Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/03/2025, 08:30
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
- Resource: win10v2004-20250314-en
General
- Target: 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
- Size: 251KB
- MD5: e24753999a765babb180217ea49affa1
- SHA1: 7a5f87c0a78d6c20d7b7e35569eb30224b507908
- SHA256: 2726d7000a2c36a93b6bf336314628b1a8571c2365b36cd8df899f2fc156975e
- SHA512: 173de2f5afd1f5dfa376926bbe34ede5c06f3dc601e8b3fbbe7ba5612e3003f9747c5ab9d99bbb948cc270d03aa3b2ca520cd57af11e550e3a336180292d37df
- SSDEEP: 3072:yP36YQgDABWbDFp7yz5hwXZwnt+XOCGNjYQohl5ZieMhJP7p9ie3ESTRpA6:OZyTntxVYQE5ehJP7p9p3EcXA6
Malware Config
Extracted from: C:\Users\Recovery+vgxfx.txt
Family: teslacrypt
URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/32A7241F51FA1B9
- http://tes543berda73i48fsdfsd.keratadze.at/32A7241F51FA1B9
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/32A7241F51FA1B9
- http://xlowfznrg4wf7dli.ONION/32A7241F51FA1B9
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (888) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fiaggivjudpy.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
- Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vgxfx.txt | fiaggivjudpy.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4640 | fiaggivjudpy.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpkrhrfirsmc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\fiaggivjudpy.exe\"" | fiaggivjudpy.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-200.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Ringlesscalling_25more_360x120_2x.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.scale-200.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected] | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\MSBuild\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-black.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\7px.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Windows Photo Viewer\uk-UA\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe805.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-80.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MicrosoftLogo.scale-200.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\policy\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+vgxfx.txt | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-200.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Bundle\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\Recovery+vgxfx.html | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\Recovery+vgxfx.png | fiaggivjudpy.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Recovery+vgxfx.png | fiaggivjudpy.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\fiaggivjudpy.exe | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
  File opened for modification | C:\Windows\fiaggivjudpy.exe | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fiaggivjudpy.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871058708477395" | msedge.exe
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | fiaggivjudpy.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{2DABD3FE-3525-4352-A59F-5D8D93B653A7} | msedge.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  3372 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4640 | fiaggivjudpy.exe (64 identical entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid | Process
  3888 | msedge.exe (3 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4368 | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
  Token: SeDebugPrivilege | 4640 | fiaggivjudpy.exe
  Token: SeIncreaseQuotaPrivilege | 4504 | WMIC.exe
  Token: SeSecurityPrivilege | 4504 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4504 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4504 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4504 | WMIC.exe
  Token: SeSystemtimePrivilege | 4504 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4504 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4504 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4504 | WMIC.exe
  Token: SeBackupPrivilege | 4504 | WMIC.exe
  Token: SeRestorePrivilege | 4504 | WMIC.exe
  Token: SeShutdownPrivilege | 4504 | WMIC.exe
  Token: SeDebugPrivilege | 4504 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4504 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4504 | WMIC.exe
  Token: SeUndockPrivilege | 4504 | WMIC.exe
  Token: SeManageVolumePrivilege | 4504 | WMIC.exe
  Token: 33 | 4504 | WMIC.exe
  Token: 34 | 4504 | WMIC.exe
  Token: 35 | 4504 | WMIC.exe
  Token: 36 | 4504 | WMIC.exe
  (the 21 rows above for pid 4504 appear a second time in the report, identically)
  Token: SeBackupPrivilege | 5800 | vssvc.exe
  Token: SeRestorePrivilege | 5800 | vssvc.exe
  Token: SeAuditPrivilege | 5800 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 4148 | WMIC.exe
