hxxps://github[.]com/pankoza2-pl/Hexachlorocyclohexane[.]exe-Malware

Analysis

max time kernel
493s
max time network
511s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/Hexachlorocyclohexane.exe-Malware

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Hexachlorocyclohexane.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hexachlorocyclohexane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3520	taskkill.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	calc.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
3316	reg.exe
1032	reg.exe
3836	reg.exe
2428	reg.exe
4444	reg.exe
3564	reg.exe
2080	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Hexachlorocyclohexane.exe.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2360	notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
3272	msedge.exe
3272	msedge.exe
3324	msedge.exe
3324	msedge.exe
4720	identity_helper.exe
4720	identity_helper.exe
3360	msedge.exe
3360	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2340	Hexachlorocyclohexane.exe
5224	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious behavior: SetClipboardViewer 6 IoCs

pid	Process
5524	mmc.exe
5544	mmc.exe
6072	mmc.exe
5224	mmc.exe
5996	mmc.exe
6240	mmc.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	taskkill.exe
Token: 33	1892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1892	AUDIODG.EXE
Token: 33	5388	mmc.exe
Token: SeIncBasePriorityPrivilege	5388	mmc.exe
Token: 33	5388	mmc.exe
Token: SeIncBasePriorityPrivilege	5388	mmc.exe
Token: 33	5388	mmc.exe
Token: SeIncBasePriorityPrivilege	5388	mmc.exe
Token: 33	5524	mmc.exe
Token: SeIncBasePriorityPrivilege	5524	mmc.exe
Token: 33	5524	mmc.exe
Token: SeIncBasePriorityPrivilege	5524	mmc.exe
Token: 33	5524	mmc.exe
Token: SeIncBasePriorityPrivilege	5524	mmc.exe
Token: 33	5544	mmc.exe
Token: SeIncBasePriorityPrivilege	5544	mmc.exe
Token: 33	5544	mmc.exe
Token: SeIncBasePriorityPrivilege	5544	mmc.exe
Token: 33	5544	mmc.exe
Token: SeIncBasePriorityPrivilege	5544	mmc.exe
Token: 33	6072	mmc.exe
Token: SeIncBasePriorityPrivilege	6072	mmc.exe
Token: 33	6072	mmc.exe
Token: SeIncBasePriorityPrivilege	6072	mmc.exe
Token: 33	6072	mmc.exe
Token: SeIncBasePriorityPrivilege	6072	mmc.exe
Token: 33	5224	mmc.exe
Token: SeIncBasePriorityPrivilege	5224	mmc.exe
Token: 33	5224	mmc.exe
Token: SeIncBasePriorityPrivilege	5224	mmc.exe
Token: 33	5224	mmc.exe
Token: SeIncBasePriorityPrivilege	5224	mmc.exe
Token: 33	5996	mmc.exe
Token: SeIncBasePriorityPrivilege	5996	mmc.exe
Token: 33	5996	mmc.exe
Token: SeIncBasePriorityPrivilege	5996	mmc.exe
Token: 33	5996	mmc.exe
Token: SeIncBasePriorityPrivilege	5996	mmc.exe
Token: 33	6240	mmc.exe
Token: SeIncBasePriorityPrivilege	6240	mmc.exe
Token: 33	6240	mmc.exe
Token: SeIncBasePriorityPrivilege	6240	mmc.exe
Token: 33	6240	mmc.exe
Token: SeIncBasePriorityPrivilege	6240	mmc.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3372	OpenWith.exe
1764	wordpad.exe
1764	wordpad.exe
1764	wordpad.exe
1764	wordpad.exe
1764	wordpad.exe
5368	mmc.exe
5388	mmc.exe
5388	mmc.exe
5544	OpenWith.exe
5844	wordpad.exe
5844	wordpad.exe
5844	wordpad.exe
5844	wordpad.exe
5844	wordpad.exe
5500	mmc.exe
5524	mmc.exe
5524	mmc.exe
800	OpenWith.exe
6116	wordpad.exe
6116	wordpad.exe
6116	wordpad.exe
6116	wordpad.exe
6116	wordpad.exe
5580	mmc.exe
5544	mmc.exe
5544	mmc.exe
5904	OpenWith.exe
2852	wordpad.exe
2852	wordpad.exe
2852	wordpad.exe
2852	wordpad.exe
2852	wordpad.exe
6064	mmc.exe
6072	mmc.exe
6072	mmc.exe
5436	OpenWith.exe
5668	wordpad.exe
5668	wordpad.exe
5668	wordpad.exe
5668	wordpad.exe
5668	wordpad.exe
5916	mmc.exe
5224	mmc.exe
5224	mmc.exe
6120	OpenWith.exe
5440	wordpad.exe
5440	wordpad.exe
5440	wordpad.exe
5440	wordpad.exe
5440	wordpad.exe
536	mmc.exe
5996	mmc.exe
5996	mmc.exe
4900	OpenWith.exe
1348	wordpad.exe
1348	wordpad.exe
1348	wordpad.exe
1348	wordpad.exe
1348	wordpad.exe
6216	mmc.exe
6240	mmc.exe
6240	mmc.exe
6392	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 944	3272	msedge.exe	78
PID 3272 wrote to memory of 944	3272	msedge.exe	78
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2036	3272	msedge.exe	79
PID 3272 wrote to memory of 2600	3272	msedge.exe	80
PID 3272 wrote to memory of 2600	3272	msedge.exe	80
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81
PID 3272 wrote to memory of 4548	3272	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/Hexachlorocyclohexane.exe-Malware
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97c003cb8,0x7ff97c003cc8,0x7ff97c003cd8
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,9279623321084121814,4393273869601178196,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4828 /prefetch:2
  2⤵
  PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2096

