teslacrypt | ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_58999b891c115ca4cd983c9675724890.exe
Size

376KB
MD5

58999b891c115ca4cd983c9675724890
SHA1

8157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e
SHA256

ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315
SHA512

6773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed
SSDEEP

6144:ue3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:uY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+bswcp.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/121DFC6C611F4ECE 2. http://kkd47eh4hdjshb5t.angortra.at/121DFC6C611F4ECE 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/121DFC6C611F4ECE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/121DFC6C611F4ECE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/121DFC6C611F4ECE http://kkd47eh4hdjshb5t.angortra.at/121DFC6C611F4ECE http://ytrest84y5i456hghadefdsd.pontogrot.com/121DFC6C611F4ECE *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/121DFC6C611F4ECE

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/121DFC6C611F4ECE

http://kkd47eh4hdjshb5t.angortra.at/121DFC6C611F4ECE

http://ytrest84y5i456hghadefdsd.pontogrot.com/121DFC6C611F4ECE

http://xlowfznrg4wf7dli.ONION/121DFC6C611F4ECE

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hhliqcrhhgeh.exeVirusShare_58999b891c115ca4cd983c9675724890.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	hhliqcrhhgeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	VirusShare_58999b891c115ca4cd983c9675724890.exe

Drops startup file 6 IoCs

Processes:

hhliqcrhhgeh.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+bswcp.txt	hhliqcrhhgeh.exe

Executes dropped EXE 2 IoCs

Processes:

hhliqcrhhgeh.exehhliqcrhhgeh.exe

pid process

3248 hhliqcrhhgeh.exe
3260 hhliqcrhhgeh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3248	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hhliqcrhhgeh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnhcruivratg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hhliqcrhhgeh.exe\""	hhliqcrhhgeh.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_58999b891c115ca4cd983c9675724890.exehhliqcrhhgeh.exe

description	pid	process	target process
PID 1240 set thread context of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 3248 set thread context of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe

Drops file in Program Files directory 64 IoCs

Processes:

hhliqcrhhgeh.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-100.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256_altform-unplated.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-150.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\iheart-radio.scale-100.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\VideoThumbnail.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\THMBNAIL.PNG	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Google\Chrome\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Cavalier.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-100.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-100.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-400.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16_altform-unplated.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-125.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\chats_emptystate_v3.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Concrete.jpg	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+bswcp.png	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\Recovery+bswcp.html	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\Recovery+bswcp.txt	hhliqcrhhgeh.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\Recovery+bswcp.html	hhliqcrhhgeh.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_58999b891c115ca4cd983c9675724890.exe

description	ioc	process
File created	C:\Windows\hhliqcrhhgeh.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
File opened for modification	C:\Windows\hhliqcrhhgeh.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

hhliqcrhhgeh.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings hhliqcrhhgeh.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4384 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	hhliqcrhhgeh.exe

pid	process
4384	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hhliqcrhhgeh.exe

pid	process
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe
3260	hhliqcrhhgeh.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4724 msedge.exe
4724 msedge.exe
4724 msedge.exe
4724 msedge.exe
4724 msedge.exe
4724 msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

VirusShare_58999b891c115ca4cd983c9675724890.exehhliqcrhhgeh.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe
Token: SeDebugPrivilege	3260	hhliqcrhhgeh.exe
Token: SeIncreaseQuotaPrivilege	2916	WMIC.exe
Token: SeSecurityPrivilege	2916	WMIC.exe
Token: SeTakeOwnershipPrivilege	2916	WMIC.exe
Token: SeLoadDriverPrivilege	2916	WMIC.exe
Token: SeSystemProfilePrivilege	2916	WMIC.exe
Token: SeSystemtimePrivilege	2916	WMIC.exe
Token: SeProfSingleProcessPrivilege	2916	WMIC.exe
Token: SeIncBasePriorityPrivilege	2916	WMIC.exe
Token: SeCreatePagefilePrivilege	2916	WMIC.exe
Token: SeBackupPrivilege	2916	WMIC.exe
Token: SeRestorePrivilege	2916	WMIC.exe
Token: SeShutdownPrivilege	2916	WMIC.exe
Token: SeDebugPrivilege	2916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2916	WMIC.exe
Token: SeRemoteShutdownPrivilege	2916	WMIC.exe
Token: SeUndockPrivilege	2916	WMIC.exe
Token: SeManageVolumePrivilege	2916	WMIC.exe
Token: 33	2916	WMIC.exe
Token: 34	2916	WMIC.exe
Token: 35	2916	WMIC.exe
Token: 36	2916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe
Token: 35	4640	WMIC.exe
Token: 36	4640	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_58999b891c115ca4cd983c9675724890.exeVirusShare_58999b891c115ca4cd983c9675724890.exehhliqcrhhgeh.exehhliqcrhhgeh.exemsedge.exe