  Token: SeSecurityPrivilege | 4148 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4148 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4148 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4148 | WMIC.exe
  Token: SeSystemtimePrivilege | 4148 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4148 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4148 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4148 | WMIC.exe
  Token: SeBackupPrivilege | 4148 | WMIC.exe
  Token: SeRestorePrivilege | 4148 | WMIC.exe
  Token: SeShutdownPrivilege | 4148 | WMIC.exe
  Token: SeDebugPrivilege | 4148 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4148 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4148 | WMIC.exe
  Token: SeUndockPrivilege | 4148 | WMIC.exe
  Token: SeManageVolumePrivilege | 4148 | WMIC.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  3888 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4368 wrote to memory of 4640 | 4368 | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe | 89 (3 entries)
  PID 4368 wrote to memory of 3560 | 4368 | 2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe | 90 (3 entries)
  PID 4640 wrote to memory of 4504 | 4640 | fiaggivjudpy.exe | 92 (2 entries)
  PID 4640 wrote to memory of 3372 | 4640 | fiaggivjudpy.exe | 112 (3 entries)
  PID 4640 wrote to memory of 3888 | 4640 | fiaggivjudpy.exe | 113 (2 entries)
  PID 4640 wrote to memory of 4148 | 4640 | fiaggivjudpy.exe | 114 (2 entries)
  PID 3888 wrote to memory of 4080 | 3888 | msedge.exe | 116 (2 entries)
  PID 3888 wrote to memory of 5976 | 3888 | msedge.exe | 117 (2 entries)
  PID 3888 wrote to memory of 3380 | 3888 | msedge.exe | 118 (remaining 45 entries, all identical)
- System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | fiaggivjudpy.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fiaggivjudpy.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4368
  - C:\Windows\fiaggivjudpy.exe
    Command line: C:\Windows\fiaggivjudpy.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 4640
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 4504
    - C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
      PID: 3372
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f4,0x7ffd9c3df208,0x7ffd9c3df214,0x7ffd9c3df220
        PID: 4080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=2876 /prefetch:3
        PID: 5976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2840,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:2
        PID: 3380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2188,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=2888 /prefetch:8
        PID: 932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
        PID: 1692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
        PID: 3192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4940,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:8
        PID: 5212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8
        PID: 3120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
        PID: 3492
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
        PID: 5864
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
        PID: 3012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:84⤵PID:5292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6172,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:84⤵PID:368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:84⤵PID:2356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5944,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:84⤵PID:3664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:84⤵PID:5968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:84⤵PID:5364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5724,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:84⤵PID:3568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:84⤵PID:2204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4772,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:84⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:84⤵PID:6104
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FIAGGI~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:1340
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE2⤵
- System Location Discovery: System Language Discovery
PID:3560
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5800
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:5416
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 560B
MD5: 3db1292b8da093d45ade96f5473c4ce9
SHA1: 032a87967e68f7abe855c7919c3122f4cccb8134
SHA256: 64c5bfed5e9ca58bce21001afba9c374b616022f53d0fbeed128647ea09b368d
SHA512: 79f1e2c195dee4a4ede21678dcc7474a9b696673e25df0e4a8408890831d878c2ba7e6c01dc7f3fc68ca5f8989f985ff1ee357d7dacf03ce82a12b98bd820726

