teslacrypt | b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

Analysis

max time kernel
142s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
Size

356KB
MD5

5ef1fdd422951c153db8c39b87e84e5d
SHA1

a89966004343653b2d20c06b373b1390ed0450d3
SHA256

b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
SHA512

94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
SSDEEP

6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rkjmi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8BBE1AC44D5EC344 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8BBE1AC44D5EC344 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/8BBE1AC44D5EC344 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/8BBE1AC44D5EC344 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8BBE1AC44D5EC344 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8BBE1AC44D5EC344 http://yyre45dbvn2nhbefbmh.begumvelic.at/8BBE1AC44D5EC344 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/8BBE1AC44D5EC344

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8BBE1AC44D5EC344

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8BBE1AC44D5EC344

http://yyre45dbvn2nhbefbmh.begumvelic.at/8BBE1AC44D5EC344

http://xlowfznrg4wf7dli.ONION/8BBE1AC44D5EC344

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeubhvmvfanjcs.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ubhvmvfanjcs.exe

Drops startup file 6 IoCs

Processes:

ubhvmvfanjcs.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe

Executes dropped EXE 2 IoCs

Processes:

ubhvmvfanjcs.exeubhvmvfanjcs.exe

pid	Process
1844	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ubhvmvfanjcs.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\furcppq = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ubhvmvfanjcs.exe"	ubhvmvfanjcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeubhvmvfanjcs.exe

description	pid	Process	procid_target
PID 4308 set thread context of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 1844 set thread context of 4916	1844	ubhvmvfanjcs.exe	98

Drops file in Program Files directory 64 IoCs

Processes:

ubhvmvfanjcs.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\39.jpg	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_contrast-white.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated_contrast-black.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-100.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-400_contrast-white.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-125.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\AppExcel32x32.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-150.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-20_altform-unplated.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-100_contrast-black.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-250.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-white.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-100.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QHEADLES\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-200.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Windows Media Player\_ReCoVeRy_+rkjmi.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100_contrast-white.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_ReCoVeRy_+rkjmi.txt	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+rkjmi.html	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-16.png	ubhvmvfanjcs.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-200.png	ubhvmvfanjcs.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe

description	ioc	Process
File created	C:\Windows\ubhvmvfanjcs.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
File opened for modification	C:\Windows\ubhvmvfanjcs.exe	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

ubhvmvfanjcs.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	ubhvmvfanjcs.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
3592	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ubhvmvfanjcs.exe

pid	Process
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe
4916	ubhvmvfanjcs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeubhvmvfanjcs.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
Token: SeDebugPrivilege	4916	ubhvmvfanjcs.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: 36	644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: 36	644	WMIC.exe
Token: SeBackupPrivilege	4852	vssvc.exe
Token: SeRestorePrivilege	4852	vssvc.exe
Token: SeAuditPrivilege	4852	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemProfilePrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeProfSingleProcessPrivilege	1224	WMIC.exe
Token: SeIncBasePriorityPrivilege	1224	WMIC.exe
Token: SeCreatePagefilePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeDebugPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeRemoteShutdownPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeVirusShare_5ef1fdd422951c153db8c39b87e84e5d.exeubhvmvfanjcs.exeubhvmvfanjcs.exemsedge.exe