description	pid	process	target process
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 1240 wrote to memory of 2076	1240	VirusShare_58999b891c115ca4cd983c9675724890.exe	VirusShare_58999b891c115ca4cd983c9675724890.exe
PID 2076 wrote to memory of 3248	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe	hhliqcrhhgeh.exe
PID 2076 wrote to memory of 3248	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe	hhliqcrhhgeh.exe
PID 2076 wrote to memory of 3248	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe	hhliqcrhhgeh.exe
PID 2076 wrote to memory of 4740	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe	cmd.exe
PID 2076 wrote to memory of 4740	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe	cmd.exe
PID 2076 wrote to memory of 4740	2076	VirusShare_58999b891c115ca4cd983c9675724890.exe	cmd.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3248 wrote to memory of 3260	3248	hhliqcrhhgeh.exe	hhliqcrhhgeh.exe
PID 3260 wrote to memory of 2916	3260	hhliqcrhhgeh.exe	WMIC.exe
PID 3260 wrote to memory of 2916	3260	hhliqcrhhgeh.exe	WMIC.exe
PID 3260 wrote to memory of 4384	3260	hhliqcrhhgeh.exe	NOTEPAD.EXE
PID 3260 wrote to memory of 4384	3260	hhliqcrhhgeh.exe	NOTEPAD.EXE
PID 3260 wrote to memory of 4384	3260	hhliqcrhhgeh.exe	NOTEPAD.EXE
PID 3260 wrote to memory of 4724	3260	hhliqcrhhgeh.exe	msedge.exe
PID 3260 wrote to memory of 4724	3260	hhliqcrhhgeh.exe	msedge.exe
PID 4724 wrote to memory of 4736	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 4736	4724	msedge.exe	msedge.exe
PID 3260 wrote to memory of 4640	3260	hhliqcrhhgeh.exe	WMIC.exe
PID 3260 wrote to memory of 4640	3260	hhliqcrhhgeh.exe	WMIC.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe
PID 4724 wrote to memory of 3160	4724	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

hhliqcrhhgeh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hhliqcrhhgeh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hhliqcrhhgeh.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\hhliqcrhhgeh.exe
    C:\Windows\hhliqcrhhgeh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\hhliqcrhhgeh.exe
      C:\Windows\hhliqcrhhgeh.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3260
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a88746f8,0x7ff9a8874708,0x7ff9a8874718
        6⤵
        
        PID:4736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        6⤵
        
        PID:3160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        6⤵
        
        PID:3232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        6⤵
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:4720
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
        6⤵
        
        PID:4796
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
        6⤵
        
        PID:2944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
        6⤵
        
        PID:3588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
        6⤵
        
        PID:1012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
        6⤵
        
        PID:1616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10359983943286589090,10636597420358003248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
        6⤵
        
        PID:4272
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HHLIQC~1.EXE
        5⤵
        
        PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:4740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+bswcp.html

Filesize
7KB

MD5
d32d7bb559b9a15bc3b3ca41cde1c8a1

SHA1
bb56561dcd235cd372b94501f5bbfd372532b904

SHA256
228356cb01442900321d6a20cbad142786777c9193128a2f62b6dc76a651296a

SHA512
37bce7b55448283adecfabcf2f91a3a7927790028efabbc7ec1753e4ed50d77e869c0f4dfdd6d32cfdfb9c8f5c908d17c6a4c837a11ce64e16f8ac377d7bd25d

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+bswcp.png

Filesize
62KB

MD5
65f2bf26d398f7efbbbdd5eccac4d696

SHA1
9f145c342e075014738a393b90c77ef5c57ba750

SHA256
8bc5680f77074ac97c6e666c7a6e5cdf55d013ad387ee49ad5dce5bbc3a52f3e

SHA512
b32ef448b9ec381f5d008622ba61deeffe98f759d9dcf989a270572eeb22a9796e84c55f74dc5f0771b411008df71951f620fcdc1512cf7c0e8f95babbfeaa55

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+bswcp.txt

Filesize
1KB

MD5
06181a0a12d52e76c1a63fd90fec15f6

SHA1
0aaaed9e2f670c7df1f905b1ee115e847ff6d50d

SHA256
fa9a0974268c6feac8a4f166a787353f05dea04667720ac289191caaec023243

SHA512
4e7b3aa72dc81a09ff868d77021baa7594bfc4ddf850a4098659551b6b7b8eab8ccffda55bfbcb8c00b129a268ac73f2d6f04984f4392e8a54a51a35e263037e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
6372cc74f489746790c323f0269f2ab8

