teslacrypt | 43c2e02552224325d2794aa77736bc2ceec565144dc0bb2c07ccdfbfb85f52c2

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6d3919774e2c47108f89572ac4edfd36.exe
Size

368KB
MD5

6d3919774e2c47108f89572ac4edfd36
SHA1

b8906a6ce0db3a312b48eb683210193fe1c79797
SHA256

43c2e02552224325d2794aa77736bc2ceec565144dc0bb2c07ccdfbfb85f52c2
SHA512

406dcc50c2cd9c2815db796d63e6d50d0c244fdabfd1f9b6c05e9090a45abe1adeca6ab889982f4b28bba3fcad05f1b6bddb0b75d90cfd05f63c57c8da11051c
SSDEEP

6144:Vdp8rEHy/RucZDj7tR49k1dMflnnnl8nq5sIDc9IQ4rmSfZd+nDKuNAvwu:Vd+Ky/RucZT6uYnnnl8q2IDc9IQ4rjm4

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+kkomk.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/F178ACF58528737C 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F178ACF58528737C 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F178ACF58528737C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/F178ACF58528737C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/F178ACF58528737C http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F178ACF58528737C http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F178ACF58528737C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F178ACF58528737C

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/F178ACF58528737C

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F178ACF58528737C

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F178ACF58528737C

http://xlowfznrg4wf7dli.ONION/F178ACF58528737C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_6d3919774e2c47108f89572ac4edfd36.exekbtjvfaywlpo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	kbtjvfaywlpo.exe

Drops startup file 6 IoCs

Processes:

kbtjvfaywlpo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe

Executes dropped EXE 1 IoCs

Processes:

kbtjvfaywlpo.exe

pid process

1720 kbtjvfaywlpo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kbtjvfaywlpo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csxoekiakvxs = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\kbtjvfaywlpo.exe\""	kbtjvfaywlpo.exe

Drops file in Program Files directory 64 IoCs

Processes:

kbtjvfaywlpo.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-200.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-125.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-100.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-100.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-125.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-250.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\MobileUpsellImage-dark.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker31.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40_altform-unplated.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ArchiveToastQuickAction.scale-80.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_contrast-black.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-white.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-400.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-LTR.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_CarReservation_Light.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-100.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Shadow.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircle.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-30_contrast-black.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-100.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\_RECoVERY_+kkomk.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+kkomk.txt	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\_RECoVERY_+kkomk.html	kbtjvfaywlpo.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	kbtjvfaywlpo.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_6d3919774e2c47108f89572ac4edfd36.exe

description	ioc	process
File created	C:\Windows\kbtjvfaywlpo.exe	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe
File opened for modification	C:\Windows\kbtjvfaywlpo.exe	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

kbtjvfaywlpo.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings kbtjvfaywlpo.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

408 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	kbtjvfaywlpo.exe

pid	process
408	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kbtjvfaywlpo.exe

pid	process
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe
1720	kbtjvfaywlpo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

