teslacrypt | 65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
Size

360KB
MD5

6e1521accd328e43641c8c71ebbde64c
SHA1

7a82cfbb067c0b189dc1fa10e916fe763a5e8356
SHA256

65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61
SHA512

827cc80559b04443904fdee9aea46ef7bc22dc28f89369b83a9508a9b54de7d30b627c71740f6a8ac9f89f49d9a614dc3fa84bad57d9fbb934b4e00ced60e4e2
SSDEEP

6144:z6qgoL9xGn4FfcPhe6szbYKMGFtOf7ipZz/aYIZC3FqTzELSyH5vuNAvwu:h9xGbKMAIf7i7vF3FqnEpvmAvB

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECOVERY_+tkbtj.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/628B419D863ED 2. http://tes543berda73i48fsdfsd.keratadze.at/628B419D863ED 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/628B419D863ED If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/628B419D863ED 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/628B419D863ED http://tes543berda73i48fsdfsd.keratadze.at/628B419D863ED http://tt54rfdjhb34rfbnknaerg.milerteddy.com/628B419D863ED *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/628B419D863ED

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/628B419D863ED

http://tes543berda73i48fsdfsd.keratadze.at/628B419D863ED

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/628B419D863ED

http://xlowfznrg4wf7dli.ONION/628B419D863ED

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (858) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exepwpxndkmchnu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	pwpxndkmchnu.exe

Drops startup file 6 IoCs

Processes:

pwpxndkmchnu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe

Executes dropped EXE 1 IoCs

Processes:

pwpxndkmchnu.exe

pid process

3744 pwpxndkmchnu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pwpxndkmchnu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xoqljjhkyglf = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pwpxndkmchnu.exe\""	pwpxndkmchnu.exe

Drops file in Program Files directory 64 IoCs

Processes:

pwpxndkmchnu.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-black_scale-100.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\1px.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Fonts\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-100.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsBadgeLogo.scale-100.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-150.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-125.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-black.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-200.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-100_contrast-black.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoRight.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-48_altform-unplated.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40_altform-unplated.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-150.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-150.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated_contrast-black.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\_RECOVERY_+tkbtj.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-100.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-24_contrast-black.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\_RECOVERY_+tkbtj.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-white.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-black.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\4.jpg	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png	pwpxndkmchnu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\_RECOVERY_+tkbtj.html	pwpxndkmchnu.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exe

description	ioc	process
File created	C:\Windows\pwpxndkmchnu.exe	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
File opened for modification	C:\Windows\pwpxndkmchnu.exe	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

pwpxndkmchnu.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings pwpxndkmchnu.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

736 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	pwpxndkmchnu.exe

pid	process
736	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pwpxndkmchnu.exe

pid	process
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe
3744	pwpxndkmchnu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1296 msedge.exe
1296 msedge.exe
1296 msedge.exe
1296 msedge.exe
1296 msedge.exe
1296 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exepwpxndkmchnu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
Token: SeDebugPrivilege	3744	pwpxndkmchnu.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe
Token: 35	3000	WMIC.exe
Token: 36	3000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe
Token: 35	3000	WMIC.exe
Token: 36	3000	WMIC.exe
Token: SeBackupPrivilege	4384	vssvc.exe
Token: SeRestorePrivilege	4384	vssvc.exe
Token: SeAuditPrivilege	4384	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1976	WMIC.exe
Token: SeSecurityPrivilege	1976	WMIC.exe
Token: SeTakeOwnershipPrivilege	1976	WMIC.exe
Token: SeLoadDriverPrivilege	1976	WMIC.exe
Token: SeSystemProfilePrivilege	1976	WMIC.exe
Token: SeSystemtimePrivilege	1976	WMIC.exe
Token: SeProfSingleProcessPrivilege	1976	WMIC.exe
Token: SeIncBasePriorityPrivilege	1976	WMIC.exe
Token: SeCreatePagefilePrivilege	1976	WMIC.exe
Token: SeBackupPrivilege	1976	WMIC.exe
Token: SeRestorePrivilege	1976	WMIC.exe
Token: SeShutdownPrivilege	1976	WMIC.exe
Token: SeDebugPrivilege	1976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1976	WMIC.exe
Token: SeRemoteShutdownPrivilege	1976	WMIC.exe
Token: SeUndockPrivilege	1976	WMIC.exe
Token: SeManageVolumePrivilege	1976	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exepwpxndkmchnu.exemsedge.exe

