teslacrypt | f8ca5b6292d40161f56b244b642279e216cbb5aa55fec58c40ec8113b01db710

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe
Size

424KB
MD5

91330d07fcc97e162180ba8126bfc7ee
SHA1

97aa11b5eeebf25a068f6fa431543b1547285fa0
SHA256

f8ca5b6292d40161f56b244b642279e216cbb5aa55fec58c40ec8113b01db710
SHA512

3b1d559771580365e71b49ea91ebbfc4dced753087b7c70a7a706b16bde4b17dd38f5a2dbe33000df4dfa0a3cdcdebb336e6551ad089bb196efd964eee06522c
SSDEEP

12288:oj6qMoki2//HuarKqen05/QexvmBG3zbblCJxfS6:ojPQ/HdQoq2fOR1

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+jndgx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6FD458B44519C852 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6FD458B44519C852 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6FD458B44519C852 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6FD458B44519C852 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6FD458B44519C852 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6FD458B44519C852 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6FD458B44519C852 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6FD458B44519C852

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6FD458B44519C852

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6FD458B44519C852

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6FD458B44519C852

http://xlowfznrg4wf7dli.ONION/6FD458B44519C852

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

owlbkbjvfayw.exeVirusShare_91330d07fcc97e162180ba8126bfc7ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	owlbkbjvfayw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe

Drops startup file 6 IoCs

Processes:

owlbkbjvfayw.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe

Executes dropped EXE 1 IoCs

Processes:

owlbkbjvfayw.exe

pid process

3432 owlbkbjvfayw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

owlbkbjvfayw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tsertwwiuyep = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\owlbkbjvfayw.exe\""	owlbkbjvfayw.exe

Drops file in Program Files directory 64 IoCs

Processes:

owlbkbjvfayw.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\View3d\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-125_contrast-black.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\MobileUpsellImage-dark.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-200.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-100.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-100.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-256.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-100.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-black.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\Square150x150Logo.scale-125.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-100.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-high.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-lightunplated.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-white.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v2.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-100.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Windows Media Player\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_RECoVERY_+jndgx.html	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-125.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-white.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-colorize.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-125.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-unplated_contrast-white.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\_RECoVERY_+jndgx.txt	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-black.png	owlbkbjvfayw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\_RECoVERY_+jndgx.png	owlbkbjvfayw.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe

description	ioc	process
File created	C:\Windows\owlbkbjvfayw.exe	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe
File opened for modification	C:\Windows\owlbkbjvfayw.exe	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

owlbkbjvfayw.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings owlbkbjvfayw.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2984 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	owlbkbjvfayw.exe

pid	process
2984	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

owlbkbjvfayw.exe

pid	process
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe
3432	owlbkbjvfayw.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