620 msedge.exe
620 msedge.exe
620 msedge.exe
620 msedge.exe
620 msedge.exe
620 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_6d3919774e2c47108f89572ac4edfd36.exekbtjvfaywlpo.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe
Token: SeDebugPrivilege	1720	kbtjvfaywlpo.exe
Token: SeIncreaseQuotaPrivilege	4964	WMIC.exe
Token: SeSecurityPrivilege	4964	WMIC.exe
Token: SeTakeOwnershipPrivilege	4964	WMIC.exe
Token: SeLoadDriverPrivilege	4964	WMIC.exe
Token: SeSystemProfilePrivilege	4964	WMIC.exe
Token: SeSystemtimePrivilege	4964	WMIC.exe
Token: SeProfSingleProcessPrivilege	4964	WMIC.exe
Token: SeIncBasePriorityPrivilege	4964	WMIC.exe
Token: SeCreatePagefilePrivilege	4964	WMIC.exe
Token: SeBackupPrivilege	4964	WMIC.exe
Token: SeRestorePrivilege	4964	WMIC.exe
Token: SeShutdownPrivilege	4964	WMIC.exe
Token: SeDebugPrivilege	4964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4964	WMIC.exe
Token: SeRemoteShutdownPrivilege	4964	WMIC.exe
Token: SeUndockPrivilege	4964	WMIC.exe
Token: SeManageVolumePrivilege	4964	WMIC.exe
Token: 33	4964	WMIC.exe
Token: 34	4964	WMIC.exe
Token: 35	4964	WMIC.exe
Token: 36	4964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4964	WMIC.exe
Token: SeSecurityPrivilege	4964	WMIC.exe
Token: SeTakeOwnershipPrivilege	4964	WMIC.exe
Token: SeLoadDriverPrivilege	4964	WMIC.exe
Token: SeSystemProfilePrivilege	4964	WMIC.exe
Token: SeSystemtimePrivilege	4964	WMIC.exe
Token: SeProfSingleProcessPrivilege	4964	WMIC.exe
Token: SeIncBasePriorityPrivilege	4964	WMIC.exe
Token: SeCreatePagefilePrivilege	4964	WMIC.exe
Token: SeBackupPrivilege	4964	WMIC.exe
Token: SeRestorePrivilege	4964	WMIC.exe
Token: SeShutdownPrivilege	4964	WMIC.exe
Token: SeDebugPrivilege	4964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4964	WMIC.exe
Token: SeRemoteShutdownPrivilege	4964	WMIC.exe
Token: SeUndockPrivilege	4964	WMIC.exe
Token: SeManageVolumePrivilege	4964	WMIC.exe
Token: 33	4964	WMIC.exe
Token: 34	4964	WMIC.exe
Token: 35	4964	WMIC.exe
Token: 36	4964	WMIC.exe
Token: SeBackupPrivilege	1956	vssvc.exe
Token: SeRestorePrivilege	1956	vssvc.exe
Token: SeAuditPrivilege	1956	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3576	WMIC.exe
Token: SeSecurityPrivilege	3576	WMIC.exe
Token: SeTakeOwnershipPrivilege	3576	WMIC.exe
Token: SeLoadDriverPrivilege	3576	WMIC.exe
Token: SeSystemProfilePrivilege	3576	WMIC.exe
Token: SeSystemtimePrivilege	3576	WMIC.exe
Token: SeProfSingleProcessPrivilege	3576	WMIC.exe
Token: SeIncBasePriorityPrivilege	3576	WMIC.exe
Token: SeCreatePagefilePrivilege	3576	WMIC.exe
Token: SeBackupPrivilege	3576	WMIC.exe
Token: SeRestorePrivilege	3576	WMIC.exe
Token: SeShutdownPrivilege	3576	WMIC.exe
Token: SeDebugPrivilege	3576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3576	WMIC.exe
Token: SeRemoteShutdownPrivilege	3576	WMIC.exe
Token: SeUndockPrivilege	3576	WMIC.exe
Token: SeManageVolumePrivilege	3576	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_6d3919774e2c47108f89572ac4edfd36.exekbtjvfaywlpo.exemsedge.exe

description	pid	process	target process
PID 2540 wrote to memory of 1720	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe	kbtjvfaywlpo.exe
PID 2540 wrote to memory of 1720	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe	kbtjvfaywlpo.exe
PID 2540 wrote to memory of 1720	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe	kbtjvfaywlpo.exe
PID 2540 wrote to memory of 2524	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe	cmd.exe
PID 2540 wrote to memory of 2524	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe	cmd.exe
PID 2540 wrote to memory of 2524	2540	VirusShare_6d3919774e2c47108f89572ac4edfd36.exe	cmd.exe
PID 1720 wrote to memory of 4964	1720	kbtjvfaywlpo.exe	WMIC.exe
PID 1720 wrote to memory of 4964	1720	kbtjvfaywlpo.exe	WMIC.exe
PID 1720 wrote to memory of 408	1720	kbtjvfaywlpo.exe	NOTEPAD.EXE
PID 1720 wrote to memory of 408	1720	kbtjvfaywlpo.exe	NOTEPAD.EXE
PID 1720 wrote to memory of 408	1720	kbtjvfaywlpo.exe	NOTEPAD.EXE
PID 1720 wrote to memory of 620	1720	kbtjvfaywlpo.exe	msedge.exe
PID 1720 wrote to memory of 620	1720	kbtjvfaywlpo.exe	msedge.exe
PID 620 wrote to memory of 1448	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 1448	620	msedge.exe	msedge.exe
PID 1720 wrote to memory of 3576	1720	kbtjvfaywlpo.exe	WMIC.exe
PID 1720 wrote to memory of 3576	1720	kbtjvfaywlpo.exe	WMIC.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 3788	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 1060	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 1060	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 2580	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 2580	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 2580	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 2580	620	msedge.exe	msedge.exe
PID 620 wrote to memory of 2580	620	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

