teslacrypt | 69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

Analysis

max time kernel
143s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
Size

418KB
MD5

1a9ab9e924a6856d642bbe88064e4236
SHA1

d9d445e9dcb8694398c7acb33f38d7261c95321c
SHA256

69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22
SHA512

f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2
SSDEEP

6144:/lhEMsxe34/JTpHIOdX2JOVM8aSC4Zl7rOfT+yIaIWk3HtlE0/Ce+Mx62q2jQ1+d:7ssoJhf8JOqQC4/7CfTk/rsh2jQ1T0jv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+dlydn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D24292CACC660ED 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D24292CACC660ED 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D24292CACC660ED If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/D24292CACC660ED 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D24292CACC660ED http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D24292CACC660ED http://yyre45dbvn2nhbefbmh.begumvelic.at/D24292CACC660ED Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/D24292CACC660ED

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D24292CACC660ED

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D24292CACC660ED

http://yyre45dbvn2nhbefbmh.begumvelic.at/D24292CACC660ED

http://xlowfznrg4wf7dli.ONION/D24292CACC660ED

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare1a9ab9e924a6856d642bbe88064e4236.exeomppofeqjyhp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	omppofeqjyhp.exe

Drops startup file 6 IoCs

Processes:

omppofeqjyhp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dlydn.html	omppofeqjyhp.exe

Executes dropped EXE 2 IoCs

Processes:

omppofeqjyhp.exeomppofeqjyhp.exe

pid process

4916 omppofeqjyhp.exe
1656 omppofeqjyhp.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4916	omppofeqjyhp.exe
1656	omppofeqjyhp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

omppofeqjyhp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jixehitbduke = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\omppofeqjyhp.exe\""	omppofeqjyhp.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare1a9ab9e924a6856d642bbe88064e4236.exeomppofeqjyhp.exe

description	pid	process	target process
PID 696 set thread context of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 4916 set thread context of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe

Drops file in Program Files directory 64 IoCs

Processes:

omppofeqjyhp.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Shield.targetsize-44_contrast-white.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\x_logo.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileWord32x32.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_2_Loud.m4a	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-white.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-100_contrast-white.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-125.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-200.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-32_altform-unplated.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\_RECoVERY_+dlydn.html	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_RECoVERY_+dlydn.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-36_altform-unplated.png	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+dlydn.txt	omppofeqjyhp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-100_contrast-white.png	omppofeqjyhp.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare1a9ab9e924a6856d642bbe88064e4236.exe

description	ioc	process
File created	C:\Windows\omppofeqjyhp.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
File opened for modification	C:\Windows\omppofeqjyhp.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

VirusShare1a9ab9e924a6856d642bbe88064e4236.exeVirusShare1a9ab9e924a6856d642bbe88064e4236.exeomppofeqjyhp.execmd.exeomppofeqjyhp.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omppofeqjyhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omppofeqjyhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

omppofeqjyhp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings omppofeqjyhp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3584 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	omppofeqjyhp.exe