5100 msedge.exe
5100 msedge.exe
5100 msedge.exe
5100 msedge.exe
5100 msedge.exe
5100 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_91330d07fcc97e162180ba8126bfc7ee.exeowlbkbjvfayw.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe
Token: SeDebugPrivilege	3432	owlbkbjvfayw.exe
Token: SeIncreaseQuotaPrivilege	4888	WMIC.exe
Token: SeSecurityPrivilege	4888	WMIC.exe
Token: SeTakeOwnershipPrivilege	4888	WMIC.exe
Token: SeLoadDriverPrivilege	4888	WMIC.exe
Token: SeSystemProfilePrivilege	4888	WMIC.exe
Token: SeSystemtimePrivilege	4888	WMIC.exe
Token: SeProfSingleProcessPrivilege	4888	WMIC.exe
Token: SeIncBasePriorityPrivilege	4888	WMIC.exe
Token: SeCreatePagefilePrivilege	4888	WMIC.exe
Token: SeBackupPrivilege	4888	WMIC.exe
Token: SeRestorePrivilege	4888	WMIC.exe
Token: SeShutdownPrivilege	4888	WMIC.exe
Token: SeDebugPrivilege	4888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4888	WMIC.exe
Token: SeRemoteShutdownPrivilege	4888	WMIC.exe
Token: SeUndockPrivilege	4888	WMIC.exe
Token: SeManageVolumePrivilege	4888	WMIC.exe
Token: 33	4888	WMIC.exe
Token: 34	4888	WMIC.exe
Token: 35	4888	WMIC.exe
Token: 36	4888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4888	WMIC.exe
Token: SeSecurityPrivilege	4888	WMIC.exe
Token: SeTakeOwnershipPrivilege	4888	WMIC.exe
Token: SeLoadDriverPrivilege	4888	WMIC.exe
Token: SeSystemProfilePrivilege	4888	WMIC.exe
Token: SeSystemtimePrivilege	4888	WMIC.exe
Token: SeProfSingleProcessPrivilege	4888	WMIC.exe
Token: SeIncBasePriorityPrivilege	4888	WMIC.exe
Token: SeCreatePagefilePrivilege	4888	WMIC.exe
Token: SeBackupPrivilege	4888	WMIC.exe
Token: SeRestorePrivilege	4888	WMIC.exe
Token: SeShutdownPrivilege	4888	WMIC.exe
Token: SeDebugPrivilege	4888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4888	WMIC.exe
Token: SeRemoteShutdownPrivilege	4888	WMIC.exe
Token: SeUndockPrivilege	4888	WMIC.exe
Token: SeManageVolumePrivilege	4888	WMIC.exe
Token: 33	4888	WMIC.exe
Token: 34	4888	WMIC.exe
Token: 35	4888	WMIC.exe
Token: 36	4888	WMIC.exe
Token: SeBackupPrivilege	4500	vssvc.exe
Token: SeRestorePrivilege	4500	vssvc.exe
Token: SeAuditPrivilege	4500	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4904	WMIC.exe
Token: SeSecurityPrivilege	4904	WMIC.exe
Token: SeTakeOwnershipPrivilege	4904	WMIC.exe
Token: SeLoadDriverPrivilege	4904	WMIC.exe
Token: SeSystemProfilePrivilege	4904	WMIC.exe
Token: SeSystemtimePrivilege	4904	WMIC.exe
Token: SeProfSingleProcessPrivilege	4904	WMIC.exe
Token: SeIncBasePriorityPrivilege	4904	WMIC.exe
Token: SeCreatePagefilePrivilege	4904	WMIC.exe
Token: SeBackupPrivilege	4904	WMIC.exe
Token: SeRestorePrivilege	4904	WMIC.exe
Token: SeShutdownPrivilege	4904	WMIC.exe
Token: SeDebugPrivilege	4904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4904	WMIC.exe
Token: SeRemoteShutdownPrivilege	4904	WMIC.exe
Token: SeUndockPrivilege	4904	WMIC.exe
Token: SeManageVolumePrivilege	4904	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_91330d07fcc97e162180ba8126bfc7ee.exeowlbkbjvfayw.exemsedge.exe

description	pid	process	target process
PID 4680 wrote to memory of 3432	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe	owlbkbjvfayw.exe
PID 4680 wrote to memory of 3432	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe	owlbkbjvfayw.exe
PID 4680 wrote to memory of 3432	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe	owlbkbjvfayw.exe
PID 4680 wrote to memory of 1036	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe	cmd.exe
PID 4680 wrote to memory of 1036	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe	cmd.exe
PID 4680 wrote to memory of 1036	4680	VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe	cmd.exe
PID 3432 wrote to memory of 4888	3432	owlbkbjvfayw.exe	WMIC.exe
PID 3432 wrote to memory of 4888	3432	owlbkbjvfayw.exe	WMIC.exe
PID 3432 wrote to memory of 2984	3432	owlbkbjvfayw.exe	NOTEPAD.EXE
PID 3432 wrote to memory of 2984	3432	owlbkbjvfayw.exe	NOTEPAD.EXE
PID 3432 wrote to memory of 2984	3432	owlbkbjvfayw.exe	NOTEPAD.EXE
PID 3432 wrote to memory of 5100	3432	owlbkbjvfayw.exe	msedge.exe
PID 3432 wrote to memory of 5100	3432	owlbkbjvfayw.exe	msedge.exe
PID 5100 wrote to memory of 1392	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 1392	5100	msedge.exe	msedge.exe
PID 3432 wrote to memory of 4904	3432	owlbkbjvfayw.exe	WMIC.exe
PID 3432 wrote to memory of 4904	3432	owlbkbjvfayw.exe	WMIC.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4972	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4660	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 4660	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 5076	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 5076	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 5076	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 5076	5100	msedge.exe	msedge.exe
PID 5100 wrote to memory of 5076	5100	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