Filesize: 560B
MD5: d6d2efd3322dacf8a8939c8b5651f3ce
SHA1: e73758c9bc00e1497e49c5de303f27a7c99b9658
SHA256: aced7e85ae30ccbbff74706ea4b67554957d59548c826d862aa8ba8874c30811
SHA512: 7cd51f7295ec24661c08ea0cafadcd897ac16b0f690fb6e0b6784c327fd34f9b345adaa1afe99218371a6e90df415b78c9ef827bec95f02fe5c95f7fe096db84

Filesize: 416B
MD5: 5578ad22ebc7a19a519b5a14294f5e88
SHA1: 6ce744c9c3df47f511be0001498ed042b3dc13d1
SHA256: c2c60f06597b9280e81d893fd93d6919d7c88cd77e31ac29b7e789a123f78a26
SHA512: 7b6fd1e5b78a1c1e132d77d746414d26e88b33fb2cd7c82e3503e0c82f923a32c3464b728503d68332d47b973c63056f61c7912373c578d3f6cc287e1a73a0c5

Filesize: 1KB
MD5: ee002cb9e51bb8dfa89640a406a1090a
SHA1: 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256: 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512: d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Filesize: 79B
MD5: 7f4b594a35d631af0e37fea02df71e72
SHA1: f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256: 530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512: bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Filesize: 280B
MD5: 01cc3a42395638ce669dd0d7aba1f929
SHA1: 89aa0871fa8e25b55823dd0db9a028ef46dfbdd8
SHA256: d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee
SHA512: d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
Filesize: 9KB
MD5: 3d20584f7f6c8eac79e17cca4207fb79
SHA1: 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256: 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512: 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Filesize: 107KB
MD5: 40e2018187b61af5be8caf035fb72882
SHA1: 72a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256: b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512: a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Filesize: 1KB
MD5: 135cfaa231e15526985eb2761d3f0812
SHA1: d94dc86e194e48d5dd81a32738fe5209df7f0ef5
SHA256: 961067b875eaabcf03f7ada38c370fafb37fc25ae66245821d82a01abe052dff
SHA512: b4ec8660eff98679c9d9ac645adc7263eb8f3e7853a9db5f5a344f651aecb03b76a1cd85adef9e63e3a79ddecb5b5f4232d9505f3aa4277604a7bb6d50aa4773

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 16KB
MD5: 37c68a85ca57bf2a4eb97bc81e4ccb35
SHA1: 231f99e99f00f2a223139bc07e3af49b3dc77d42
SHA256: e5845f49292c032537204b5a8d56e3f4b31eecdc65915424b1972d6eee27416d
SHA512: 2b5c778d3dc4305e316bb36729e61a72376f9a2cff99babe8bccf0ed7c91aa3eebdfa9e43e6650b0812974114f36a78fa58729c09c956179ae874c50e214f0cd

Filesize: 36KB
MD5: 91976f68e9e10b48588b60ca0c1ad4a5
SHA1: bc77f8f50c7421aeeb568ffe0e8cefb94429bd91
SHA256: 2654c9cab63d652482f0db473d29f15510226e275fb485145bb27738814cafa8
SHA512: e3ab9ec32a6a2368ea85fe10e5248efa2dfead74415e418b7e4c9abf1db2cf214ab766eaa69ec226ce770ecc52958240559eb1542ac3dee0b31b7d7650446582

Filesize: 22KB
MD5: 55a448e0acf60836e6e83c68b6e445d0
SHA1: ade777e86e74efbc7c16cc300a739627a9b5e9ee
SHA256: 0c11fe8fbf60750f50e30b2a9eb1fcb20549cee8c447a3fd277c62a7a1f8a38f
SHA512: 6b686c3c72b906126c8d3d3408471578c2cf272af5fbebf39727de1db15f89f2f4b9ac732d2f7f0a63a398fc34903c49de0d7467312935dc3f9af1dd2b88acfd

Filesize: 113KB
MD5: 1261024cbc368627f5a8d811be0f5429
SHA1: ba2e91e14b22f255fca122184ded83d4ddcb2da6
SHA256: 2227890adcd5afb9654156042f86e1d59edd9afb8c074d2efee07e6c2d7ea007
SHA512: 0b0df95b0a7f24073d4eef335d2d9ee9ca7432ef1c5b8af574cb90a458c4df069e2b722d0e5c9d8630a6702bf1f9049301314c32b20d92e100b33d7c78d2abd4

Filesize: 463B
MD5: 21c47b9dff0d3c49392cae6300a19b68
SHA1: 53b45928b5f05367830d7d1fddc0bec83db429d8
SHA256: 6691b581671bcfee6a479ba87f480b432d34b7e3320187d37d816de8d94e33a7
SHA512: 42cea29a898c0a58be78e55f744ffdfc24d79330a7d2841a0784e257dca8125e5d8519b47fa023d1491e77d3fcb559a42136830e2ea95b9bc9f1abf312c30cc9

Filesize: 892B
MD5: 51d0ba7bf08fd3c56d2c92d733bc8c3e
SHA1: 0f3e9d8fcd1e6eec0ffd4331dc56b6e05a8a4a04
SHA256: 95d731771f9856d390d49f3afe02b181aa25f1496a3905a49aa330f1bdb9e11e
SHA512: f95196d2589d5ef4d31492447534b15a9565cbf194ea7bce0f530efb13921004989097d2dd727db1635980c655eb98b9a7b20f12cda28aa0e6de87643c8fb5a7