C:\Users\Admin\Downloads\Hexachlorocyclohexane.exe\Hexachlorocyclohexane.exe
"C:\Users\Admin\Downloads\Hexachlorocyclohexane.exe\Hexachlorocyclohexane.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t reg_dword /d 1 /f
    3⤵
    - Modifies registry key
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoControlPanel /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoControlPanel /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /delete {current}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Hexachlorocyclohexane\note.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2360
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4012
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1764
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2068
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  PID:4220
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5368
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5388
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5504
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5616
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:5724
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5844
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5948
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6128
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4456
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5372
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5500
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5524
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5604
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5740
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5924
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6116
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5168
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5364
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:5672
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5580
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5544
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5824
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5980
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1176
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5336
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5152
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5816
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5976
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6064
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6072
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5356
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:2044
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5668
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5832
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  PID:5076
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  PID:6044
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5884
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5916
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5224
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4800
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5576
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6064
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5440
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5736
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  PID:5688
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:536
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5996
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - Modifies registry class
  PID:4208
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5904
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5876
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1348
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5268
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5160
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4208
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5872
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6216
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6240
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:6348
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6564
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:2444
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:5464
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  PID:5568
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  PID:5836
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  PID:6204
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:6304
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  PID:3924
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    PID:7092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6392

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:6572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hexachlorocyclohexane\note.txt

Filesize
135B

MD5
ea548ab9c32ef92afc59651fd2a5ee90

SHA1
ca2460f051f27aef42d117897dfb92eeb5571165

SHA256
7e29cc704a0dd5e22cb9f09310dbc255dd3b432c9f7b57255647be8692e122e6

SHA512
c642853aad342e8f466fa413ae64d7231efa090381163abe80921dbd21a22c329b2112a5015ae217758be1ddc4559dcdd621196c7dcc7cf28e51bea28c297f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
833b94db4a7e68f05d0ca628b84c23dc

SHA1
9cc614bba4230d7873f8d5663e5c680062962550

SHA256
66d594acb0d9e18675bea64f468856aca36594db1cb3c309033062d70977d38b

SHA512
207b88f30f78f4cd5202580c38427f5b7ca0940a6f6f7210686b3c2886dd47acf3bdcfbbc5455c60cd1d0b8d126ee1657b2cd4bf9fe0cd9ee75e660aa40e8ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
8567e1f2692c0b6b22ff80d629299c19

SHA1
58cddc76e9ff5e87f484897575c3a00f748d903e

SHA256
401da02959aad39d1b085fb55389b5f8ca4ee9724f7ced382eda6517490bcfaf

SHA512
4c94507f7f61227a4f10c6380e132df75d8698fb737b635e78c1c2a280b3313f61069eab4117641ae862b228e791e207960ea267fbf201618f6c2a7671a505e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72158aed4fed73fc9c8930337debe47b

SHA1
1151a7591713da3336c0779471cc2fc76b2b1ce6

SHA256
81ab18fef94e04f15ff25a013904489b3c7f80b73d43759a784511aaf6d60e6c

SHA512
2f57771a13234468055d3f5b2e078a7f6fbc17ffdef33c2b861560c07fa34e44e6bf9fcd508b4a68a3f79ffdfc6ef43a59a30bed232195c18aa8327137925f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15ebf5b825868be722b066d029533cce

SHA1
fe9f33c185941a0d175c0a7a3e8060ffdfedebca

SHA256
60a1d55bbf22bd0bade71aa09eb51c354da532f56e7e605fb405e3130429e900

SHA512
a1f7eebcbaca2ed2b4c409b92da274dc00c5e636469af742017ba6c0a78ee64b2fca379df41a4c33c528d8975e616dd0d75e254bc2c6b1311eb54d5ccb2dd0f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6182c59226e2e7e8874a6134a67da389

