teslacrypt | 0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0

Analysis

max time kernel
146s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
Size

388KB
MD5

7a4d85a1bef0ca4cecfe376e0ee91090
SHA1

0eaab4a4cf009d2d0d2d525bad4742356ca06317
SHA256

0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0
SHA512

963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280
SSDEEP

6144:VPHkQ4ydZZb+Q7Qf4+4/X+8PvjAsYcHte9qYJkIb/VNIFNgQfo/Xse6+pA+Z0S:BrZZbJu4+Q+8RBe9qYacVNyN/l+pn5

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+pguwi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A 2. http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/9CD01F824DE9BE1A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9CD01F824DE9BE1A

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9CD01F824DE9BE1A

http://tes543berda73i48fsdfsd.keratadze.at/9CD01F824DE9BE1A

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9CD01F824DE9BE1A

http://xlowfznrg4wf7dli.ONION/9CD01F824DE9BE1A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (873) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	haolmjvtikuv.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+pguwi.html	haolmjvtikuv.exe

Executes dropped EXE 2 IoCs

pid	Process
4948	haolmjvtikuv.exe
4556	haolmjvtikuv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjsewjtnsbao = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\haolmjvtikuv.exe\""	haolmjvtikuv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 4948 set thread context of 4556	4948	haolmjvtikuv.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-150.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-100.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-100_contrast-black.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\50.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\Recovery+pguwi.txt	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30_altform-unplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x86\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-100_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\151.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-white.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlCone.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-96_altform-unplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.scale-100.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-200.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\Pages\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-lightunplated.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\Recovery+pguwi.html	haolmjvtikuv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-125.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\Recovery+pguwi.png	haolmjvtikuv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	haolmjvtikuv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\haolmjvtikuv.exe	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
File created	C:\Windows\haolmjvtikuv.exe	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	haolmjvtikuv.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2508	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe
4556	haolmjvtikuv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
Token: SeDebugPrivilege	4556	haolmjvtikuv.exe
Token: SeIncreaseQuotaPrivilege	180	WMIC.exe
Token: SeSecurityPrivilege	180	WMIC.exe
Token: SeTakeOwnershipPrivilege	180	WMIC.exe
Token: SeLoadDriverPrivilege	180	WMIC.exe
Token: SeSystemProfilePrivilege	180	WMIC.exe
Token: SeSystemtimePrivilege	180	WMIC.exe
Token: SeProfSingleProcessPrivilege	180	WMIC.exe
Token: SeIncBasePriorityPrivilege	180	WMIC.exe
Token: SeCreatePagefilePrivilege	180	WMIC.exe
Token: SeBackupPrivilege	180	WMIC.exe
Token: SeRestorePrivilege	180	WMIC.exe
Token: SeShutdownPrivilege	180	WMIC.exe
Token: SeDebugPrivilege	180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	180	WMIC.exe
Token: SeRemoteShutdownPrivilege	180	WMIC.exe
Token: SeUndockPrivilege	180	WMIC.exe
Token: SeManageVolumePrivilege	180	WMIC.exe
Token: 33	180	WMIC.exe
Token: 34	180	WMIC.exe
Token: 35	180	WMIC.exe
Token: 36	180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	180	WMIC.exe
Token: SeSecurityPrivilege	180	WMIC.exe
Token: SeTakeOwnershipPrivilege	180	WMIC.exe
Token: SeLoadDriverPrivilege	180	WMIC.exe
Token: SeSystemProfilePrivilege	180	WMIC.exe
Token: SeSystemtimePrivilege	180	WMIC.exe
Token: SeProfSingleProcessPrivilege	180	WMIC.exe
Token: SeIncBasePriorityPrivilege	180	WMIC.exe
Token: SeCreatePagefilePrivilege	180	WMIC.exe
Token: SeBackupPrivilege	180	WMIC.exe
Token: SeRestorePrivilege	180	WMIC.exe
Token: SeShutdownPrivilege	180	WMIC.exe
Token: SeDebugPrivilege	180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	180	WMIC.exe
Token: SeRemoteShutdownPrivilege	180	WMIC.exe
Token: SeUndockPrivilege	180	WMIC.exe
Token: SeManageVolumePrivilege	180	WMIC.exe
Token: 33	180	WMIC.exe
Token: 34	180	WMIC.exe
Token: 35	180	WMIC.exe
Token: 36	180	WMIC.exe
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeSecurityPrivilege	1884	WMIC.exe
Token: SeTakeOwnershipPrivilege	1884	WMIC.exe
Token: SeLoadDriverPrivilege	1884	WMIC.exe
Token: SeSystemProfilePrivilege	1884	WMIC.exe
Token: SeSystemtimePrivilege	1884	WMIC.exe
Token: SeProfSingleProcessPrivilege	1884	WMIC.exe
Token: SeIncBasePriorityPrivilege	1884	WMIC.exe
Token: SeCreatePagefilePrivilege	1884	WMIC.exe
Token: SeBackupPrivilege	1884	WMIC.exe
Token: SeRestorePrivilege	1884	WMIC.exe
Token: SeShutdownPrivilege	1884	WMIC.exe
Token: SeDebugPrivilege	1884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1884	WMIC.exe
Token: SeRemoteShutdownPrivilege	1884	WMIC.exe
Token: SeUndockPrivilege	1884	WMIC.exe
Token: SeManageVolumePrivilege	1884	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 3548 wrote to memory of 1748	3548	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	86
PID 1748 wrote to memory of 4948	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	87
PID 1748 wrote to memory of 4948	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	87
PID 1748 wrote to memory of 4948	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	87
PID 1748 wrote to memory of 4356	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	88
PID 1748 wrote to memory of 4356	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	88
PID 1748 wrote to memory of 4356	1748	7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe	88
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4948 wrote to memory of 4556	4948	haolmjvtikuv.exe	91
PID 4556 wrote to memory of 180	4556	haolmjvtikuv.exe	92
PID 4556 wrote to memory of 180	4556	haolmjvtikuv.exe	92
PID 4556 wrote to memory of 2508	4556	haolmjvtikuv.exe	97
PID 4556 wrote to memory of 2508	4556	haolmjvtikuv.exe	97
PID 4556 wrote to memory of 2508	4556	haolmjvtikuv.exe	97
PID 4556 wrote to memory of 3528	4556	haolmjvtikuv.exe	98
PID 4556 wrote to memory of 3528	4556	haolmjvtikuv.exe	98
PID 3528 wrote to memory of 3452	3528	msedge.exe	99
PID 3528 wrote to memory of 3452	3528	msedge.exe	99
PID 4556 wrote to memory of 1884	4556	haolmjvtikuv.exe	100
PID 4556 wrote to memory of 1884	4556	haolmjvtikuv.exe	100
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102
PID 3528 wrote to memory of 3768	3528	msedge.exe	102

