teslacrypt | 56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

Analysis

max time kernel
146s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_4e826024050255ddf739c2656f2d9a77.exe
Size

368KB
MD5

4e826024050255ddf739c2656f2d9a77
SHA1

856eca0fb51d6994d9d472dfe5358b4c9b5293d7
SHA256

56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab
SHA512

fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff
SSDEEP

6144:r/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:hDu6UsibiPbNt370Lcta9OSCnfPuNT

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nkwyo.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E5FF8E8ADE9ABE1A 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/E5FF8E8ADE9ABE1A 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/E5FF8E8ADE9ABE1A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/E5FF8E8ADE9ABE1A 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E5FF8E8ADE9ABE1A http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/E5FF8E8ADE9ABE1A http://yyre45dbvn2nhbefbmh.begumvelic.at/E5FF8E8ADE9ABE1A Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/E5FF8E8ADE9ABE1A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E5FF8E8ADE9ABE1A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/E5FF8E8ADE9ABE1A

http://yyre45dbvn2nhbefbmh.begumvelic.at/E5FF8E8ADE9ABE1A

http://xlowfznrg4wf7dli.ONION/E5FF8E8ADE9ABE1A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (865) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	xmvexmxwfbcv.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe

Executes dropped EXE 2 IoCs

pid	Process
1688	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\popguqr = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\xmvexmxwfbcv.exe"	xmvexmxwfbcv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 1688 set thread context of 2128	1688	xmvexmxwfbcv.exe	93

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-400.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-black.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-125.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-100.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_light_environment.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-150.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tongue.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-125.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\weatherdotcom.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_moments.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsPowerShell\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-100.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-100.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-lightunplated.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-100.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-100.jpg	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-200.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-black.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-100.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-black_scale-100.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_ReCoVeRy_+nkwyo.txt	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\_ReCoVeRy_+nkwyo.html	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-200.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png	xmvexmxwfbcv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\_ReCoVeRy_+nkwyo.png	xmvexmxwfbcv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xmvexmxwfbcv.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
File opened for modification	C:\Windows\xmvexmxwfbcv.exe	VirusShare_4e826024050255ddf739c2656f2d9a77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	xmvexmxwfbcv.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3012	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe
2128	xmvexmxwfbcv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe
Token: SeDebugPrivilege	2128	xmvexmxwfbcv.exe
Token: SeIncreaseQuotaPrivilege	4560	WMIC.exe
Token: SeSecurityPrivilege	4560	WMIC.exe
Token: SeTakeOwnershipPrivilege	4560	WMIC.exe
Token: SeLoadDriverPrivilege	4560	WMIC.exe
Token: SeSystemProfilePrivilege	4560	WMIC.exe
Token: SeSystemtimePrivilege	4560	WMIC.exe
Token: SeProfSingleProcessPrivilege	4560	WMIC.exe
Token: SeIncBasePriorityPrivilege	4560	WMIC.exe
Token: SeCreatePagefilePrivilege	4560	WMIC.exe
Token: SeBackupPrivilege	4560	WMIC.exe
Token: SeRestorePrivilege	4560	WMIC.exe
Token: SeShutdownPrivilege	4560	WMIC.exe
Token: SeDebugPrivilege	4560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4560	WMIC.exe
Token: SeRemoteShutdownPrivilege	4560	WMIC.exe
Token: SeUndockPrivilege	4560	WMIC.exe
Token: SeManageVolumePrivilege	4560	WMIC.exe
Token: 33	4560	WMIC.exe
Token: 34	4560	WMIC.exe
Token: 35	4560	WMIC.exe
Token: 36	4560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4560	WMIC.exe
Token: SeSecurityPrivilege	4560	WMIC.exe
Token: SeTakeOwnershipPrivilege	4560	WMIC.exe
Token: SeLoadDriverPrivilege	4560	WMIC.exe
Token: SeSystemProfilePrivilege	4560	WMIC.exe
Token: SeSystemtimePrivilege	4560	WMIC.exe
Token: SeProfSingleProcessPrivilege	4560	WMIC.exe
Token: SeIncBasePriorityPrivilege	4560	WMIC.exe
Token: SeCreatePagefilePrivilege	4560	WMIC.exe
Token: SeBackupPrivilege	4560	WMIC.exe
Token: SeRestorePrivilege	4560	WMIC.exe
Token: SeShutdownPrivilege	4560	WMIC.exe
Token: SeDebugPrivilege	4560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4560	WMIC.exe
Token: SeRemoteShutdownPrivilege	4560	WMIC.exe
Token: SeUndockPrivilege	4560	WMIC.exe
Token: SeManageVolumePrivilege	4560	WMIC.exe
Token: 33	4560	WMIC.exe
Token: 34	4560	WMIC.exe
Token: 35	4560	WMIC.exe
Token: 36	4560	WMIC.exe
Token: SeBackupPrivilege	1076	vssvc.exe
Token: SeRestorePrivilege	1076	vssvc.exe
Token: SeAuditPrivilege	1076	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2572 wrote to memory of 2984	2572	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	89
PID 2984 wrote to memory of 1688	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	90
PID 2984 wrote to memory of 1688	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	90
PID 2984 wrote to memory of 1688	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	90
PID 2984 wrote to memory of 2636	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	91
PID 2984 wrote to memory of 2636	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	91
PID 2984 wrote to memory of 2636	2984	VirusShare_4e826024050255ddf739c2656f2d9a77.exe	91
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 1688 wrote to memory of 2128	1688	xmvexmxwfbcv.exe	93
PID 2128 wrote to memory of 4560	2128	xmvexmxwfbcv.exe	94
PID 2128 wrote to memory of 4560	2128	xmvexmxwfbcv.exe	94
PID 2128 wrote to memory of 3012	2128	xmvexmxwfbcv.exe	99
PID 2128 wrote to memory of 3012	2128	xmvexmxwfbcv.exe	99
PID 2128 wrote to memory of 3012	2128	xmvexmxwfbcv.exe	99
PID 2128 wrote to memory of 2976	2128	xmvexmxwfbcv.exe	100
PID 2128 wrote to memory of 2976	2128	xmvexmxwfbcv.exe	100
PID 2976 wrote to memory of 2204	2976	msedge.exe	101
PID 2976 wrote to memory of 2204	2976	msedge.exe	101
PID 2128 wrote to memory of 3448	2128	xmvexmxwfbcv.exe	102
PID 2128 wrote to memory of 3448	2128	xmvexmxwfbcv.exe	102
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104
PID 2976 wrote to memory of 4820	2976	msedge.exe	104