Filesize: 22KB
MD5: bda18aa8fa0922bd7114401b6273b895
SHA1: cde3c4b921d9950d88422b0817f86ccb006ab0fa
SHA256: d154dc38d67273302f36c75866d3e54494a4caa47f56531469e72260e5822b2f
SHA512: cc19fcfc373e40981597a402ed8a435cf8cfdde7e6ed6159aba48c5b7189ea8d301720eb3d8c43878b64f416fc984ccc655cb5134f3300c9bfa589745e78c402

Filesize: 19KB
MD5: 41c1930548d8b99ff1dbb64ba7fecb3d
SHA1: d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA256: 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512: a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Notifications\0.0.0.46\arbitration_metadata.txt.mp3
Filesize: 344KB
MD5: 43cedc2c662f076f35b5ec0e899a56a3
SHA1: bf97213a70adc9fe9cedb241d9c1d9e2168c5258
SHA256: ee32c7fa574b5f54f9aa110a3a5d61fac35034a622035d443c023a73692560ef
SHA512: 27d321a20e4fc3905c779fb05ab35f87225f07380da8fe5a3bfb68abcdc876be8fb9bd3b0b120f7540b461983bde0e97f46a39a923b1b6aac427ef043064a088

Filesize: 49KB
MD5: 62bd332105d6b7abe1c6ed7ab24f8eec
SHA1: 4a8c6b80cd186d9e0844a1951584b21845bc56b6
SHA256: d0606a2786ccf2c49034dabdde1ea40370d43670fabcae01920d39a22a1d7eae
SHA512: 7e04f244d1331cca26da3d83ee2c97df09c7db4f2d3712f5a9dcc728914d4799ffc25719f946f792a604c7a8a7a52aff68edb29ea878baa46c3dd900c92c46f6

Filesize: 49KB
MD5: 8f972c256ead1c8ad9b956fd4b7732dd
SHA1: 1fca656e2e598c19931e9692d38aba4c66f8ae28
SHA256: 70f784daefc8d87cbe816774f9a3131300853438568f760c2d3cbdb375c1b7b7
SHA512: b8d5580742e0a881998d8d66acd607c0b4093b92a0980fdefea2d24846559bebccc07c4715c5bd778e80694ecbf892bc736574f1092e97d09e676f9993494a09

Filesize: 40KB
MD5: a74d1e032045ab8477b2f6cca5f259e5
SHA1: cadf7c7e5e1f8f58a6f88be92caa81ca4e59d563
SHA256: 45ea2ec883339c3e979572554226b0be22a62f5117ad6fe3da63bd6cdef89a64
SHA512: 995a8fb9cc4dd32c7e9c2b719b948bf34b73206c67b2d1932265bcf5d0ac99b7892776fcd048c2e83fa41d4b8e782b713bd7c1de4d7e43b2cdcca369c4b7a749

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json
Filesize: 6KB
MD5: bef4f9f856321c6dccb47a61f605e823
SHA1: 8e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256: fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512: bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: a777ffed1b57d1145f92e6e7374bd9bb
SHA1: a1ed110a0738f99901a4a05552a0bb12d4048038
SHA256: 5bdaa3fa86277b931e49b46456ff9978876ee1c4f4a67aaa9607708da5655475
SHA512: f6545e53785b29bb33924a024e4ad4c45ef683d43c5b3f433e36fe50d42c841766373438f789f9e9fccb90c581966b22ad0346365000812a38c1698bfc0eca21

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133864126132050660.txt
Filesize: 87KB
MD5: 5a722688140cee7533aa6bf564f01ed2
SHA1: 46d39b193278e08a8661f811a5ae0b6cc0348cbd
SHA256: 63368d2d789951544fa8ff405958114b7eb1c83890947439bb44c70b8b7b89c8
SHA512: 28722c72b7bc275adbc1fb723b3f536961877351dea379beb216a485081d50758ab4dd2510dddde3b034e06ba8e36eda5308ac3f46b9808d61ad5848e832faa2