description	pid	process	target process
PID 4112 wrote to memory of 3744	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	pwpxndkmchnu.exe
PID 4112 wrote to memory of 3744	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	pwpxndkmchnu.exe
PID 4112 wrote to memory of 3744	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	pwpxndkmchnu.exe
PID 4112 wrote to memory of 2752	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 4112 wrote to memory of 2752	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 4112 wrote to memory of 2752	4112	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 3744 wrote to memory of 3000	3744	pwpxndkmchnu.exe	WMIC.exe
PID 3744 wrote to memory of 3000	3744	pwpxndkmchnu.exe	WMIC.exe
PID 3744 wrote to memory of 736	3744	pwpxndkmchnu.exe	NOTEPAD.EXE
PID 3744 wrote to memory of 736	3744	pwpxndkmchnu.exe	NOTEPAD.EXE
PID 3744 wrote to memory of 736	3744	pwpxndkmchnu.exe	NOTEPAD.EXE
PID 3744 wrote to memory of 1296	3744	pwpxndkmchnu.exe	msedge.exe
PID 3744 wrote to memory of 1296	3744	pwpxndkmchnu.exe	msedge.exe
PID 1296 wrote to memory of 1616	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 1616	1296	msedge.exe	msedge.exe
PID 3744 wrote to memory of 1976	3744	pwpxndkmchnu.exe	WMIC.exe
PID 3744 wrote to memory of 1976	3744	pwpxndkmchnu.exe	WMIC.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4536	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3308	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3308	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3964	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3964	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3964	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3964	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 3964	1296	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

pwpxndkmchnu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pwpxndkmchnu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pwpxndkmchnu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_6e1521accd328e43641c8c71ebbde64c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\pwpxndkmchnu.exe
  C:\Windows\pwpxndkmchnu.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3744
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadb9246f8,0x7ffadb924708,0x7ffadb924718
      4⤵
      PID:1616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
      4⤵
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      PID:3308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:4024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:4668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
      4⤵
      PID:2216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11990964270176981877,12608918039030460906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:3488
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PWPXND~1.EXE
    3⤵
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECOVERY_+tkbtj.html

Filesize
11KB

MD5
2e2c3f6511ab6dc0a640be06db111894

SHA1
c4a606468d24479d408bdc5d490cefed36ba8d23

SHA256
f79e5c955a28634b8fc951ece0f39c3557de7f2987b68f086c38310c4fb310de

SHA512
dda9a40ed061bc89dca6ec85810cfbe618514ca857874e50c6dd8ba06abb63def7e421e9d142a2815b68b61a054725913df8e8693e6cc9a8b3be78fa63bc6c0c

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+tkbtj.png

Filesize
61KB

MD5
c6d087d6d72150d031a698515e96c07d

SHA1
a8c6ac7045a04e8826a1b38de262b2303ed584fe

SHA256
7943bd4f9c6d4e10e1982d4d151ca7d4f818a7fb3a0df557801d9caefa5bb133

SHA512
12a8f835cecd5ff7accb434de6e96ac8b361e7c5d68551aea0c909a82027c9517e8864eac9aa8c342000ca3a8702b8e0e6ae058e5770eb254354ef9e1cd53245

Download Submit
C:\Program Files\7-Zip\Lang\_RECOVERY_+tkbtj.txt

Filesize
1KB

MD5
5e56c5fc6d9e17446b7de7e53ca80028

SHA1
78112b5fd9fdbeb789d70d16ab4f58ff60066f48

SHA256
1362ba6e3d2e31a5be2482019d0bf889631a988c730f6565254d98b1236a2327

SHA512
9b4e78482dec361ecd7e3ea8fb389122c3861c64316d1387e5b3ff06095efa1f135109173193cedacba70f5c69752f66cce0098f4c0aaeac37711db10db30119

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
1d752ca3331984f09e9ab2bda4ec4061