SHA1
29ab501cdf52bcfc3c234c680442edb5264e9a17

SHA256
ea4d71e0a497dc27cf9544409b233be99e677629439af421058b46f48d1f86c8

SHA512
af73989b5168b477f5b84e491d60bc679ad95be45cfef4fb4edf756bbded0a38cdf821822b42680dcdc5557b0f4427baf7a580135da7c8b2c7bebef60412ce32

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
5a995d5314b6d2a4d5f6c964e5f1060f

SHA1
3a12e3d91fec831cfaf15ba82fa294c443648f2c

SHA256
c6f6e5e1927da8af14b4fb9eb691379f7007b8ed06f3d9ffe9852802b5f20c93

SHA512
9033e7a8371160800488e2bcdd5b4a56b4425dbfa9f518403110c001a9c221211486fac32df93abe4c5f651bc2dbab3ed9ec32c9e9134be7daa005a7002c8b7c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
e9854d1aa3f1885d210022ae9caf4350

SHA1
2ede3d3a3a10053980e9cdf01ec08249b1d0ef94

SHA256
978129fab86d76e143b3e413151f8b0839b2d20f46367b00052d6ab201153ccc

SHA512
70a346c185ecff4374c8d2a090952c140437428e09918706eed7c8dd87c0b759e5a3b9615db85ae045236761bb19b4b6a4f250a3dee5910983711d7f847a4bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e95f911d2f927282a89c62949c10bda9

SHA1
6d170bf462d964f5d367889c4010341d8fb325b9

SHA256
e5739f58bbe466b7190f05e7a2760620bc4e555bf2f88044e83beebda45d3655

SHA512
bedf2e916207df8b5bc38279ffbe0524fd2ed0d5bb4087514a0734a1e814cd2759e4644d0529d02d050fea52e1167e2021ccde8e7165838a25769fd70b0257bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66ae4ba0823a45b047a941e50caffc3f

SHA1
31a2bace00e17ada0f62920f9eea42d6c535bf9f

SHA256
11e530bcf3fc1465ac4115da20604b32c724b2ec35ab790a0834a733beca6c5c

SHA512
cf5c0f49a2879ace303d3d26d2ff0de116a971ed1db3e581761357e18deb1c51d809849f8e7490de7e44991b5a537dad9acf1b8e4e132c17b26064543e9b082f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c11fccdade4f4c26658ec3bbc5cf868b

SHA1
e7b0e35eadb006308900168c45963395366b61af

SHA256
5ae30b8ddbf36fca8a77a1e0fdcd23595203faf1b0dd33c406a977967ed0faca

SHA512
1ec79953dd09baaf916fa356825bc301099dfa6af20c1026d3b71051f1d94a37413db45f9e4cad6c7c775cbe457b95a1ec920c95894d5f8d60f328956b21856a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440659070499.txt

Filesize
47KB

MD5
c4178e86b1d5ec0b3d6db74bb6260c17

SHA1
d2100f2125400550cbcccb9c10c63e4f60d70695

SHA256
1f5b7dc3c6bc7b8b6983222f886fd27e2913d1f9370581ed37a2052aed0d90a2

SHA512
213ce3171c8cfd6f1a64f9d8cb2d10f618ea0065a7c97c94f4dc3f5e4ac3e9883a3d37f14cbc0b702e3e4e8e3c7ddf1ecf54048df7fc6a35398a703faf587753

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449628541770.txt

Filesize
75KB

MD5
89ecf7225a3820ef5037d6e41f6acde7

SHA1
8e55eb4fc73a790918525c0547b4d3fef38b678c

SHA256
4df50b37a890da3c734c0528a29978250c72a4a4525200e9863f9b7f25eab361

SHA512
52e5417febe3c04d0d7fb78353fa4ba06dd4d6ea4548d7ef938390f7e7c291a93fe4dff9f112dbab0693c45f52fc11266fff3bc9f8012ca2be20f81aeece9c95

Download Submit
C:\Windows\hhliqcrhhgeh.exe

Filesize
376KB

MD5
58999b891c115ca4cd983c9675724890

SHA1
8157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e

SHA256
ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315

SHA512
6773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed

Download Submit
\??\pipe\LOCAL\crashpad_4724_DOIWKHRECMWXZQEP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1240-0-0x00000000007B0000-0x00000000007B3000-memory.dmp

Filesize
12KB

Download
memory/1240-1-0x00000000007B0000-0x00000000007B3000-memory.dmp

Filesize
12KB

Download
memory/1240-6-0x00000000007B0000-0x00000000007B3000-memory.dmp

Filesize
12KB

Download
memory/2076-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2076-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2076-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2076-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2076-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3248-12-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3260-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-7062-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-4297-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-9982-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-10356-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-10357-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-10365-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-10366-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-1939-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-566-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-10429-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download