owlbkbjvfayw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	owlbkbjvfayw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	owlbkbjvfayw.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_91330d07fcc97e162180ba8126bfc7ee.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\owlbkbjvfayw.exe
  C:\Windows\owlbkbjvfayw.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3432
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc676a46f8,0x7ffc676a4708,0x7ffc676a4718
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      PID:4972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:2292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:4680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:3640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
      4⤵
      PID:2452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:4264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,999604554949570565,15006646983700788239,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:3280
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OWLBKB~1.EXE
    3⤵
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:1036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+jndgx.html

Filesize
8KB

MD5
dc2d6a8fffda198a46a679fe3091781a

SHA1
245504301698e3d9611f79a479d801a1257c689c

SHA256
aedd6c6ef03902b843b8dc8926e2238a721a468c1472bd0d292b683a389b993b

SHA512
fca18b6dcfe8f4cda89ba5c553e851691216ffaf606adba8f1d0d6b18a107ff46cb9b9426fbad7e4d0dcc27540b67820f68b7b2470d3b413e6662dada53348fc

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+jndgx.png

Filesize
66KB

MD5
ba1964356b37c8ad28172eb109a2b855

SHA1
1cee117aaaacd41153ddba944c6408a1acc2da3a

SHA256
2391d9c32e082dfe233009b53f8558dc12c5c398377b091ce7cba01c0b090959

SHA512
ec27f89d24a0a45c2b7cb0856165c9889a2de646197d6d844f9a05d65ee93df9fd496503d3d7cbe09f5a102ee225ca4b09496d2c0406ee16d554369e8c3c6e6e

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+jndgx.txt

Filesize
1KB

MD5
2631d8f9695deb59e7233766d4651c84

SHA1
3d61ee852de897309f767ecca414debdf9db7cd1

SHA256
cfb7d518406f640f92b14499f1e2854124ed8286713e6b5937c2e644f40f86ba

SHA512
49459d978f640b764ee94a636b86f0c3903b227a10aa32d1a5e718af2185161f97d299ebfaf9f773f79f5525c45eb44fef236937661274cb0f24b378b013e39c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8fd7883882b39aeff116808b2e88ce72

SHA1
50420fcab382e1d363f5dd6ca4ce3f3fdd971018

SHA256
839eefd54b31f412bb05cb7a7aa79dce2a5481a2b7041d877b8ce433ba81c6e0

SHA512
c63d0ee3359afa48f27d63d938055429d69addd9419f900b1cc43a99c50f2831245b99fea4e541d2ed8239159deacbff97fc06712ffce13ae5de6f10d378233e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
fdcd85337adef4a10542dfded62f2b69

SHA1
f5c41aa41a7479746ef65e14af3b33c574aefaa8

SHA256
f6cfcc27460933b9a7360f08a57b42937e23b68ec8c0e3ba99f48113ea71344d

SHA512
ecd440abb71fef20445015db833bd96567862aa812f99e0639e9b905fd43a89996bce4aa16de091a0bbeac29b6420d9d65db1997e3b931eb660dad252ab9c105

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
cf05a6806b688525cfc58ca82710f45f

