27ba3c3c597000a768a1b84e2e

SHA256
806b3fee22863278fc1e0a81b2671fe5280634d4653e5517143ec78bbb76a174

SHA512
924fbf349b216d59e41c8643b760e3f1e63a9c2c0d6b2255ed6f49a7e332f3696b3d201f459de3654ed45aece21561941563a04d35a4da6aa297cfca9f5fb8ee

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
ac30b98c7d05fc7f2014c4bcdb1861c1

SHA1
1bb72b49f7ba3b0114b847b32ed3975071ed84c0

SHA256
d9bc7b9afe92742686cbc136646d5fd84a8782a8dc79ea6fda07b91adfade2f3

SHA512
1f16126e4f5fee9465275f4f72579190954ad46fb824104b90d952fdb7acf97c9dae55473f59eb4ed082e13c36a468906c8722736d4b5d1c8e66fd0c739b4010

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
6f4b742c2a019ae1435046a92f9ff675

SHA1
bdc90cd2d3bac7744550f0c33f82f3e7af5c7417

SHA256
51921519ef61a615cc2a9fb91be970fdb3409bdd9f4cd32b6b81f98b672afd62

SHA512
28026a3ba0c33692fc1067aef25a92709090c3d21baa68d57517883075e68eb9e05e8be2bc6526e5a97980ad6af6554d13a037ccf0ade4b58b489b020897529f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
a5243aeb6694fc6bdb4ef58eeb306472

SHA1
e7569aa645919df03d7ca0cbea45261bcd0b3efc

SHA256
5dd27bc06f46466a7836234a6fe7516e628bbd8af540faaa6cfebf77a49cb51c

SHA512
cf0535aa2cb32b44b6026f151dd7170b91911d301b60a62ef94ade72ce7b3fd9ef1d212672665dbada2fea8a1a04bcd91a5009d25c788ac4b6d0d8c2387d9f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b682197f10cee8c92fdc6a290b0e9b92

SHA1
8d7b1e9645e7e1ed318e777073cffbee9c95db6d

SHA256
710bb3e2d9be514b377268ad2a5837392b3c285fbf88d521213c2978ed37ecd1

SHA512
4a9309a3b3b7325976ad9498c3a4728ffa225f9975ab03d4ac3bacc7ad7aa9cc450052b0d8dd7989cbb30598736b1e983d7c30052eece57e1b754f8d6acc1fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3edee802f223f31e23202717fddeeff

SHA1
32703deb86a7ba8d6db62ee336fd17af5afb166a

SHA256
7cb8f8aedb9fc5ff301949629c2d4f338370a7b4a60f56c4020c78116c770693

SHA512
3bfeb490a6ed9e2d5829b51da8f8927d514f1516cf9791965ab15cb5023231350ba4ad06d1f3ebd5ef7b073fa32968ff0c486932eb29a98ee35c9e92d6bf0237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01d2f746f83328bd4859117bfb78d18c

SHA1
b0d8ff0b99f4adc7da1751ee1cbfbc15cdce2099

SHA256
08635b028999a27af634c5f768a8d1655e169271662bb229c3b0456b64a759c9

SHA512
b21431732d13a104b7b06709cab69bd4b79507b9fc8700d04749ff716e314132bbce2cb4ea34f6b251c0b8bfb0be68bed1578406dd8bcbb3f5f447a956826622

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586114217182871.txt

Filesize
75KB

MD5
5074d6c610ea70372cabf78c2d928001

SHA1
c0ea8b646b3e50efbc397a0a8c75f077a831ac8b

SHA256
d40339dd1b87f7b0597d51940105b2ca23019c60e3dbd12259e42c5d3670b727

SHA512
1d11e694f3799503dcb91973a7200d24b4de076ecf55e795d372b79f3497c445d65763f8d47ff6cca3c033b9ebc8707c2c016bc32bea94608095c8ebcd3eea07

Download Submit
C:\Users\Admin\Documents\drmye.exe

Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
C:\Windows\mxrmwubydnxm.exe

Filesize
616KB

MD5
2bfb0ef1b81124ca61c93c341a9ed164

SHA1
80a77d8af4702dc597bc48838f9140e1d3ed2bc0

SHA256
86e08c4190074fa5774eb0f37afacf780bfe1b4f1335cccfcd1d5fe140e09b5b

SHA512
2c336f88c9c7c3f7c8c3ae87f392f92ece3e28155b08b25f31c522b3df509bef5803240647a2853bc34567f943e6afd5dfba732ddbbfe1e2cffd0e272a6f97a0

Download Submit
\??\pipe\LOCAL\crashpad_440_EOHJXDHIFUFMPKMH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1360-8896-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-273-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-10364-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-10415-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-2656-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-5401-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-10417-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-29-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-10363-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3056-19-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/3056-12-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/3952-0-0x0000000000DD0000-0x0000000000DD3000-memory.dmp

Filesize
12KB

Download
memory/3952-4-0x0000000000DD0000-0x0000000000DD3000-memory.dmp

Filesize
12KB

Download
memory/3952-1-0x0000000000DD0000-0x0000000000DD3000-memory.dmp

Filesize
12KB

Download
memory/4088-5-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4088-6-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4088-13-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4088-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4088-3-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download