Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/03/2025, 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
  Resource: win10v2004-20250313-en
General
Target: 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
Size: 251KB
MD5: 8fa787e817cf01cfdb0b287de2ee39c9
SHA1: 37f6f0b73983d7d61a5393ded3ffd3eec5f6f0b8
SHA256: 4dbd942433b4510cec4998e8447aef56c776753d6b23c3690e19fc6d573fc8af
SHA512: 5d6f734eb82254b303f81776dc161d4409597c986298ed0e95f0fe4752a16a0fb07d95823adeb6943fa7d11a801cbef53b1cf19168a3ce8af3cea86f12a3468e
SSDEEP: 3072:iLhtgSlZAeKoNhb64VzKRJWpLXOe/TYUAk/M2lH0+6m6MU0N/nr+rtnd9mTRpcr:qsxWp9TYUzX6Zm6MU0N6gXcr
Malware Config
Extracted
C:\ebea8a0c5b7ebb8dc5b60da7\_ReCoVeRy_+jndgx.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9FEFE98BC0BFB9AA
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/9FEFE98BC0BFB9AA
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/9FEFE98BC0BFB9AA
http://xlowfznrg4wf7dli.ONION/9FEFE98BC0BFB9AA
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (887) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | xdpxegnijily.exe
- Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3120 | xdpxegnijily.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pthbeil = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\xdpxegnijily.exe" | xdpxegnijily.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_CatEye.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-200.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-black.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\font\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-100.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_altform-unplated_contrast-black.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFirstRunCarousel_Animation2.mp4 | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-100.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-100.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-400.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_gameDVR.targetsize-48.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-100_contrast-white.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+jndgx.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlOuterCircleHover.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lv-LV\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\VideoThumbnail.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-white.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_SM.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-300.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\edge_BITS_4700_1893608584\_ReCoVeRy_+jndgx.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Internet Explorer\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-lightunplated.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated_contrast-black.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker17.png | xdpxegnijily.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\_ReCoVeRy_+jndgx.html | xdpxegnijily.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\xdpxegnijily.exe | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
  File created | C:\Windows\xdpxegnijily.exe | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdpxegnijily.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871004557996602" | msedge.exe
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings | xdpxegnijily.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{F30A980C-B590-452A-A401-EF6B76173C35} | msedge.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  4220 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3120 | xdpxegnijily.exe (the same row is recorded 64 times)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid | Process
  5044 | msedge.exe
  5044 | msedge.exe
  5044 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
  Token: SeDebugPrivilege | 3120 | xdpxegnijily.exe
  Token: SeIncreaseQuotaPrivilege | 2892 | WMIC.exe
  Token: SeSecurityPrivilege | 2892 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2892 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2892 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2892 | WMIC.exe
  Token: SeSystemtimePrivilege | 2892 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2892 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2892 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2892 | WMIC.exe
  Token: SeBackupPrivilege | 2892 | WMIC.exe
  Token: SeRestorePrivilege | 2892 | WMIC.exe
  Token: SeShutdownPrivilege | 2892 | WMIC.exe
  Token: SeDebugPrivilege | 2892 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2892 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2892 | WMIC.exe
  Token: SeUndockPrivilege | 2892 | WMIC.exe
  Token: SeManageVolumePrivilege | 2892 | WMIC.exe
  Token: 33 | 2892 | WMIC.exe
  Token: 34 | 2892 | WMIC.exe
  Token: 35 | 2892 | WMIC.exe
  Token: 36 | 2892 | WMIC.exe
  (the 21 rows above for 2892 WMIC.exe, from SeIncreaseQuotaPrivilege through 36, are recorded a second time in the same order)
  Token: SeBackupPrivilege | 4832 | vssvc.exe
  Token: SeRestorePrivilege | 4832 | vssvc.exe
  Token: SeAuditPrivilege | 4832 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 4392 | WMIC.exe
  Token: SeSecurityPrivilege | 4392 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4392 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4392 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4392 | WMIC.exe
  Token: SeSystemtimePrivilege | 4392 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4392 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4392 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4392 | WMIC.exe
  Token: SeBackupPrivilege | 4392 | WMIC.exe
  Token: SeRestorePrivilege | 4392 | WMIC.exe
  Token: SeShutdownPrivilege | 4392 | WMIC.exe
  Token: SeDebugPrivilege | 4392 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4392 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4392 | WMIC.exe
  Token: SeUndockPrivilege | 4392 | WMIC.exe
