teslacrypt | 006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Size

553KB
MD5

f7030b13576de49beebb29da2d5c8890
SHA1

26ccbc9c36c030258d5e38d59bf09423e5204750
SHA256

006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786
SHA512

a29d7264c3040a04ca036641295670ca7c6678ad8b2092153c51acbf9cd91e05f273d0c7926f07f05d8569eb4e49d64bb3d2d31dd7741aea49aa5c2f5c9b38c6
SSDEEP

6144:oGyrwsYlcsaBx6ukx409hRpC75c7bx7+AeEgYXuRrPXCWvFza:bqwsYlc9jQ4cRA7W7bxqAeEgY+Zzvda

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/1326466A3AF4F51 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/1326466A3AF4F51

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1326466A3AF4F51

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/1326466A3AF4F51

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/1326466A3AF4F51

http://xlowfznrg4wf7dli.ONION/1326466A3AF4F51

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exefhcwurslrloi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fhcwurslrloi.exe

Drops startup file 6 IoCs

Processes:

fhcwurslrloi.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe

Executes dropped EXE 1 IoCs

Processes:

fhcwurslrloi.exe

pid process

660 fhcwurslrloi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fhcwurslrloi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kvbdbvo = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\fhcwurslrloi.exe"	fhcwurslrloi.exe

Drops file in Program Files directory 64 IoCs

Processes:

fhcwurslrloi.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-150.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLSTART\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_contrast-white.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-20.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-high.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Mutable\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_crop_handles.mp4	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.scale-100_contrast-white.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-100.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlMiddleCircle.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-100_contrast-black.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-125.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-100.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-64_altform-unplated.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-100.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-100.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_Wind_sm.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-100.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\YellowAbstractNote.scale-100.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+iipfp.txt	fhcwurslrloi.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\_ReCoVeRy_+iipfp.html	fhcwurslrloi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-200.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\View3d\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60_altform-unplated.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-200.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_ReCoVeRy_+iipfp.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-400.png	fhcwurslrloi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseNose.png	fhcwurslrloi.exe

Drops file in Windows directory 2 IoCs

Processes:

006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\fhcwurslrloi.exe	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
File opened for modification	C:\Windows\fhcwurslrloi.exe	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

fhcwurslrloi.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings fhcwurslrloi.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1840 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fhcwurslrloi.exe

pid	process
1840	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fhcwurslrloi.exe

pid	process
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe
660	fhcwurslrloi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3096 msedge.exe
3096 msedge.exe
3096 msedge.exe
3096 msedge.exe
3096 msedge.exe
3096 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exefhcwurslrloi.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
Token: SeDebugPrivilege	660	fhcwurslrloi.exe
Token: SeIncreaseQuotaPrivilege	4276	WMIC.exe
Token: SeSecurityPrivilege	4276	WMIC.exe
Token: SeTakeOwnershipPrivilege	4276	WMIC.exe
Token: SeLoadDriverPrivilege	4276	WMIC.exe
Token: SeSystemProfilePrivilege	4276	WMIC.exe
Token: SeSystemtimePrivilege	4276	WMIC.exe
Token: SeProfSingleProcessPrivilege	4276	WMIC.exe
Token: SeIncBasePriorityPrivilege	4276	WMIC.exe
Token: SeCreatePagefilePrivilege	4276	WMIC.exe
Token: SeBackupPrivilege	4276	WMIC.exe
Token: SeRestorePrivilege	4276	WMIC.exe
Token: SeShutdownPrivilege	4276	WMIC.exe
Token: SeDebugPrivilege	4276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4276	WMIC.exe
Token: SeRemoteShutdownPrivilege	4276	WMIC.exe
Token: SeUndockPrivilege	4276	WMIC.exe
Token: SeManageVolumePrivilege	4276	WMIC.exe
Token: 33	4276	WMIC.exe
Token: 34	4276	WMIC.exe
Token: 35	4276	WMIC.exe
Token: 36	4276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4276	WMIC.exe
Token: SeSecurityPrivilege	4276	WMIC.exe
Token: SeTakeOwnershipPrivilege	4276	WMIC.exe
Token: SeLoadDriverPrivilege	4276	WMIC.exe
Token: SeSystemProfilePrivilege	4276	WMIC.exe
Token: SeSystemtimePrivilege	4276	WMIC.exe
Token: SeProfSingleProcessPrivilege	4276	WMIC.exe
Token: SeIncBasePriorityPrivilege	4276	WMIC.exe
Token: SeCreatePagefilePrivilege	4276	WMIC.exe
Token: SeBackupPrivilege	4276	WMIC.exe
Token: SeRestorePrivilege	4276	WMIC.exe
Token: SeShutdownPrivilege	4276	WMIC.exe
Token: SeDebugPrivilege	4276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4276	WMIC.exe
Token: SeRemoteShutdownPrivilege	4276	WMIC.exe
Token: SeUndockPrivilege	4276	WMIC.exe
Token: SeManageVolumePrivilege	4276	WMIC.exe
Token: 33	4276	WMIC.exe
Token: 34	4276	WMIC.exe
Token: 35	4276	WMIC.exe
Token: 36	4276	WMIC.exe
Token: SeBackupPrivilege	3632	vssvc.exe
Token: SeRestorePrivilege	3632	vssvc.exe
Token: SeAuditPrivilege	3632	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe
Token: SeSecurityPrivilege	4720	WMIC.exe
Token: SeTakeOwnershipPrivilege	4720	WMIC.exe
Token: SeLoadDriverPrivilege	4720	WMIC.exe
Token: SeSystemProfilePrivilege	4720	WMIC.exe
Token: SeSystemtimePrivilege	4720	WMIC.exe
Token: SeProfSingleProcessPrivilege	4720	WMIC.exe
Token: SeIncBasePriorityPrivilege	4720	WMIC.exe
Token: SeCreatePagefilePrivilege	4720	WMIC.exe
Token: SeBackupPrivilege	4720	WMIC.exe
Token: SeRestorePrivilege	4720	WMIC.exe
Token: SeShutdownPrivilege	4720	WMIC.exe
Token: SeDebugPrivilege	4720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4720	WMIC.exe
Token: SeRemoteShutdownPrivilege	4720	WMIC.exe
Token: SeUndockPrivilege	4720	WMIC.exe
Token: SeManageVolumePrivilege	4720	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exefhcwurslrloi.exemsedge.exe

