teslacrypt | 6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

Analysis

max time kernel
136s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
Size

388KB
MD5

40707cdcd4220213b9ef2545043d6c99
SHA1

7f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA256

6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA512

0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088
SSDEEP

6144:tYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:tnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+xayru.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8A3762341DD7EB3E 2. http://kkd47eh4hdjshb5t.angortra.at/8A3762341DD7EB3E 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/8A3762341DD7EB3E If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/8A3762341DD7EB3E 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8A3762341DD7EB3E http://kkd47eh4hdjshb5t.angortra.at/8A3762341DD7EB3E http://ytrest84y5i456hghadefdsd.pontogrot.com/8A3762341DD7EB3E *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8A3762341DD7EB3E

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8A3762341DD7EB3E

http://kkd47eh4hdjshb5t.angortra.at/8A3762341DD7EB3E

http://ytrest84y5i456hghadefdsd.pontogrot.com/8A3762341DD7EB3E

http://xlowfznrg4wf7dli.ONION/8A3762341DD7EB3E

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (890) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_40707cdcd4220213b9ef2545043d6c99.exefwsldpmiydoi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	fwsldpmiydoi.exe

Drops startup file 6 IoCs

Processes:

fwsldpmiydoi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+xayru.html	fwsldpmiydoi.exe

Executes dropped EXE 2 IoCs

Processes:

fwsldpmiydoi.exefwsldpmiydoi.exe

pid process

4488 fwsldpmiydoi.exe
4028 fwsldpmiydoi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4488	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fwsldpmiydoi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyokhcyjxetw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\fwsldpmiydoi.exe\""	fwsldpmiydoi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_40707cdcd4220213b9ef2545043d6c99.exefwsldpmiydoi.exe

description	pid	process	target process
PID 4524 set thread context of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4488 set thread context of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe

Drops file in Program Files directory 64 IoCs

Processes:

fwsldpmiydoi.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-white.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-100.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-black.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-100_contrast-white.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_SplashScreen.scale-200.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-125.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-150.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-150.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-300.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\Square44x44Logo.scale-125.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-36_altform-unplated.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-200.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Wood.jpg	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-colorize.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-100.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Java\jre8\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-200.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-100.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Fonts\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-125.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreMedTile.scale-100.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\applet\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.scale-200.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Recovery+xayru.html	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-lightunplated.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_48x48x32.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\Recovery+xayru.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\156.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-125.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\9BD09B5C-84D7-4E40-BF8C-CACD6EE1539F\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\Recovery+xayru.txt	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	fwsldpmiydoi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png	fwsldpmiydoi.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_40707cdcd4220213b9ef2545043d6c99.exe

description	ioc	process
File created	C:\Windows\fwsldpmiydoi.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
File opened for modification	C:\Windows\fwsldpmiydoi.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

fwsldpmiydoi.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings fwsldpmiydoi.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

880 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	fwsldpmiydoi.exe

pid	process
880	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fwsldpmiydoi.exe

pid	process
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe
4028	fwsldpmiydoi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4920 msedge.exe
4920 msedge.exe
4920 msedge.exe
4920 msedge.exe
4920 msedge.exe
4920 msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

VirusShare_40707cdcd4220213b9ef2545043d6c99.exefwsldpmiydoi.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
Token: SeDebugPrivilege	4028	fwsldpmiydoi.exe
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: 36	1588	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_40707cdcd4220213b9ef2545043d6c99.exeVirusShare_40707cdcd4220213b9ef2545043d6c99.exefwsldpmiydoi.exefwsldpmiydoi.exemsedge.exe