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	haolmjvtikuv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	haolmjvtikuv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\haolmjvtikuv.exe
    C:\Windows\haolmjvtikuv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\haolmjvtikuv.exe
      C:\Windows\haolmjvtikuv.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4556
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe0d646f8,0x7fffe0d64708,0x7fffe0d64718
        6⤵
        
        PID:3452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        6⤵
        
        PID:3768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        6⤵
        
        PID:2524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
        6⤵
        
        PID:1144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        6⤵
        
        PID:4372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        6⤵
        
        PID:1356
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
        6⤵
        
        PID:608
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
        6⤵
        
        PID:1988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        6⤵
        
        PID:2256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
        6⤵
        
        PID:3736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
        6⤵
        
        PID:2288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11130293806627434293,6930355806015513551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        6⤵
        
        PID:2348
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HAOLMJ~1.EXE
        5⤵
        
        PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\7A4D85~1.EXE
    3⤵
    PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+pguwi.html

Filesize
11KB

MD5
46d530352ac2da4cf30c739589dab2a6

SHA1
df811bbe29b211d2c3e1176643c2f4359c4aea18

SHA256
c96a5eb3007c355bce48755b18c0c9c4b0c851058f19785b2dc7475eabb15cec

SHA512
2ba159d0f7e69e84818570d6d004e3847fbea418ebf1feaafdae959a53550ecfcf05f4fb88ab53a279b7696c6f82d6cf6d58919b45bbd7d5f24368bbc34f404e

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+pguwi.png

Filesize
64KB

MD5
6716cfa8310dc7c1db07588a8811cf58

SHA1
f2d52335a6d98938e8d56897cacd01af37ede579

SHA256
e5d26e5a89e454e3c59fa10686db093ab8cd093e6cbb1b32790ec9d5617b7874

SHA512
cd333863acbc6839cbf5efc931349fbb21360cd6d87d5609f73303d6dc246d2be49e77ffbdbf7e1aa85439cd64424126c4fde9159dadeae692a602869f6e5847

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+pguwi.txt

Filesize
1KB

MD5
480b51180ca3e75751cf1136c8e6eec3

SHA1
011d83fa281ddc6f11c334d20928631b96927dbf

SHA256
587c932049e785b0e97d429b7c480bb9e3a405485a07c6570804587d92b9e838

SHA512
9876b2f0effd3222156a0a2493d50437484517835069a8c11540d99663e97a454d13842acb0f8625cd6e6f82a703999baa9560bc2b9bc3e56f562f25c5b195f2

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
acb21e6e429c340b15f00104510a52df