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xmvexmxwfbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xmvexmxwfbcv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4e826024050255ddf739c2656f2d9a77.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\xmvexmxwfbcv.exe
    C:\Windows\xmvexmxwfbcv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\xmvexmxwfbcv.exe
      C:\Windows\xmvexmxwfbcv.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2128
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffa95d346f8,0x7ffa95d34708,0x7ffa95d34718
        6⤵
        
        PID:2204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        6⤵
        
        PID:4820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        6⤵
        
        PID:3108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
        6⤵
        
        PID:3348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        
        PID:2360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        6⤵
        
        PID:4232
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
        6⤵
        
        PID:760
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
        6⤵
        
        PID:3256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
        6⤵
        
        PID:3120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
        6⤵
        
        PID:2200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        6⤵
        
        PID:288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,16986275178072160085,10771048247829694891,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
        6⤵
        
        PID:4588
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XMVEXM~1.EXE
        5⤵
        
        PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nkwyo.html

Filesize
12KB

MD5
226de34a30c36e36c2ecb1900e37d04f

SHA1
3b21054b058edc6ca9faad644982996d8280dd82

SHA256
24178338e3e62a298736e5b021d30d16ad9f8bb7b3a28ea78caa359237768476

SHA512
fc8237b32fb8f3fb46b8d308227540752450b6eaf7bc2651da86e659a0376227af822ec005924b30c412a9c939ddb36ccfc0af04768d19052ba36bf7c173ed42

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nkwyo.png

Filesize
64KB

MD5
f73759dba8f83f881779aea0f51b466e

SHA1
d78be020903abfff6319a61ac9a6c05fff0ba251

SHA256
bedbe21cd5f0f43c735a11e002bb3bb43d91c773437cfe551b233d399ef8e4c8

SHA512
98422dca17ce2c4bc93ba19a526d8a6c6990d853aa46cdf3ca56c79da36c8be89073f98e061ee6cca30000bf13f5d2e9bca0b1799cc6759f115f0db5aaabbf8e

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nkwyo.txt

Filesize
1KB

MD5
7742f6680ddf58f6697a05674d4bd7e5

SHA1
4b558a87ad7d239e0877528a02ce4cef40d923c1

SHA256
669e51d52e71389035d0b3f03c7731dbf874a45d5b04da9b378bdfec6568375b

SHA512
b284db63f4193c6fcf9f65ef3f0fac2cc5a54ef54ce1dd81df0e1b6b9a16db40e7ff81f6e7412db4fdbca0d1c5e67424970be77397575aef41f5a9783234d323