  Token: SeManageVolumePrivilege | 4392 | WMIC.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  5044 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3268 wrote to memory of 3120 | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe | 89
  PID 3268 wrote to memory of 3120 | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe | 89
  PID 3268 wrote to memory of 3120 | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe | 89
  PID 3268 wrote to memory of 4220 | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe | 90
  PID 3268 wrote to memory of 4220 | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe | 90
  PID 3268 wrote to memory of 4220 | 3268 | 2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe | 90
  PID 3120 wrote to memory of 2892 | 3120 | xdpxegnijily.exe | 92
  PID 3120 wrote to memory of 2892 | 3120 | xdpxegnijily.exe | 92
  PID 3120 wrote to memory of 4220 | 3120 | xdpxegnijily.exe | 112
  PID 3120 wrote to memory of 4220 | 3120 | xdpxegnijily.exe | 112
  PID 3120 wrote to memory of 4220 | 3120 | xdpxegnijily.exe | 112
  PID 3120 wrote to memory of 5044 | 3120 | xdpxegnijily.exe | 113
  PID 3120 wrote to memory of 5044 | 3120 | xdpxegnijily.exe | 113
  PID 5044 wrote to memory of 448 | 5044 | msedge.exe | 114
  PID 5044 wrote to memory of 448 | 5044 | msedge.exe | 114
  PID 3120 wrote to memory of 4392 | 3120 | xdpxegnijily.exe | 115
  PID 3120 wrote to memory of 4392 | 3120 | xdpxegnijily.exe | 115
  PID 5044 wrote to memory of 4416 | 5044 | msedge.exe | 117
  PID 5044 wrote to memory of 4416 | 5044 | msedge.exe | 117
  PID 5044 wrote to memory of 224 | 5044 | msedge.exe | 118
  PID 5044 wrote to memory of 224 | 5044 | msedge.exe | 118
  PID 5044 wrote to memory of 3880 | 5044 | msedge.exe | 119
  PID 5044 wrote to memory of 3880 | 5044 | msedge.exe | 119
  PID 5044 wrote to memory of 224 | 5044 | msedge.exe | 118 (this row repeats for all remaining entries of the 64)
- System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xdpxegnijily.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | xdpxegnijily.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-22_8fa787e817cf01cfdb0b287de2ee39c9_amadey_teslacrypt.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3268
  Level 2: C:\Windows\xdpxegnijily.exe
    Command line: C:\Windows\xdpxegnijily.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 3120
    Level 3: C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2892
    Level 3: C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
      PID: 4220
    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 5044
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x338,0x7ffdece6f208,0x7ffdece6f214,0x7ffdece6f220
        PID: 448
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1720,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:3
        PID: 4416
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1580,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:2
        PID: 224
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1384,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
        PID: 3880
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
        PID: 2808
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
        PID: 5260
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5008,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:8
        PID: 5048
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:8
        PID: 3660
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4288,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:8
        PID: 5784
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5676,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:8
        PID: 2252
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5676,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:8
        PID: 4496
      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5892,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
        PID: 4560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6004,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:84⤵PID:2036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:84⤵PID:5544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6156,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:84⤵PID:928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:84⤵PID:5132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6268,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:84⤵PID:2056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:84⤵PID:1048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:84⤵PID:1104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2340,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5688 /prefetch:84⤵PID:1896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,13525470731441489335,9416220373873421158,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:84⤵PID:5224
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XDPXEG~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:1848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE2⤵
- System Location Discovery: System Language Discovery
PID:4220
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:6104
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads
Files written during the run that the sandbox attributes to a path (each entry also carries an MD5/SHA1/SHA256/SHA512 set in the report):
    C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js.mp3 (9KB)
    C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content_new.js.mp3 (10KB)
    C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js (9KB)
    C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Notifications\0.0.0.46\arbitration_metadata.txt.mp3 (344KB)
    C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json (6KB)
    C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres (2KB)
    C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133863512399351925.txt (77KB)
    C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133863553978119774.txt (87KB)
    C:\Users\Admin\AppData\Local\Temp\scoped_dir5044_1555314158\98869cde-cfcd-4d94-b4f2-9428f6c9d355.tmp (10KB)