SHA1
f6570d45d46be6bc2bd8483add7950e8280a0791

SHA256
047522b87320e7a94f62f88a8ae8db3362f99aa8d5d88534ef622da09e47ea1d

SHA512
31ff872830bf6f8dfbfa7ca3d8e0a28cb988602ea96fad45498681825da35d7e7047a052f2ba66948b726e1bf282de2cd74110dfcd9cc0bd036ac8bb29612acd

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
2c28ef6e3c24d7d56dec00dcc2c679a2

SHA1
291deece0016fa50bda46f951f9de60cdda07de2

SHA256
cbc43dbf64b7fb949aeee17a6c1f3b319ae3653570413959459fa76d005de9ce

SHA512
69e37204691087600d4483ebfc62db9b9318a42a5e0e180e75712e5f268a91393c3c1033db2fa5571f5bb54d45e19adddd9859bf9c2b79b591fccfa782174223

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
4354b333b9313991c8f69986f24c64a7

SHA1
b5913fa559f5fc4ed528cc3d9acbec5e7c07de63

SHA256
f044636eb386f1dca7f34d75294f0548a0f2ff225e78f2b54466672f4c09699c

SHA512
a40093bdeb033d84a2058caa86ad2cdeefa14ce2264789e88822cbc7440254a3ca1d6ebd232a24535230a7b0ef6ea3a5dbd3856986e7d5da2a457ccee5770cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de7ab097f2639242d0804c57c7710030

SHA1
3e7d45043f69b8eba8f44301c164395b93d16160

SHA256
b669452ff93910fd97ce00688f61c293c039dd44ac89ac40a28779ac4526908c

SHA512
d0ce1f0f8721f06249870d365821289d07a25f07a37b748e77cd8d46dba47f396a21bfd862495b4d0484f1d78b10fba4860f4921f7544182aefef0534fbfe24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d39f8cc7b2a44d42a34eb9462ea5ba92

SHA1
d2212b0ea730033e863a1f08e683e909db7b1559

SHA256
bbb70f8131ff4a28c8a38b612c9179e13e6b08f0bf4f97b26e7b2c4810340846

SHA512
7afa5d4fe6b6a37def5566c61c85885643eac600c008700e24e304b62eb6fe6e9f9398aff1301ed38d82dead34da9ab4dc570a7abbc53554df7861be759b830c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b514e226a85f0bea2b8d5326f90e7a8b

SHA1
ccc7bc9da72aee6163e2cc652de4f6669935426f

SHA256
74995b375af74028883d3040dea265675a66820f52dffc1023639e079c582f6d

SHA512
20104ec965bb1e1aa0e4175528b26919ef0efe1c20d5a7492cbc9777950186ac24087cc5655206ee4d85c1bd7592479adacee7646364753ed761d26f3dafd34f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626047837275686.txt

Filesize
77KB

MD5
90b42883d56334cf99693be5909b6ec3

SHA1
6dcccde976cd2193a81c8f579128034e5118d5cc

SHA256
9872850e5a2ca986f232e23f89968487d4e52cdf44ca4c2364883a1c3001eee0

SHA512
0a3b3253e4cb6d73ac5045ceb5d9dfd152a7d46a9dce591e6bef46205edd005425023fc85703b7f9f92d01cdc820dc8d7bc1032c9118a9c0b13bb51ab06fd6fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626070414459428.txt

Filesize
75KB

MD5
65b39e7be0383e0fc6a7f3e3c0526f3d

SHA1
3396773904befc1d2d102de568c9e0989763cec2

SHA256
76e7f020678879a497c91beb0b43d8255933c2a8b4bd1c3329bfee915dd2f6fc

SHA512
8d8a77fbb837a60afcb44228392c638195b727058852816c3844b50d33bcd9d043ae448fa6ff0536747743813fde04fc1b02658d37427d98eb256a8bbc57424e

Download Submit
C:\Windows\haolmjvtikuv.exe

Filesize
388KB

MD5
7a4d85a1bef0ca4cecfe376e0ee91090

SHA1
0eaab4a4cf009d2d0d2d525bad4742356ca06317

SHA256
0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0

SHA512
963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280

Download Submit
memory/1748-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1748-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1748-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1748-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1748-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3548-5-0x0000000000B70000-0x0000000000B73000-memory.dmp

Filesize
12KB

Download
memory/3548-1-0x0000000000B70000-0x0000000000B73000-memory.dmp

Filesize
12KB

Download
memory/3548-0-0x0000000000B70000-0x0000000000B73000-memory.dmp

Filesize
12KB

Download
memory/4556-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-5616-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-2843-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-9127-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-10395-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-10396-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-10404-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-10405-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-613-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-10460-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4556-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4948-12-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download