Filesize: 10KB
MD5: 78e47dda17341bed7be45dccfd89ac87
SHA1: 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256: 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512: 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Filesize: 5KB
MD5: 4ccd46c141b03093ed5971d5b331490b
SHA1: 5bb2c8e11b48a5fa7aa2f5eb57f06778da5ba67a
SHA256: 42f25f37e2928c3466a6abea8d57ab0d6acf17e143299e18846c171eaddb5815
SHA512: a69aeb00c1b270ef1ef3c292431361bc61b94a988702a91b738e23b7750be29a76ef9b5bf86f02eebec6bbb4ec8f9693075ac31af320507cc6e0e93d03f9ad8c

Filesize: 119KB
MD5: 49b77343cd01791be6b9fd5e10c0d5ba
SHA1: c196fc949937d864072733d265b3647c7b99865d
SHA256: e17cb18b4ad4a7097ccd7ec0c501db59e663f1f4a699675e55173aca2f629960
SHA512: 4421eb1bd1132e67438ff6fda5a8466d0ee1f64e4b5617117d58564d2a6380be323dfb707c6f9305ac616efc378b394a3aa4ba18009db17a9e00a7cfb0ad5a77

Filesize: 720B
MD5: 3f68c4d92f11a1f3cddb208199512df1
SHA1: 94486bbabd8b5f54dacdce7f14331f96eb3f4508
SHA256: 8effdf1b872faa052d7f1bbd9150ec2dafadb632bdd91753efa59827479b4c69
SHA512: 6b9aa73183579b28fab70017030d912e43a4d4cb0064150d6c80eb40a89c9ed9f1ecc9ff21dd9bd4a8b26d6ac90e1a831155d145798d6ef7568510419c470b17

Filesize: 128KB
MD5: 6ae5a308ff9bcf901d9a1453c9f92fcc
SHA1: b7de75e4f5c942653fbce5a5ed8c89109af842a8
SHA256: 0326e2a26f34b4c6a6bd129499423f03e833057294ad3264b4451af11f06a8e1
SHA512: bbe4cb1fe4a60104a504e61b3a011f00abf0bd8b7cbc6f0d60a82d3b8ee05eff7b8a76e4601ece6707aceb0f1eb89f4d6bf57545ff8eb6715e7a63a62dffa4f1

Filesize: 11KB
MD5: 62604cdf7cc4184d1b01753c50132088
SHA1: d846fd74ac55b5c0bb7c1af8bf71c8a718d2c518
SHA256: 85f305ddebcd596e10d86ac3e200ff2591d891fd83f21cf2fd3cc86976df4a02
SHA512: 7f0ede5e6d8a1362c9921152d44bd2a9911fdf9fe1f99d92429df63cb8f88376dd1426e9cdbce777a5068d26ee623dade395e4ee61f4fd09f4c82e7db4bc4843

Filesize: 63KB
MD5: f04e070c7fc50647a7b13240cc55742c
SHA1: 887042ab97e756fe4eebf360fe1900d9cabb0d72
SHA256: bbd60d1a96166d8dcea60fa997ac95729c07881676fe4ee83da618b4a53a888e
SHA512: f46848369a77b4410d636837acc4a6b49a850a0eb4cfdd8aedc59f663b1c0ae00975c0bc90ab40d5d70ac66586089ec1ab940306eb746d50959806f3a13246df

Filesize: 1KB
MD5: 456faf0a97d43f0efdfe2707ea5dc1b1
SHA1: d4a8aec5283639398538aee7395dfec4b19b0100
SHA256: df1baac4f6445fe1e3c90f9bae2e7d37715560c38414682067ae096d6d9c8a62
SHA512: 6dea83c7a6778df6d9bcf3563505a4846d00b4dff240fe9633e53dd7a26466cd3539991097c622bc02915c062454a297463c3b413ece004b88fe2e2c35fc5100

Filesize: 251KB
MD5: e24753999a765babb180217ea49affa1
SHA1: 7a5f87c0a78d6c20d7b7e35569eb30224b507908
SHA256: 2726d7000a2c36a93b6bf336314628b1a8571c2365b36cd8df899f2fc156975e
SHA512: 173de2f5afd1f5dfa376926bbe34ede5c06f3dc601e8b3fbbe7ba5612e3003f9747c5ab9d99bbb948cc270d03aa3b2ca520cd57af11e550e3a336180292d37df