kbtjvfaywlpo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kbtjvfaywlpo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	kbtjvfaywlpo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_6d3919774e2c47108f89572ac4edfd36.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_6d3919774e2c47108f89572ac4edfd36.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\kbtjvfaywlpo.exe
  C:\Windows\kbtjvfaywlpo.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1720
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9c9546f8,0x7ffb9c954708,0x7ffb9c954718
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
      4⤵
      PID:3788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      PID:1060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      4⤵
      PID:2580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
      4⤵
      PID:3424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      PID:1156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
      4⤵
      PID:3296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:2112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,2102642854655450527,1474193673454169112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:840
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KBTJVF~1.EXE
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+kkomk.html

Filesize
9KB

MD5
9a613ce7636d21ff965c6eb02f94a157

SHA1
70c6e765e5bbefd6ddd5ee55ddd43ce9c2326659

SHA256
dc8f9324da7db1a10e51c9d5bb2864d04fb5b8bd8a97dd20d621342bfae3a861

SHA512
1ae571bd3a4c2a23a132fd1f343d8d2d6b9c3c25c619f1b7950a0b28fbea700146d25e3500c9c79ae9afbd258bf91aad1dd536f29ad2e61dabac49a93373864c

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+kkomk.png

Filesize
63KB

MD5
0b1c410699a20f2cbda9c5dff000240e

SHA1
7a0d3ddee7b391c3c8c0c869d1bd05da1defb74e

SHA256
880b28b6989bf3c1ad95c46918da34d80db01e3bc03dccf69e38a01c19c0eb25

SHA512
577f6196414dd8a7f78c35051483ec5ac6b77220242e7b5c8abca444c9b26170b1a137d2d3d686d06a6c0c27fec7ba9087f05b2037222d9cfd57da7179f6daa4

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+kkomk.txt

Filesize
1KB

MD5
fd18ef719074bebf6a21361fa8965c3c

SHA1
437dd80f55d5f1356f63fb99ab9cfcd53ca09558

SHA256
9a864e2cb26a0e49ccf55dc36b5764f086b583b61f567f6cb0a4882c7c473586

SHA512
8b5845fdd91164632e8009ff65399232efa639319d7a76505ceab8acd8a8f204efc2ef3dac47b449638586481dc13a780390c519bf5ce40d5b8f2109c1cdbd41

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
21e6c47e01f55ce5df969831163b11e0

SHA1
7b92f972a4af76fb62ba82941c4f4ccf357f758b

SHA256
79cbde537624f3b87c60770e141215679d5b915dd893b76504517d5f5321e096

SHA512
72307e3e21ac3a2ceefc7c681ec28609b5ce6e50af3281c5c13a01397270e651a1d867f25e372ce91ccdc3be2e4d182b63ed0dab55e52695ebddcfb0dba54c47

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
ca011fb6ab02847ac0b9185f49426f83

SHA1
41234ab34b00fe9ca701ebaedf6695d5a884e589

SHA256
077ac4ba1bc3e4a73e6a4d75bfc7b249f8e91806e64ff7c7aadbbcaa7c39a149

SHA512
a6404fac17aefc812389d2c3e430d795977531d7bc64ce02e2b2c2eba55f4d29b6d0cee4cfe1b522fd0148115ced8485b978e8bc50d0e3a36f0bced0d3a04e1f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7b61d7f2a86ea84e46869f8cc11a8cab