SHA1
9ff356dde538742e7d16a6dd4533b908ebd0b264

SHA256
94ce481fc14bd99b24c65ae48f407208d3abaa45dd224f6a061f113b67960d27

SHA512
8381ff371ad3966a1900e5ddf9b1a4bbc8e5e7531015f8510cf2ddc72fcc6d1709413e9ba1e2177bea58332cf9602b88bf9feacf16e64ebf9160eae3b8648a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b06943af994cfa3084dfe44295ce6c08

SHA1
fdc08d2573293ec7b12873cf23fb9828f76a5c7e

SHA256
4b39568d933e13bfbe3a1a470462f5f2ae50cdd117010f673fed7b453dab0cdf

SHA512
3d0ca8590235b4f61a5c6fcd0b5cdefab3fe6356979e12a5fb296ca00b9382b23907c3e5e8a2b29581f3f3d67f2b25e008b924ac33a57cd9d2b506aa09d35372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb18b77d14a682dedd70e10ed2c09c60

SHA1
d926d4aadf02dbaac4b40f0f5bf819f680d3b833

SHA256
2cfcbaf28f6e80ead44115d14595fc3beab8d6b333fd068629e6a541875746cb

SHA512
47960e75633c2535e717508cef4397af140d9a7a10b81683a6e9d99da4933fd266249d42940a28c779e9f743a00a6351940ffad1f4d596b3eb8b577676e9c475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
391b4a41c7a8b375bc8605be70a693c4

SHA1
478f72ca4e4518399b93fde865109bda43a33661

SHA256
f732379337dd0dce51cea384a5a10195acb505eca82af25a68262214fcead132

SHA512
ad66c727a5a13f7e4317ff454840926f55cacba5f597a33105480a7dd025a76d2fef90f2cd3d68496d3cd0b2ace83cf2bea75e0a94c43dc2233ea1e8a2be8ccd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380890952339.txt

Filesize
47KB

MD5
850affaeef0418cecedd830d1a2ff66f

SHA1
ac5100dce50f6144bd953963187fd3ab225d0374

SHA256
212ab1836b7cc71e50720c1d51a1ef27b1ce4a0d58219d4564c8a8f1920d1219

SHA512
53a007e917570383f163c2cc46511dbb8a013b756b7fdbef2d89ec59419cbf6bae3145ae9140ae554fb336c9f3fdc6bde91f74a0d3afaa1651d71b41c234224f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596424345938675.txt

Filesize
75KB

MD5
78c7c8123052306581f63bc5b063e623

SHA1
ff80603d6227e80d024c5e0f25f0e8a7d03b56de

SHA256
15df51e5103fdb84060b12c9580c0e3d82fe7210ad7a3ffc317f1ba84f15f657

SHA512
7165740e389cd0586e13f6ba8c04550cae6aaf0eb2af219312579dfdde2680d4c603787e7ba0a09a508e27a2c8307bb462b864839eb95c01532e3bccedfaa083

Download Submit
C:\Windows\owlbkbjvfayw.exe

Filesize
424KB

MD5
91330d07fcc97e162180ba8126bfc7ee

SHA1
97aa11b5eeebf25a068f6fa431543b1547285fa0

SHA256
f8ca5b6292d40161f56b244b642279e216cbb5aa55fec58c40ec8113b01db710

SHA512
3b1d559771580365e71b49ea91ebbfc4dced753087b7c70a7a706b16bde4b17dd38f5a2dbe33000df4dfa0a3cdcdebb336e6551ad089bb196efd964eee06522c

Download Submit
\??\pipe\LOCAL\crashpad_5100_QDDJXSZVNHAISSZZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3432-10423-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3432-14-0x0000000002100000-0x0000000002184000-memory.dmp

Filesize
528KB

Download
memory/3432-9546-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3432-6642-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3432-10469-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3432-3917-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3432-927-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4680-1-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4680-0-0x00000000021B0000-0x0000000002234000-memory.dmp

Filesize
528KB

Download
memory/4680-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4680-10-0x00000000021B0000-0x0000000002234000-memory.dmp

Filesize
528KB

Download