description	pid	process	target process
PID 64 wrote to memory of 660	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe	fhcwurslrloi.exe
PID 64 wrote to memory of 660	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe	fhcwurslrloi.exe
PID 64 wrote to memory of 660	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe	fhcwurslrloi.exe
PID 64 wrote to memory of 1324	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe	cmd.exe
PID 64 wrote to memory of 1324	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe	cmd.exe
PID 64 wrote to memory of 1324	64	006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe	cmd.exe
PID 660 wrote to memory of 4276	660	fhcwurslrloi.exe	WMIC.exe
PID 660 wrote to memory of 4276	660	fhcwurslrloi.exe	WMIC.exe
PID 660 wrote to memory of 1840	660	fhcwurslrloi.exe	NOTEPAD.EXE
PID 660 wrote to memory of 1840	660	fhcwurslrloi.exe	NOTEPAD.EXE
PID 660 wrote to memory of 1840	660	fhcwurslrloi.exe	NOTEPAD.EXE
PID 660 wrote to memory of 3096	660	fhcwurslrloi.exe	msedge.exe
PID 660 wrote to memory of 3096	660	fhcwurslrloi.exe	msedge.exe
PID 3096 wrote to memory of 4664	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4664	3096	msedge.exe	msedge.exe
PID 660 wrote to memory of 4720	660	fhcwurslrloi.exe	WMIC.exe
PID 660 wrote to memory of 4720	660	fhcwurslrloi.exe	WMIC.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 4636	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3140	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3140	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3652	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3652	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3652	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3652	3096	msedge.exe	msedge.exe
PID 3096 wrote to memory of 3652	3096	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

fhcwurslrloi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fhcwurslrloi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fhcwurslrloi.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\fhcwurslrloi.exe
  C:\Windows\fhcwurslrloi.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:660
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff982246f8,0x7fff98224708,0x7fff98224718
      4⤵
      PID:4664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:4636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      4⤵
      PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
      4⤵
      PID:3864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:4720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:2624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:1992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15816777723847367936,4557648813552864111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
      4⤵
      PID:1432
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FHCWUR~1.EXE
    3⤵
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\006CB9~1.EXE
  2⤵
  PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.html

Filesize
11KB

MD5
8a0fdba458ef191d24bf5553b1923911

SHA1
32443d754b426c5e823558becb2fa67d174c76ed

SHA256
51d3dbc0a3859f3826803c6809497c95baf6885e9e0387ec44f05a965c2415b9

SHA512
40b9a5b4707459d5163f2073d7837e1c6d565bfc0c54b8529ad9354197b3690b76b6747a3e3879ef096ef66aa3a287354698d8e92586cc186a2a8b09c5bff726

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.png

Filesize
64KB

MD5
1e4cb858c9bf8e40a61171eae6fc76b7

SHA1
e995e31738e25cd74137b67545e48d5cf52ec3fe

SHA256
3e5b7c2d2abf752a00c8f7e385ec4dd4d7892c04e34e0ec73bb4cd667f60a3cb

SHA512
6db3aeada4b5a15c962fd1c723ef12863892c8e2d4d11fa1f998c14d6c4ce4d39dc3a9eab6f0d8f91b0b2a792e18bcbafe48b4797d8d46d08c14d891147ca1f3