pid	process
3584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

omppofeqjyhp.exe

pid	process
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe
1656	omppofeqjyhp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe
4708 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare1a9ab9e924a6856d642bbe88064e4236.exeomppofeqjyhp.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
Token: SeDebugPrivilege	1656	omppofeqjyhp.exe
Token: SeIncreaseQuotaPrivilege	4452	WMIC.exe
Token: SeSecurityPrivilege	4452	WMIC.exe
Token: SeTakeOwnershipPrivilege	4452	WMIC.exe
Token: SeLoadDriverPrivilege	4452	WMIC.exe
Token: SeSystemProfilePrivilege	4452	WMIC.exe
Token: SeSystemtimePrivilege	4452	WMIC.exe
Token: SeProfSingleProcessPrivilege	4452	WMIC.exe
Token: SeIncBasePriorityPrivilege	4452	WMIC.exe
Token: SeCreatePagefilePrivilege	4452	WMIC.exe
Token: SeBackupPrivilege	4452	WMIC.exe
Token: SeRestorePrivilege	4452	WMIC.exe
Token: SeShutdownPrivilege	4452	WMIC.exe
Token: SeDebugPrivilege	4452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4452	WMIC.exe
Token: SeRemoteShutdownPrivilege	4452	WMIC.exe
Token: SeUndockPrivilege	4452	WMIC.exe
Token: SeManageVolumePrivilege	4452	WMIC.exe
Token: 33	4452	WMIC.exe
Token: 34	4452	WMIC.exe
Token: 35	4452	WMIC.exe
Token: 36	4452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4452	WMIC.exe
Token: SeSecurityPrivilege	4452	WMIC.exe
Token: SeTakeOwnershipPrivilege	4452	WMIC.exe
Token: SeLoadDriverPrivilege	4452	WMIC.exe
Token: SeSystemProfilePrivilege	4452	WMIC.exe
Token: SeSystemtimePrivilege	4452	WMIC.exe
Token: SeProfSingleProcessPrivilege	4452	WMIC.exe
Token: SeIncBasePriorityPrivilege	4452	WMIC.exe
Token: SeCreatePagefilePrivilege	4452	WMIC.exe
Token: SeBackupPrivilege	4452	WMIC.exe
Token: SeRestorePrivilege	4452	WMIC.exe
Token: SeShutdownPrivilege	4452	WMIC.exe
Token: SeDebugPrivilege	4452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4452	WMIC.exe
Token: SeRemoteShutdownPrivilege	4452	WMIC.exe
Token: SeUndockPrivilege	4452	WMIC.exe
Token: SeManageVolumePrivilege	4452	WMIC.exe
Token: 33	4452	WMIC.exe
Token: 34	4452	WMIC.exe
Token: 35	4452	WMIC.exe
Token: 36	4452	WMIC.exe
Token: SeBackupPrivilege	4048	vssvc.exe
Token: SeRestorePrivilege	4048	vssvc.exe
Token: SeAuditPrivilege	4048	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2624	WMIC.exe
Token: SeSecurityPrivilege	2624	WMIC.exe
Token: SeTakeOwnershipPrivilege	2624	WMIC.exe
Token: SeLoadDriverPrivilege	2624	WMIC.exe
Token: SeSystemProfilePrivilege	2624	WMIC.exe
Token: SeSystemtimePrivilege	2624	WMIC.exe
Token: SeProfSingleProcessPrivilege	2624	WMIC.exe
Token: SeIncBasePriorityPrivilege	2624	WMIC.exe
Token: SeCreatePagefilePrivilege	2624	WMIC.exe
Token: SeBackupPrivilege	2624	WMIC.exe
Token: SeRestorePrivilege	2624	WMIC.exe
Token: SeShutdownPrivilege	2624	WMIC.exe
Token: SeDebugPrivilege	2624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2624	WMIC.exe
Token: SeRemoteShutdownPrivilege	2624	WMIC.exe
Token: SeUndockPrivilege	2624	WMIC.exe
Token: SeManageVolumePrivilege	2624	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare1a9ab9e924a6856d642bbe88064e4236.exeVirusShare1a9ab9e924a6856d642bbe88064e4236.exeomppofeqjyhp.exeomppofeqjyhp.exemsedge.exe

description	pid	process	target process
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 696 wrote to memory of 4492	696	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
PID 4492 wrote to memory of 4916	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	omppofeqjyhp.exe
PID 4492 wrote to memory of 4916	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	omppofeqjyhp.exe
PID 4492 wrote to memory of 4916	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	omppofeqjyhp.exe
PID 4492 wrote to memory of 1236	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	cmd.exe
PID 4492 wrote to memory of 1236	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	cmd.exe
PID 4492 wrote to memory of 1236	4492	VirusShare1a9ab9e924a6856d642bbe88064e4236.exe	cmd.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 4916 wrote to memory of 1656	4916	omppofeqjyhp.exe	omppofeqjyhp.exe
PID 1656 wrote to memory of 4452	1656	omppofeqjyhp.exe	WMIC.exe
PID 1656 wrote to memory of 4452	1656	omppofeqjyhp.exe	WMIC.exe
PID 1656 wrote to memory of 3584	1656	omppofeqjyhp.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 3584	1656	omppofeqjyhp.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 3584	1656	omppofeqjyhp.exe	NOTEPAD.EXE
PID 1656 wrote to memory of 4708	1656	omppofeqjyhp.exe	msedge.exe
PID 1656 wrote to memory of 4708	1656	omppofeqjyhp.exe	msedge.exe
PID 4708 wrote to memory of 320	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 320	4708	msedge.exe	msedge.exe
PID 1656 wrote to memory of 2624	1656	omppofeqjyhp.exe	WMIC.exe
PID 1656 wrote to memory of 2624	1656	omppofeqjyhp.exe	WMIC.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 1240	4708	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