description	pid	process	target process
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4524 wrote to memory of 4104	4524	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
PID 4104 wrote to memory of 4488	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	fwsldpmiydoi.exe
PID 4104 wrote to memory of 4488	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	fwsldpmiydoi.exe
PID 4104 wrote to memory of 4488	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	fwsldpmiydoi.exe
PID 4104 wrote to memory of 4276	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	cmd.exe
PID 4104 wrote to memory of 4276	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	cmd.exe
PID 4104 wrote to memory of 4276	4104	VirusShare_40707cdcd4220213b9ef2545043d6c99.exe	cmd.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4488 wrote to memory of 4028	4488	fwsldpmiydoi.exe	fwsldpmiydoi.exe
PID 4028 wrote to memory of 4024	4028	fwsldpmiydoi.exe	WMIC.exe
PID 4028 wrote to memory of 4024	4028	fwsldpmiydoi.exe	WMIC.exe
PID 4028 wrote to memory of 880	4028	fwsldpmiydoi.exe	NOTEPAD.EXE
PID 4028 wrote to memory of 880	4028	fwsldpmiydoi.exe	NOTEPAD.EXE
PID 4028 wrote to memory of 880	4028	fwsldpmiydoi.exe	NOTEPAD.EXE
PID 4028 wrote to memory of 4920	4028	fwsldpmiydoi.exe	msedge.exe
PID 4028 wrote to memory of 4920	4028	fwsldpmiydoi.exe	msedge.exe
PID 4920 wrote to memory of 3580	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3580	4920	msedge.exe	msedge.exe
PID 4028 wrote to memory of 1588	4028	fwsldpmiydoi.exe	WMIC.exe
PID 4028 wrote to memory of 1588	4028	fwsldpmiydoi.exe	WMIC.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe
PID 4920 wrote to memory of 3684	4920	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

fwsldpmiydoi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fwsldpmiydoi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fwsldpmiydoi.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_40707cdcd4220213b9ef2545043d6c99.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\fwsldpmiydoi.exe
    C:\Windows\fwsldpmiydoi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\fwsldpmiydoi.exe
      C:\Windows\fwsldpmiydoi.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4028
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcff8c46f8,0x7ffcff8c4708,0x7ffcff8c4718
        6⤵
        
        PID:3580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:3684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        6⤵
        
        PID:4472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
        6⤵
        
        PID:3012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        
        PID:3972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:2264
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
        6⤵
        
        PID:5004
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        6⤵
        
        PID:4184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:3408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        6⤵
        
        PID:3844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14075615409661810948,17701916675162624637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        6⤵
        
        PID:2996
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FWSLDP~1.EXE
        5⤵
        
        PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+xayru.html

Filesize
9KB

MD5
ba8035b61af9d34bf8ad1da56bc55eea

SHA1
1b4838c8e388592374ca936783d621aadf48aa86

SHA256
7bc2433518030332dd947f633dc310256e70b925c4da8bfb20ff2eb01d6bfc6b

SHA512
c6612b43794644a1aa95be6c1a5dded4dd8a530228071ce8c4cb439ac1df7048d5d4444da22503eacb94beb9d162478468a4c6e35f14d0ddbe23054156ab6d70

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+xayru.png

Filesize
63KB

MD5
aa51ec295cd438962a507bd8dc496d16

SHA1
127f3a8d235289f163681e921345f9b7488b7089

SHA256
f6c85acafe7f56b66409047d50eaf9060e51e2716e37665a7460f11ae4088b2c

SHA512
cdc694c35ebb8c4fe4f487ff296e87c9a3d76b897db09703704e2669d0a2e32d00fc9265baa7668b17977c2820b1ac7d827889443ed30e1bfcba5b26f0283f34

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+xayru.txt

Filesize
1KB

MD5
f8d5a77e5743aaf7943c8bbe47aaaa33

SHA1
1a882e9da0a5620e95440e302c08e413c8ae8594

SHA256
4b15b48cf6f546cedc29028da4c7d1a6077edfd27a8f0b29226bfb223d85dba0

SHA512
eab5359f748a925ce23333e8c9b99cff5261322084895f658bea2a46ed6316cd4f88cd08b6f6f3ca26b84e115cb56180517184c0c9d788db01314e384ab8ae90

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8d0dd5fe1959501c6d244c1a682bc68d

SHA1
bbfae8c8a8cfd194141892c84aeafd807ddb2db5

SHA256
ed7e4a456a462a58643b84a04028d00befa2eb53a368e94f45d66b22ec4217dc

SHA512
5882831a83d04e1a173194b9e1fd0dc18c48f094475f3df42d3dd01da1d650396060b52423dfcebaf2ba49a3766ac957d73590cebe5aa1fdaca62ab7a41203bc

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
4eb50d0df2e670b0f15fde6f19ea2941