description	pid	Process	procid_target
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 4308 wrote to memory of 5004	4308	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	94
PID 5004 wrote to memory of 1844	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	95
PID 5004 wrote to memory of 1844	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	95
PID 5004 wrote to memory of 1844	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	95
PID 5004 wrote to memory of 1000	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	96
PID 5004 wrote to memory of 1000	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	96
PID 5004 wrote to memory of 1000	5004	VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe	96
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 1844 wrote to memory of 4916	1844	ubhvmvfanjcs.exe	98
PID 4916 wrote to memory of 644	4916	ubhvmvfanjcs.exe	99
PID 4916 wrote to memory of 644	4916	ubhvmvfanjcs.exe	99
PID 4916 wrote to memory of 3592	4916	ubhvmvfanjcs.exe	104
PID 4916 wrote to memory of 3592	4916	ubhvmvfanjcs.exe	104
PID 4916 wrote to memory of 3592	4916	ubhvmvfanjcs.exe	104
PID 4916 wrote to memory of 4900	4916	ubhvmvfanjcs.exe	105
PID 4916 wrote to memory of 4900	4916	ubhvmvfanjcs.exe	105
PID 4900 wrote to memory of 5064	4900	msedge.exe	106
PID 4900 wrote to memory of 5064	4900	msedge.exe	106
PID 4916 wrote to memory of 1224	4916	ubhvmvfanjcs.exe	107
PID 4916 wrote to memory of 1224	4916	ubhvmvfanjcs.exe	107
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109
PID 4900 wrote to memory of 280	4900	msedge.exe	109

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ubhvmvfanjcs.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ubhvmvfanjcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ubhvmvfanjcs.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_5ef1fdd422951c153db8c39b87e84e5d.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\ubhvmvfanjcs.exe
    C:\Windows\ubhvmvfanjcs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\ubhvmvfanjcs.exe
      C:\Windows\ubhvmvfanjcs.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4916
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa19e846f8,0x7ffa19e84708,0x7ffa19e84718
        6⤵
        
        PID:5064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
        6⤵
        
        PID:280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        6⤵
        
        PID:1044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        6⤵
        
        PID:4956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        6⤵
        
        PID:644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        6⤵
        
        PID:1740
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
        6⤵
        
        PID:4696
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
        6⤵
        
        PID:2140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        6⤵
        
        PID:1988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        6⤵
        
        PID:4324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
        6⤵
        
        PID:272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,2629353318122724382,11289137715838150565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        6⤵
        
        PID:4836
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UBHVMV~1.EXE
        5⤵
        
        PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rkjmi.html

Filesize
12KB

MD5
9535823ff1e5d92bfcbfdbcb619d0c69

SHA1
4da5de8fdadd530ad8b2faa39062ef58eebee06e

SHA256
1393dcdb1501ade83785ca3a5e851f527bd582bb31c4e90d63c3769045beca6f

SHA512
5e87c0968d71509a377a42349768e59b88cff1b4b536343d8e44ed2bf2228f3bb98758f9771eaebb9b76103bfbed4fd41e3a647ef4de492693f34693ca330d53

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rkjmi.png

Filesize
64KB

MD5
8c24f4c7a84fc2bf8a4b0ddc83ad426e

SHA1
270ce7343715ab8d23ff147cad8a6db5b62aa280

SHA256
44faa244133c48ae8cab6013efaaa149e63d89a6c5366a905d498ed689576e84

SHA512
08fa200bc1a5f24abafac2a2b7f36b7aa398f3af81ede328f5cff224fd6aa6338792895490475547b868cbfe79dd54072532d271f6c29cc838105f4a3ce3a90f

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rkjmi.txt

Filesize
1KB

MD5
09454fb67d56e73717f3535078229ceb

SHA1
374bf2cdf5bed523475b675bbd6f470c30caa192

SHA256
c2659ce4e25f63244a79547e4ad5d8b9cd87beed64f245b07a591843b6c0f6bd

SHA512
1b6a949eb386da14084c27787cd78cb4ced8585c3060a65da4184b07825ba0e621760e3d22634aa4e4a86dd158a64c4eeddfecd3a913b9d0d573e43db72f24e3

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
949cab64a7f888f1a8941a697c666708

SHA1
4b00a8d753b835d80b3c6d00a306a328ada7eb1f

SHA256
41d17df10eb394ff240675a995880a6f8b521558a76829a9b7394e75b52683a7

SHA512
4dda6d83a3d164e0b14f897214a79ad09ae3dad000e8f8ebf720b998a1a7a25b63e8d985902d7dbf4ed3f11a0064b253a1b13acff51aa93dc34129ab97da765e

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
1b15d448a320098fa0519185a71fdd2a