SHA1
3592bd14d38e6f0c008ef79a044468e59719d0bf

SHA256
849be94ad392e4c14350578cc46541341b8c3e9e0ec9bc5c93adb397cb9234a9

SHA512
5351380b0a00e42a71ccfc9f3ab18e5b986b9d6d949f2638dc52326642fa27d100017d51ad12ab8a7d1a5c7976df7c3522a0ac7b7b096fca2c0509877ea595f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\08ba7ce9-ce08-4a68-aad0-12492fe4598b.tmp

Filesize
6KB

MD5
118c97b5c7f5bf8bd26a77538943ed12

SHA1
507437f4397e35d886467b42f7a3959e2f3b7bc9

SHA256
8f56ea7c2c6ee15ff0f162dceb204d9f28bc957686b1589982c1f54a609e8811

SHA512
c6ca4c2db03cdc2ee32f1cee636c5771ca62efe7581c4a8a832a1ba945cb99b5a4b5890506aa09dce58c161dce8ffb7c7ad99f76fd20dd0d69594ba5d951e689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16eaa31da1d6ee7056b01b1e721710dc

SHA1
1d42303a2db626e8c353a5e0b20cb0aeec981169

SHA256
8a5a8a846f007da2993020d2b5799506a21ac9102db351766a05fb57f3557540

SHA512
cc3f1764af221547420182808ce8cf23341d6fa7c15f0e57005c18fd967ea1416139a76181eae6e5159c31d15ceb95dd3b94a1277bd85a9976b45ed8f147df52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a2d380ebbb927e83c375d7976f6d368

SHA1
13a8ad22350e649fdfe4f64149376ddbb3494379

SHA256
2d35b111d271de9102f7af9c52c2f5d305e5db7b235e1c598add0a4880e003d3

SHA512
28381a3cffb0214399a5b42e612d67beebce3cc451010066765e19c1fa5687284da89b4d43010fba4f3e487f0b84e3a1ec31d67e9470ddfeac5d709660af8fc3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586120609615741.txt

Filesize
75KB

MD5
660cda4778d2a8456b8a007b70bfe93c

SHA1
fe0a4b00361240147cc10c8600d2c039b59ff386

SHA256
83072ea109d303392f5f30b55e02148803b9f3cc7d8d9ce398ccb9955bb48367

SHA512
ea7114d715f52e6cab2f0eb1b8effb7eb081b8e4f2a4ae140afedd8e3f5631f76b1a20b3e05d881e8523be86acd947099eeeeb6eafe3126b2775523d1f22fb67

Download Submit
C:\Windows\kbtjvfaywlpo.exe

Filesize
368KB

MD5
6d3919774e2c47108f89572ac4edfd36

SHA1
b8906a6ce0db3a312b48eb683210193fe1c79797

SHA256
43c2e02552224325d2794aa77736bc2ceec565144dc0bb2c07ccdfbfb85f52c2

SHA512
406dcc50c2cd9c2815db796d63e6d50d0c244fdabfd1f9b6c05e9090a45abe1adeca6ab889982f4b28bba3fcad05f1b6bddb0b75d90cfd05f63c57c8da11051c

Download Submit
\??\pipe\LOCAL\crashpad_620_LRKBRWTATFIKIHDC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1720-2013-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-7133-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-9763-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-10392-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-5059-0x00000000021D0000-0x0000000002256000-memory.dmp

Filesize
536KB

Download
memory/1720-4390-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-10438-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1720-12-0x00000000021D0000-0x0000000002256000-memory.dmp

Filesize
536KB

Download
memory/2540-3-0x0000000002250000-0x00000000022D6000-memory.dmp

Filesize
536KB

Download
memory/2540-14-0x0000000002250000-0x00000000022D6000-memory.dmp

Filesize
536KB

Download
memory/2540-13-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2540-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download