omppofeqjyhp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	omppofeqjyhp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	omppofeqjyhp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare1a9ab9e924a6856d642bbe88064e4236.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\Temp\VirusShare1a9ab9e924a6856d642bbe88064e4236.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare1a9ab9e924a6856d642bbe88064e4236.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\omppofeqjyhp.exe
    C:\Windows\omppofeqjyhp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\omppofeqjyhp.exe
      C:\Windows\omppofeqjyhp.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1656
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:3584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd809846f8,0x7ffd80984708,0x7ffd80984718
        6⤵
        
        PID:320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        6⤵
        
        PID:1240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        6⤵
        
        PID:732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
        6⤵
        
        PID:2088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        6⤵
        
        PID:2376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
        6⤵
        
        PID:3564
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
        6⤵
        
        PID:2500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
        6⤵
        
        PID:2820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
        6⤵
        
        PID:4664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        6⤵
        
        PID:1996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6734484492963089672,15497443089510640846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
        6⤵
        
        PID:1840
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OMPPOF~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+dlydn.html

Filesize
12KB

MD5
9b2f1c5a41724e20b8e1f44af4fcbdfd

SHA1
2477289b43e16d058d7b015c3d31355aa95ab5f4

SHA256
8f7b4630658d773e392ec6b3c073951e0756f2a7790afb028e768310d984cb65

SHA512
98222f8c7b5e61ad6c8dc91e1741211604b003311225ccf7a069e4554a503908f24990bb953677dfd047f5727641d236eeabb1cf1b8aa3283c706ab98896aa8c

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+dlydn.png

Filesize
64KB

MD5
e770414f111ffbcf9d401e7d22b9558b

SHA1
0020535a2781f8781d5ca51b240d68d25fdaa8ea

SHA256
33cc42f4e41f0f70db344bb72a9728714ce5274a8237f16eb4e73ee4c8f53cab

SHA512
bb1a8e7ce77390c6bddbddf83e50b64a8cba6762041750534773710fc4ac654f22586c42b57e3091d4dbaf26c7cd3d087668fdec84322fe00a926f9d3334c65c

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+dlydn.txt

Filesize
1KB

MD5
2610276c6147f0112b9c4c0c4f4883d2

SHA1
422aa2c7b8d6b3b2a1b79975eace4325188dfdc9

SHA256
3578fd369ef868cedc6d293fa4fbabd2fc3045f71d57ff8538dab483c2ae4695

SHA512
b36d9c7083046c1da40b666169c26192ca4dbaa4414da42554a5dc3e000236930d39275bf95afba18fb244325d7f7f7941a3ca2e1e6233edff11e0f45d09c283

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8e76fdf8031f9dfc2a085ffdc8a1614c

SHA1
7af7a3eb3958671bed06ecde2a1af3969336ac89

SHA256
f402d3d51fc9c6a23ce62691cb9034b9b5c9fd368ed04e9fcf1501ac79f0eb23

SHA512
e0c86610c6350505d0c03aa5f7b236960d785b7af05828089519f73f4d7dcffff05730330039542a6e6b91f328235b445d7381bccb2f4e3b32ef4c3a4caa67a1

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
d0733ec0eec80aecb976395a7501149e

SHA1
b799f9550a984be23d4a1762c470c0df04b7cf73

SHA256
5620ccf0ba5063f8e109251db3ca3c42c104c008ccac10d8107e2d2b2c9608c6

SHA512
76583fe90e15d9f9c12f639060a76b11de7884cf7a9f2cff597c8c12e880ed920dc22abf0d0f50c441bc678e9528a8767baa846ff5238df4d72db4593b3d7ac8