SHA1
31de4609295a7b082e451b137fb822e8013ac94d

SHA256
c1169b10ceed5cc2db63118ce56e7de79594d46c59a1d33918cd488c1c2ce5df

SHA512
1062ef187d4e9268aedfb2eaf0944c52d938922ceca2fa98e0f342b95ff237976aa250d2864cbbd401ad7b86c8897912263cc56f493eae63baa9ce42628c739f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
b1b7929efcc9e9829c1baf37fcf6a306

SHA1
8ce6546f0aeb2fcaaf389a340d87f58f722c27f9

SHA256
89bb82bfdbfec5a678fb8a154d8c6595e86e69c9ad4ab64f5fded4ff8e224100

SHA512
5c932bb363fab6c896f486acc59ef99834d84749c5e9916e61e807d02a3b9252944e2301f45de87a6c1d7ba52ba23dd117a13c5b7df2f2e6a4fd5cf467d0c951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d05208f4b17e60dc0ca80b66edd781a7

SHA1
d5c40a7ac641c429a0735490868e0c5606115e81

SHA256
c5ed7e16ee10d4de49dd11afff3f0ef0bdee6aa3fb798ed8f225762953e432bb

SHA512
985118c02aa36c841ece7235feb57c7945a7976ddc72a9a7ece4ba3c637eb00a31ed5397eda8585bc2b5af86d56875b323f3ea7c9b6ae8fd8b77d0c9544e8bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
711bf8abe3ea8d09fe1f33532e33566e

SHA1
e3c201d52aa444537df6b9d48dfa75aa18c7698a

SHA256
b362ed77d55df665112c160f4b67f3141be6b30300df32f3b5bab4f3c068288f

SHA512
e43b43934bc31592e01f20485df88b107578da29245b28f8dc656c455142ccbdd3dc87a3d60d6a968466897aa1dd5af79aa36c6b3728803ecd3d0e869755ab02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9eb3a427d0daba0465d7ead3148fbb10

SHA1
0f6a741621601fbba2ca6943d68ef8b06b476f7a

SHA256
10ded07e30aedd8a28646be615cc0bb50a18fd7ea9ae8e5163e4b4fba368bd6a

SHA512
2d0369d3fcfcb031258726dc98de1cbb62576056ef86164d481e3ea7ff83e171cb40950a14810acb2da92a264a78146a0319446151f5e42ec271a6f77b535c59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt

Filesize
47KB

MD5
ffe7299c4c0bc657c2e54637778f501f

SHA1
08a0ade0fa023bf9d88ead464f4d35940da4d41f

SHA256
c9b3d7561c0c1fcf191e869966afa716adc3db19e22f23752ef20785d95da05d

SHA512
7aa75628e50a04fac7cbddf0dab35a5f5d1039d4adb3b3f1824b58c6dba31847616d00c6a2b99cbd94335e3c86ee484daf6e3b6015a963bf7038f2cd58fb3e6e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586135347904641.txt

Filesize
75KB

MD5
9763a83c109d99d2f0ee2c892f7332e0

SHA1
66fc4f0243715c12ca034d9b88aff8a27b378e2e

SHA256
b47dbb25ff6da62660e786560b421bbec82df86823ca290ee617a801276e5352

SHA512
ee81b1ed4f5d4c20dbf312dad8b4fd02b0e65489fe7a68b3da947cdf9a8a096c5fbf9f0c245acba827bb7003507ad56beb0629a2fa39ee3e8c133fdb2946201d

Download Submit
C:\Windows\fwsldpmiydoi.exe

Filesize
388KB

MD5
40707cdcd4220213b9ef2545043d6c99

SHA1
7f9d3ad1125de47368644e29b5d5cd515c6497e8

SHA256
6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f

SHA512
0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088

Download Submit
\??\pipe\LOCAL\crashpad_4920_CZKOFOFWLKYNIGZC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4028-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-8827-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-613-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-2759-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-5372-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-10477-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-10436-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-10426-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-10427-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4028-10435-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4104-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4104-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4104-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4104-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4104-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4488-14-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/4524-4-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download
memory/4524-0-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download
memory/4524-1-0x0000000002650000-0x0000000002653000-memory.dmp

Filesize
12KB

Download