SHA1
0cd9ad42111b2b81b64e906e3e857af16a285488

SHA256
cb4fd26086994bc8bf77f4eb392fe500ac6e2f861955775b224ccd550df1993c

SHA512
322cdeacad6a1c3f55fc33996dc6aefb7460b55f967fd9c9ecd8fca3ab63f6bd2dd043b2d0ac77201e149f3fb4630e91d3cdf860c2521625f2a247e5da2b037a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
1745b46f03794ab18a578d1d999fdf38

SHA1
8ce4c8927c3e3b68c5f32ae075a17ab60c4bf45a

SHA256
22f9c7a61bc3dc6957eeb0cfa1bfbdf437e4c473afb492c52c20267dd4ebd673

SHA512
17bf436d710dda9f6c1e32caa9da1582d81c661d02dcf4f22a06df618d6b78573a01b465661fdc5212d6cb2be3d7fa345ab589bb831b6801dda650007dd5398f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
2e3592372e323657dd008c1d84d72933

SHA1
551f0ee87ebdcbaadbdf708fff6917a52c3db74b

SHA256
fbd8a101453c0c58888529a587a985c04459d34a7d49bb66ba6e96294dc85c25

SHA512
63f24b1df6c2ee96197084a4a82a72816c9dd1df76d9c024d3cf364357b8e5263e0c98b7309169d362a94caf9f06db2f01abc397823c858b83300a949dd19d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3cc063711bdf6450ed294da8b33a2142

SHA1
fa6fda57d331dc5ff5b737777b3f396bd76c888d

SHA256
7354fa65e25218e90380706b0ca7c1073ce6a647a444520b4bf98519dc69ccfa

SHA512
351ec6267df55fd097efb0377c667b75aa98879726b9c95b1ca9af4df6ba969ce7208d01ea34e1495db5e71738139d18bd14f283709029bc0bd1f0c28ce579cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b3995299cb80fefcd7ad10dacb6d35b

SHA1
18c667a94f7b7e15268dfd5ffa91710dc76e398f

SHA256
066210aefa9b9b87f2843fbd0c3e8e0399a964d3b272b92cc560ed8512979185

SHA512
f9cbb39d29025c4d3f6b8ada29623073d21e294c135f9d2902f6f8ecd3d91e887f20ec346f1fd22d16e472088938682b09d43888b28139a76840ff61ad7dbb2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e1d9311f1812f56494623daf43a2cc6b

SHA1
5b345f2bba81e4e4d3853270b127da04027ff438

SHA256
094ad8d030ae0739555e5525d4bd0f03554eaac6cc97181adb9078b40f3f37a0

SHA512
12d4dae5e3f287c2746df6e459e0195a24aecaef5f535ab9ebd5ded4b7543a64cffb9de1b1387ab9450e273a781614ac02653527d82da690f1b10be6b6c0a788

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586137639956233.txt

Filesize
75KB

MD5
d0ffce9154ff9fcb8e727aa7932d5848

SHA1
24cb8c81833cda46901a7ce3654244de6800897f

SHA256
beb83c369eb688a9c8df66e216d11d971f645f3a599f312b82c7c781e658449f

SHA512
deda53d86a7b1796a32745907a692e207325925fd2d0ed35f012af7d0a268d06a80afaf5047ac3e3ad102bb69948decd1a89c22bfbfbc085b61de4b427f1664a

Download Submit
C:\Windows\pwpxndkmchnu.exe

Filesize
360KB

MD5
6e1521accd328e43641c8c71ebbde64c

SHA1
7a82cfbb067c0b189dc1fa10e916fe763a5e8356

SHA256
65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61

SHA512
827cc80559b04443904fdee9aea46ef7bc22dc28f89369b83a9508a9b54de7d30b627c71740f6a8ac9f89f49d9a614dc3fa84bad57d9fbb934b4e00ced60e4e2

Download Submit
\??\pipe\LOCAL\crashpad_1296_ISTQITUIVNAJQKFI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3744-1936-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3744-10095-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3744-10355-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3744-7026-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3744-4245-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3744-14-0x0000000002140000-0x00000000021C5000-memory.dmp

Filesize
532KB

Download
memory/3744-10417-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3744-10423-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4112-1-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4112-0-0x0000000000A90000-0x0000000000B15000-memory.dmp

Filesize
532KB

Download
memory/4112-9-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4112-10-0x0000000000A90000-0x0000000000B15000-memory.dmp

Filesize
532KB

Download