SHA1
a4461eb96f058ed34ed7b1c937bcc7834ecf23fd

SHA256
ff000d7a6459fb7db95701db73efe306498c0f312cc05953d9a4cb5c934951cb

SHA512
6da4851c59f6782d7fb94de77683c857a61a193c3cb5c03e8c8e01302d9c0d51479056d650198660a69d474b63345270ee7c125b95645f3d58921bd3e28118e9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
1b8cdf26c4fd8706ca59d177744b84bf

SHA1
ba92c3d6a338e4f0e9a451fbf09ec5488b085a3d

SHA256
e6ae4296d79b46c662f6237494de07734f51804cb1e212f68319be41b80663d9

SHA512
e5050357f813180d94d4beff36dd057137cf06a540ca1fb27689e6eff1aa0b0212efac31d688666a39faf7635425b61e52ac82792057a1bbb0c5e28460092139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05dc0356150a789b1e743ad487444fe6

SHA1
8fd086e538a63300a3cfe34fe8fec002d0bb0508

SHA256
bd469b8c6982eea15d903454e052c350553cc36bf1b9ebc8798aeb846495cc1f

SHA512
4e67934a36f1e000c332b04fdaa90eb6b15ed4708b5716d7527f15de23e1c0ab3079982c495844e93e7a49df4c8d3f19cc4bb1f0e8867276a90a9095094d150d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6229307c9a7b4a0106e464b8ecb52eb

SHA1
b3dbd60eddf0a6442878da3ec1b1689bbf70f3a3

SHA256
49afa51ef22b7f7695408e35848fbed7069e9d2e9165924ff12313434f42b67b

SHA512
0188c4df13a97de98e550afa248efb5c2f4318f8a24f12a785f2ac06e5f910eca9eb78f8e45f4769c79602f51c451d09f9f470010478431b6bf3df778987a6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f9bb42d55181bd758a50928dcf9a0651

SHA1
dba7232c205077877e262e281559ed0e095b307c

SHA256
15a3834f95d1684cca577557d90e28b7b2baace2410385c80dff11e4e1525e49

SHA512
f67b32cba9064685c5d6091e0b5b959444e40fce91eb5d782779c00f6fc4763938dd3dfef89c27d989be12bbb96f9d51610d385d6f22f5cf0bd37fd0bba04451

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380890952339.txt

Filesize
47KB

MD5
97846489d074857257cf69b5cdb61dde

SHA1
9647c4e0b7fc61df706f9b2558c83cda0f619d30

SHA256
7abe7033ceb289b0b462781c925a448cc9de2fcd8c6ab16335001f8e48f28b0f

SHA512
d8c03a6744427aa9440abda2465468a5a083c27fb46186fed179b9316778797200925e8b98dfb4bfc6fc552cbc049229ecc3a9d09d85244456da5a8940d7ea05

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596405289853215.txt

Filesize
75KB

MD5
2ffa88621eb76cc8511a8d99842142bd

SHA1
d97fe777972bb72b83ebcbb38ad65fbfab6bf826

SHA256
d6ef116414d890a4610c2445118a5d072b1593b4ba8c79eb3c3e2eacee4e1efa

SHA512
6c4d1d72f03b9e57d62e4de0db1613dd9872ddfefbe2738b9ae655ce99a5deedfed33078b9f15674bfb53f9fb4ee20e8e10b8cf830f5d691d8e301fb88712f1e

Download Submit
C:\Windows\ubhvmvfanjcs.exe

Filesize
356KB

MD5
5ef1fdd422951c153db8c39b87e84e5d

SHA1
a89966004343653b2d20c06b373b1390ed0450d3

SHA256
b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

SHA512
94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871

Download Submit
\??\pipe\LOCAL\crashpad_4900_JZLVRUITSNLIZPXI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1844-12-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4308-0-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/4308-4-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/4308-1-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/4916-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-10444-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-2334-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-4576-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-7549-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-10364-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-10435-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-10436-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-595-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-10445-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4916-10484-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download