SHA1
337f4af58693df06c01186657a468949692ab91f

SHA256
2ba3996d1ee6f09f60840419afc7ef153ccb77a53a5d8a5bc96d26d63e9dbd9c

SHA512
aabbc0d84aca3cfbd0ffacfe243ccad91aabb1f539c8ff2672582c74cf7785011fdb66811b6467180aadab918aa76cc2d255f29dea4ea5810b59457bd8438721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
693d8c64ea6d63ff9a16f012c875a766

SHA1
f35e61e2605b224bd2e091cbe98504a075e6b663

SHA256
85d221e8d1a315fd47331321f948da428d26dc2ac19618e303e917e76de67389

SHA512
6fb9331638190abb5c8cf4b3ba2fb55334bf498f92939f12bdf5145cc61ec122693b8ebcf5d031af1d6cdf5635994842e23b8bfecefc503fc6d5062b4b1a145a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a1c38c27cf06cb86d7124d7cb121305

SHA1
ca1246cf66df82805b3194fb2280255ee40fe1d2

SHA256
630af276d10347d34205a1eab45da9963663b71bce778c6fa2752c120e429c3e

SHA512
539e1baf5ae9f1eeb76c0d70fb01468825cd2bf714ae109294d05db39e9db338a21e3d3310f2272bd8ff48739f4dd62c10f9fa77c98aa52bb1d08217e2c82536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580114.TMP

Filesize
1KB

MD5
3a525303596c0258147efeb57ef8961d

SHA1
814c2d21ef975f734298dbbe85c99f3fbd4fede3

SHA256
4920151f48b88442fd54dbe8dc8720333a9d7da1d5fa2f9a7b5028b4633933c5

SHA512
164715509918244f91b4e6691675980340be17320700d5df45411501f9bae17bd47d779952a28426a273457ae7e5e08ffc44a309224023370f36238f2372e6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6fb5c0736035452f90eddd05a5652fee

SHA1
19c85bc34a309249729372445ee8d3d03655e8a2

SHA256
b8f11d2a72d6e4c0f6fe673fd0bd4742af34e36f9e22692cd1b1c463ce594432

SHA512
e5428f436b2337434b0f24d2a6a087bc16eb8060b221b2fdaaf792f446e74e286f46c59af16a17a7db84162fa6d2fed043ec2d043b5044e425d85da03dcf07bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
848ffef03af2a9c0c7691454a1e500c2

SHA1
167285e78238ab08ebd2b6de203b36eeba0d5313

SHA256
8205c828bdaea46f2dea33dc92f7ba20f6b4e920d0a767eaf3920dce4c143e5b

SHA512
f1928ae33b7b17db0b52a1c39d1049ea30727446b86deb6aef5a036b8babec0e178a9be6fd68ebe9ca9196845870cc7f8b1be79b597530c50193fe33933b6c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2a2f32c34220b0ecd52053b4b2a2b01c

SHA1
eec7f5920b4a49f18964590edf20c9f52ed40477

SHA256
724734a3053cd88f558b845310e428ee730706f602131aea8dd0c7c74e37727e

SHA512
2db0c0469913ebc56ff31e5a339021bf7a752cd2b977c7e8b3d300e79f0cb602e4165786392ceff17aa905cb04a957667fd8264301bae156458c4154d513e0a1

Download Submit
C:\Users\Admin\Downloads\Hexachlorocyclohexane.exe.zip

Filesize
128KB

MD5
58a598fae3d8704c7f0e078b79bb652c

SHA1
970798ecdf9a3f10339de094f3d5a8f5dabb7be5

SHA256
efbbce0316a92a5fda21196ca0e7ec73357f66c0d4d05698c3133f0a32b0e1f8

SHA512
165e447505d5a7650f90617fde0cdd02071b504a9dfdb573a2fdb874639aaf1d25e6bae6ab71d522178c94ca55e9c3664b96295cf73fbf38ccae3d120628dd43

Download Submit
C:\Users\Admin\Downloads\Hexachlorocyclohexane.exe.zip:Zone.Identifier

Filesize
268B

MD5
9b55744e5efc431d02352460848fda8f

SHA1
7676287b1f392dda03537fb6b49978bd9e671589

SHA256
e07ccb4dbf91a1b8958b0af70be2a8a11530d0301df0637deb8041550d5b66a7

SHA512
d0d27df69b25b9556ec1fc2d17a6089917da394798b72ce4c1131f9b7144a18e135591636cf5d93e47c7cef64de4a759a71011b8e883673335863e941b4f75e6

Download Submit