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
d2a71ac1a719d63a3d8c7db277193711

SHA1
eac12f69ab0b1e37b792445630c3495e9bf9ec2d

SHA256
a9d5701aa6c91ce6014bb259a2645dd8b0012d2919a3b9e6a4a9560f92de697e

SHA512
42cb3dee986dc087123a39226d71c18b6943f063dc0d2366fbc0bb1b5ccea3aae4da33be0c5a60230b989024e564f2b120fa26e8baf27f65721ddaadedc6d1de

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
08b02d68ddf7930be30aa225566d94b5

SHA1
81df8364b6a1a01eb6aa4ced495528ca35b1f660

SHA256
83b0483e9e69016588a5ca2e24b4c8517d10d1a084987bbbc657415d99fa824c

SHA512
93e7eacca89fc6a516da46ed96091eda226a0d51123d9ddf3a42eb52ac04066495ef0a9e41dc55e87f9d041abac118312b4fff7994aa7ce9aec9026ce2c25e2f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
42acb76e5ac4ac073786262e3b4f5e48

SHA1
9254ce9ce8f6571481edc15af5e326a6a2ad7276

SHA256
0bc3a1329f36493902a48865f4134e122d18905d7f6c6a29c37ae29865e2f6c5

SHA512
64edb67a7c7925a3bc01899a9032d8a614961f65480624363167bdb65d935df958367bfeb5ecf66a638d4196e1f10104e113f3475a6c78d47d47092107bbf756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
016e65937461b0924e321710da0fcbf7

SHA1
c50cd12e45129ed8e552021849fc27ce546c5fec

SHA256
6339eff582a44f14aee0464ff840c39d7cf070f1d12d87e5176fbe972d583c80

SHA512
703b7214c52594d3de8af29ca2203e80efa5ef9b90eb1139b1817e4807fb7b3baa149e9373758ff654d5f9600e0042fe7f58d02a4c8b5a2b806a2188a72e1dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81584c6a60a619d39404db0422eadb09

SHA1
98898c3090b67fa47859ea70508163262838f982

SHA256
6fb629b03d01ba793276a22cce44cf00da6bfb93f555219c71337470ae6992e9

SHA512
ad689a563150b28a28f39e95f796bda08692180e179af59885b1c77d62d84610f97852110683005fe65fb719a0321d91278196a406dbf006aed56418435bb14d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec4e370e686fdbf5e7c27a695aec6f36

SHA1
9711d4587bf9a1920d5c2c4c192bd26a1ddb7cd7

SHA256
45e12a12e4171ef15bc55d8ae7fd5f4abf45a94a7286f9221ab4d7d3941801ce

SHA512
f1666d4b49a0c3d5402de46de40e73f1f565b30739d6ddf2a7e8453c52ca01a939cd8e1416318132b98e4739578e9e172209a8a149d14a5f1f3220bb9b90da9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586137817185288.txt

Filesize
75KB

MD5
6fab92e6ae90a04427eca6afac7cd0d9

SHA1
463b5a7891f38053252f05d5068e873a56d2e8b6

SHA256
59dda637057fbb5c450e1a0ee1764731cafcffd545baabf00dc60bf5209ff2e7

SHA512
e10a2f149ff31395c4f331286f1278c0db4371235db34e66aeb6e10f9cf243da5541e6f2c580702ce4cabf8986a6e731879f36e83a6276eb50ba4d7feabff8a5

Download Submit
C:\Windows\xmvexmxwfbcv.exe

Filesize
368KB

MD5
4e826024050255ddf739c2656f2d9a77

SHA1
856eca0fb51d6994d9d472dfe5358b4c9b5293d7

SHA256
56cf195bd7fc140caef4a59132cca2d1499783d473633c0384d1b350606731ab

SHA512
fb25c55a9710133214b97bbd9492f39df0f2f43ea9e056cf05f6f4943d9f26031e7832d77df5dd2f69f49c97de92b3d9fbb2d3477215d9f405dcf178488ea8ff

Download Submit
memory/1688-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2128-10380-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-5299-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-2561-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-10468-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-8485-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-9373-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-26-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-10381-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-10389-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2128-10391-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2572-0-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/2572-4-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/2572-1-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/2984-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2984-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2984-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2984-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2984-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download