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+iipfp.txt

Filesize
1KB

MD5
8883a2c4ae14ad49bd926071ee132aa2

SHA1
728154cbfa4d362037723764115eb5ff9bcaaca8

SHA256
3a0e8075ba66df33a00f3006983626e89aade6e1708b8cc404ae042e0a0eeddf

SHA512
3ef73f1e8f4cb9ad3bd0c7780408bfdcf3b944bf5c8a140f1bc2b1db2ec81b40a22059c7eec230a3ac5cc025bd412052b4a818bf6f35703f39dd35045f79a0bd

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
6623567ad7201ffed2d4e47f46a39c28

SHA1
30a82d1d1e7cefa7dbb67617d92b3277bb5b2734

SHA256
679b0c0f6093c1833dbd578081bb5e8a633910a5260d1ceb7c3d1fe7bb03910e

SHA512
217cb46242cecd8aa8d688960ad373e55ed0a2c4bfb00123794a966f2c726392f415be6774389159f946da33a2bf87ca5596dfeb20b94076c1bdc23c6d9ac7c0

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
52d0560986d23505822475d59d255715

SHA1
d911f7b03e98076cb81d4391851ab8a2ff66e288

SHA256
9aecce0347902f42bac9bbf9c07e88915435814b4e3ca1ecc5667f1c53fc7325

SHA512
5e3e27337cd9640389069aeea139dc5189c47b3ed3c8f58110a7e17de2b33d2d45c6dbc44fd0905f22ff17532983a5179267e245cb715519cef45d7a6832cfa0

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
67f5519cf41d492178d503f866742090

SHA1
8af1086dd8b620c450c0be1617362881bf435231

SHA256
19083659c7c2fbb9179547ec714e4fdccc1fe5391e0cb06203dbcaef8bf0774d

SHA512
3951d7f427dccc279b21db980ddff99fb462a22ca4d1a81ec2df3b6078634d9a0693bf193dde6d95bf014f53fe9cf29a74773925664e5b714b88d01a43ae9b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2379742edf5438dfc13ed6945769995d

SHA1
c17434fe88589732a7d0c3e38e8d78e87a934e2a

SHA256
84013cdd1a0042629794a301e24703e95df17848dd98819299556877b72d420e

SHA512
05636fe275e5ad276c69e4b284fe60bf93d32d2d1135bea37778c0011f3ee0085a26e759db85aa8a15f14915644b2c12f46f4ef21b7e39989ff37d77220f8cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50ae1e1e5746493520970436d77da620

SHA1
f772a6008c95433c6f52a5de9e583c86073873b4

SHA256
dfa533fe4042a6eb0ac6699fc4fbf8471aa45ee95de07d0c6392f87858370b84

SHA512
c2e035b658e4c32130fdea0b3a7ee9f91a8a9a419997052bbdbb3f8d439a931aba033c5ae7a418d57f72f0c4350f5d358b2ea1834253cd83961fffd1581961a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d66b9036226884495df4f61896f0553f

SHA1
0ebb74cc676837c650cb29c594ad781797fa645c

SHA256
4836b64171430ddfc4d1dc0bb475071664574fceab591f44a9f1d8abf6475ba8

SHA512
19f95b22a79d085169ca9dc29515a32e735615353fdf84bece27837f5050cfb936b326f9ec4d3623016f6ffbbf54116ce9d3c1fd5d5f640e4432d12f4db0ce97

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

Filesize
75KB

MD5
eb5e5fc5972350827db89f16664559e5

SHA1
acf7c525be117755c7b5b33b79fd8acdc590c589

SHA256
592d64964a85c44daa23a015d5734a77cf3ce4a92a345b079214ef549b704aa9

SHA512
29c214091be86a64d4790c67006ea3ff478b450d29a083985ca934f50c4ee09d24268ccfa43eba16ae01812abaac9e59e549b0a9ac3fcb38eb37f41710856b4f

Download Submit
C:\Windows\fhcwurslrloi.exe

Filesize
553KB

MD5
f7030b13576de49beebb29da2d5c8890

SHA1
26ccbc9c36c030258d5e38d59bf09423e5204750

SHA256
006cb9242e9c08db01fcfedf3c1ec11e0e5e8178e07b6836154ad62fd5b64786

SHA512
a29d7264c3040a04ca036641295670ca7c6678ad8b2092153c51acbf9cd91e05f273d0c7926f07f05d8569eb4e49d64bb3d2d31dd7741aea49aa5c2f5c9b38c6

Download Submit
\??\pipe\LOCAL\crashpad_3096_EFDIDGVDGIOBSVTX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-1-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/64-9-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/64-10-0x00000000006A0000-0x0000000000726000-memory.dmp

Filesize
536KB

Download
memory/64-0-0x00000000006A0000-0x0000000000726000-memory.dmp

Filesize
536KB

Download
memory/660-5009-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/660-10378-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/660-10422-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/660-8440-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/660-5889-0x00000000021A0000-0x0000000002226000-memory.dmp

Filesize
536KB

Download
memory/660-11-0x00000000021A0000-0x0000000002226000-memory.dmp

Filesize
536KB

Download
memory/660-2455-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/660-10479-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download