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
64e7739d307ece028ab2546437ab4d88

SHA1
8b26a7cc5ebda459b488f7742c95d12503b6bdb5

SHA256
adf865ee9cd026e97ef8290fc0de473b7e94c14fd881c342d39d94a0df15317b

SHA512
d6a85160b9e996800c95a1ceba836653821085ba444bef7d9d82affee2a66594f3739d5ea3ec62fecc9dc38ff7d784a4b3b0dc001eed74a07817ff570492b15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7f21fe76e57a338c4715a8a49c211ac3

SHA1
9dbf7215c9ed03bf941ec416fba1e878b9c230c4

SHA256
4fbdf5684dc10ddac2db7d1c5ba9ae62bfc8f33d0b2e9a43f9e3affdd2e83ed8

SHA512
9432f7280bf87b523e759e4a2f3049170c8217faff63a8f9a246233039896eb24593de48ac2028abc65af8ab50b1e59e1e3d88899037c910b3d5ec8352d7f918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bffa12de14c74d00d91069bb8d411990

SHA1
c5c878e46304ad76ad4bfcd6e1b55af40db1af02

SHA256
3bdba74be9d6f76fa1ba5b33b5e4c682f4bc655a4fe2f9f9bfaf8171c36383de

SHA512
fef8376dbdec8628e7a130ad3e8039efeaae2f0f2ce6c1d0d6872c59b11e7886e76ab85ec0a4a2dde784f6ab1bc891a7b01063aecdba366d80108e425dfcc41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9e7e5fac45e1c0a835e661541e518a0

SHA1
578e3cdc45afb5349824b735269896334308a76a

SHA256
9c9319e291d2fc949fe24cdbe2f5ae78a316a099038644088ffe6888480c59ab

SHA512
22ef7a6d7529c0401c73f0250e6b6ee0f20b5593963b9eb083c377107111096ca79a7bc7df4b407d5076bf7ee43f90488aeb6738ca0a06c3d7bb9b2f18e8be78

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756182462133.txt

Filesize
47KB

MD5
823fc14a8bbb2799f221d1bf2395a195

SHA1
de2dbbf13a0f5513e74540e03bbdb6247723319f

SHA256
19f7b4532bfbaf9b5049e3ce386c47f97c157f4fd590e28fdf132fcc800967d1

SHA512
98289668af583a60e93f18246986ad53582bad711086bb8e64307f9585bd5409d4d450f28884c2439df835d7385aa04db066ee3ab0b17efdbcc2594fbe4caf14

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670764368086779.txt

Filesize
74KB

MD5
25740a6940c9b1a27d8eacfe72aabc53

SHA1
ee25365cc15e36c68e60f8de6e4eab5e7bde0b25

SHA256
5cb12d1817f6ce2422fc70179aa1783979e0a022f78c01af87b397dd39fb4dfb

SHA512
d960a244e413fc53a000625521f5d8f055e3003977dcfc537fb51ab453f3735952b1e4d82c6411957037fb64f2bb5fd595733b3d14564fe5b262975df595870d

Download Submit
C:\Windows\omppofeqjyhp.exe

Filesize
418KB

MD5
1a9ab9e924a6856d642bbe88064e4236

SHA1
d9d445e9dcb8694398c7acb33f38d7261c95321c

SHA256
69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

SHA512
f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2

Download Submit
\??\pipe\LOCAL\crashpad_4708_QICIENFCPKGTAAFL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-0-0x0000000000550000-0x0000000000554000-memory.dmp

Filesize
16KB

Download
memory/696-4-0x0000000000550000-0x0000000000554000-memory.dmp

Filesize
16KB

Download
memory/696-1-0x0000000000550000-0x0000000000554000-memory.dmp

Filesize
16KB

Download
memory/1656-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-10646-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-2896-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-2895-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-6022-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-9549-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-10645-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-216-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-10654-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-10655-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1656-10697-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4492-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4492-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4492-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4492-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4492-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4916-12-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download